From 5d23655cc46737ce1f41620a51de280de1d62a22 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Wed, 13 Nov 2013 11:11:35 -0800
Subject: [PATCH] SECURITY: Add CSRF check to CreateCategory

https://bugzilla.mozilla.org/show_bug.cgi?id=928470
---
 specials/SF_CreateCategory.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/specials/SF_CreateCategory.php b/specials/SF_CreateCategory.php
index 991575b..b0e2830 100644
--- a/specials/SF_CreateCategory.php
+++ b/specials/SF_CreateCategory.php
@@ -60,7 +60,8 @@ class SFCreateCategory extends SpecialPage {
 		$category_name_error_str = null;
 		$save_page = $wgRequest->getCheck( 'wpSave' );
 		$preview_page = $wgRequest->getCheck( 'wpPreview' );
-		if ( $save_page || $preview_page ) {
+		$validToken = $this->getUser()->matchEditToken( $wgRequest->getVal( 'csrf' ), 'CreateCategory' );
+		if ( $validToken && ( $save_page || $preview_page ) ) {
 			// Validate category name
 			if ( $category_name === '' ) {
 				$category_name_error_str = wfMessage( 'sf_blank_error' )->text();
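Review bot: When the token does not match, the new `if ( $validToken && ( $save_page || $preview_page ) )` silently skips both save and preview and falls through to re-rendering the form, so a user whose session expired loses the submission with no explanation and no indication that the request was rejected. The usual MediaWiki pattern is to surface this, e.g. `if ( ( $save_page || $preview_page ) && !$validToken ) { $category_name_error_str = wfMessage( 'sessionfailure' )->text(); }` ahead of the existing branch, assuming `$category_name_error_str` is rendered into the form further down (not visible in this hunk). The check also reads the token through the global `$wgRequest` while the user comes from `$this->getUser()`; `$this->getRequest()->getVal( 'csrf' )` would keep both on the SpecialPage context. The enclosing `execute()` body begins and ends outside this hunk.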
@@ -113,6 +114,8 @@ class SFCreateCategory extends SpecialPage {
 		$secondRow .= Html::rawElement( 'select', array( 'id' => 'category_dropdown', 'name' => 'parent_category' ), $selectBody );
 		$text .= Html::rawElement( 'p', null, $secondRow ) . "\n";
 
+		$text .= Html::hidden( 'csrf', $this->getUser()->getEditToken( 'CreateCategory' ) );
+
 		$editButtonsText = "\t" . Html::input( 'wpSave', wfMessage( 'savearticle' )->text(), 'submit', array( 'id' => 'wpSave' ) ) . "\n";
 		$editButtonsText .= "\t" . Html::input( 'wpPreview', wfMessage( 'preview' )->text(), 'submit', array( 'id' => 'wpPreview' ) ) . "\n";
 		$text .= "\t" . Html::rawElement( 'div', array( 'class' => 'editButtons' ), $editButtonsText ) . "\n";
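Review bot: The token salt `'CreateCategory'` is a bare string literal that must stay byte-identical to the one passed to `matchEditToken()` in the earlier hunk; a typo in either would make every save and preview fail silently rather than produce a visible error. Hoisting it to a class constant such as `const TOKEN_SALT = 'CreateCategory';` and using `self::TOKEN_SALT` in both places removes that coupling. The `<form>` open tag is not visible in this hunk, so please confirm the hidden field lands inside the form that posts `wpSave`/`wpPreview`, otherwise it is never submitted and the check above rejects everything.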
-- 
1.8.1.4

