From 4d7fbf6d87e169469df4f12fa563846d2a310f29 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Tue, 4 Jun 2013 11:14:42 -0400
Subject: [PATCH] Prevent tokens in jsonp mode

Add checks to token-returning functions to prevent returning tokens in jsonp mode. This affects action=tokens, action=login, action=createaccount, and action=query&list=deletedrevs.

Also, remove the "gettoken" parameter to action=block and action=unblock, which has been deprecated since 1.20.

Bug: 49090
Change-Id: Ibeaa5c72d8084585092b15935a3f5709104bf7f7
---
 RELEASE-NOTES-1.22 | 3 +++
 includes/api/ApiBlock.php | 15 ---------------
 includes/api/ApiCreateAccount.php | 4 ++++
 includes/api/ApiLogin.php | 9 +++++++++
 includes/api/ApiMain.php | 10 ++--------
 includes/api/ApiQueryDeletedrevs.php | 5 +++++
 includes/api/ApiTokens.php | 5 +++++
 includes/api/ApiUnblock.php | 15 ---------------
 8 files changed, 28 insertions(+), 38 deletions(-)

diff --git a/RELEASE-NOTES-1.22 b/RELEASE-NOTES-1.22
index 42462dd..d84f14d 100644
--- a/RELEASE-NOTES-1.22
+++ b/RELEASE-NOTES-1.22
@@ -155,6 +155,9 @@ production.
 * prop=info now adds the content model and page language of the title.
 * New upload log entries will now contain information on the relavent image
 (sha1 and timestamp).
+* Support for the 'gettoken' parameter to action=block and action=unblock,
+ deprecated since 1.20, has been removed.
+* (bug 49090) Token-getting functions will fail when using jsonp callbacks.
 
 === Languages updated in 1.22===
 
diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index ab0a7e9..975153a 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -42,12 +42,6 @@ class ApiBlock extends ApiBase {
 $user = $this->getUser();
 $params = $this->extractRequestParams();
 
- if ( $params['gettoken'] ) {
- $res['blocktoken'] = $user->getEditToken();
- $this->getResult()->addValue( null, $this->getModuleName(), $res );
- return;
- }
-
 if ( !$user->isAllowed( 'block' ) ) {
 $this->dieUsageMsg( 'cantblock' );
 }
@@ -156,10 +150,6 @@ class ApiBlock extends ApiBase {
 ApiBase::PARAM_REQUIRED => true
 ),
 'token' => null,
- 'gettoken' => array(
- ApiBase::PARAM_DFLT => false,
- ApiBase::PARAM_DEPRECATED => true,
- ),
 'expiry' => 'never',
 'reason' => '',
 'anononly' => false,
@@ -177,7 +167,6 @@ class ApiBlock extends ApiBase {
 return array(
 'user' => 'Username, IP address or IP range you want to block',
 'token' => 'A block token previously obtained through prop=info',
- 'gettoken' => 'If set, a block token will be returned, and no other action will be taken',
 'expiry' => 'Relative expiry time, e.g. \'5 months\' or \'2 weeks\'. If set to \'infinite\', \'indefinite\' or \'never\', the block will never expire.',
 'reason' => 'Reason for block',
 'anononly' => 'Block anonymous users only (i.e. disable anonymous edits for this IP)',
@@ -194,10 +183,6 @@ class ApiBlock extends ApiBase {
 public function getResultProperties() {
 return array(
 '' => array(
- 'blocktoken' => array(
- ApiBase::PROP_TYPE => 'string',
- ApiBase::PROP_NULLABLE => true
- ),
 'user' => array(
 ApiBase::PROP_TYPE => 'string',
 ApiBase::PROP_NULLABLE => true
diff --git a/includes/api/ApiCreateAccount.php b/includes/api/ApiCreateAccount.php
index 59ff324..3b95a63 100644
--- a/includes/api/ApiCreateAccount.php
+++ b/includes/api/ApiCreateAccount.php
@@ -29,6 +29,10 @@
 */
 class ApiCreateAccount extends ApiBase {
 public function execute() {
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $this->dieUsage( 'Cannot create account when using a callback', 'aborted' );
+ }
 // $loginForm->addNewaccountInternal will throw exceptions
 // if wiki is read only (already handled by api), user is blocked or does not have rights.
 
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index b936d3b..b51d441 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
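Review bot: The callback-presence test `!is_null( $this->getMain()->getRequest()->getVal( 'callback' ) )` added at the top of execute() here is repeated verbatim in the ApiLogin, ApiQueryDeletedrevs and ApiTokens hunks, so the definition of "JSONP mode" now lives in four places and every future token-emitting module has to remember to copy it. A single query on ApiMain, for example `public function isCallbackMode() { return $this->getRequest()->getVal( 'callback' ) !== null; }` with each module calling `$this->getMain()->isCallbackMode()`, keeps the rule in one place and makes it straightforward to audit that every path that hands out a token is covered. The `'aborted'` error code appears to be new to this module as far as the hunk shows; if ApiCreateAccount lists its errors via getPossibleErrors(), it should be added there so the documented error set stays accurate. execute() continues beyond the hunk.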
@@ -46,6 +46,15 @@ class ApiLogin extends ApiBase {
 * is reached. The expiry is $this->mLoginThrottle.
 */
 public function execute() {
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $this->getResult()->addValue( null, 'login', array(
+ 'result' => 'Aborted',
+ 'reason' => 'Cannot log in when using a callback',
+ ) );
+ return;
+ }
+
 $params = $this->extractRequestParams();
 
 $result = array();
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 5ddb3ab..4de3da8 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -714,15 +714,9 @@ class ApiMain extends ApiBase {
 }
 
 $moduleParams = $module->extractRequestParams();
- // Die if token required, but not provided (unless there is a gettoken parameter)
- if ( isset( $moduleParams['gettoken'] ) ) {
- $gettoken = $moduleParams['gettoken'];
- } else {
- $gettoken = false;
- }
-
+ // Die if token required, but not provided
 $salt = $module->getTokenSalt();
- if ( $salt !== false && !$gettoken ) {
+ if ( $salt !== false ) {
 if ( !isset( $moduleParams['token'] ) ) {
 $this->dieUsageMsg( array( 'missingparam', 'token' ) );
 } else {
diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php
index 690d0e6..8273313 100644
--- a/includes/api/ApiQueryDeletedrevs.php
+++ b/includes/api/ApiQueryDeletedrevs.php
@@ -57,6 +57,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
 $fld_content = isset( $prop['content'] );
 $fld_token = isset( $prop['token'] );
 
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $fld_token = false;
+ }
+
 $result = $this->getResult();
 $pageSet = $this->getPageSet();
 $titles = $pageSet->getTitles();
diff --git a/includes/api/ApiTokens.php b/includes/api/ApiTokens.php
index 7080f54..d220a5e 100644
--- a/includes/api/ApiTokens.php
+++ b/includes/api/ApiTokens.php
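Review bot: ApiLogin reports the callback case as a soft result (`'result' => 'Aborted'` plus a reason, then return) while the ApiCreateAccount hunk reports the same condition with dieUsage( ..., 'aborted' ), so one failure is surfaced two different ways. If the soft result is deliberate because clients branch on login's `result` field, say so next to the check, e.g. `// Reported as a login result rather than an API error so clients that switch on 'result' see a definite failure`; otherwise use dieUsage here for consistency. Placing the refusal before extractRequestParams() is the right order, since nothing further down in execute() runs for a callback request. execute() continues beyond the hunk.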
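Review bot: Dropping the `$gettoken` branch removes the token-check bypass for every module that passes through this code, not only block and unblock: any module, core or extension, that still declares a `gettoken` parameter now falls into the `missingparam`/`token` path below. That is the intended fail-closed behaviour, but the RELEASE-NOTES hunk only mentions action=block and action=unblock, so extension authors get no warning. A line such as `* ApiMain no longer honours a 'gettoken' parameter for any module; modules that declared one must drop it and clients should obtain tokens from action=tokens.` in the release notes would close that gap. The enclosing method continues outside the hunk.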
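Review bot: Overriding `$fld_token = false` silently drops the `token` property when a callback is present, so a client that asked for prop=token receives a response with no tokens and no indication why, unlike the ApiCreateAccount hunk which fails loudly. Emitting a warning next to the override, `$this->setWarning( 'Tokens cannot be obtained when using a callback' );`, keeps the fail-closed behaviour while telling the caller what was withheld and why. The enclosing execute() continues outside the hunk.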
@@ -48,6 +48,11 @@ class ApiTokens extends ApiBase {
 }
 
 private function getTokenTypes() {
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ return array();
+ }
+
 static $types = null;
 if ( $types ) {
 return $types;
diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
index 55e7331..6a739a2 100644
--- a/includes/api/ApiUnblock.php
+++ b/includes/api/ApiUnblock.php
@@ -39,12 +39,6 @@ class ApiUnblock extends ApiBase {
 $user = $this->getUser();
 $params = $this->extractRequestParams();
 
- if ( $params['gettoken'] ) {
- $res['unblocktoken'] = $user->getEditToken();
- $this->getResult()->addValue( null, $this->getModuleName(), $res );
- return;
- }
-
 if ( is_null( $params['id'] ) && is_null( $params['user'] ) ) {
 $this->dieUsageMsg( 'unblock-notarget' );
 }
@@ -96,10 +90,6 @@ class ApiUnblock extends ApiBase {
 ),
 'user' => null,
 'token' => null,
- 'gettoken' => array(
- ApiBase::PARAM_DFLT => false,
- ApiBase::PARAM_DEPRECATED => true,
- ),
 'reason' => '',
 );
 }
@@ -110,7 +100,6 @@ class ApiUnblock extends ApiBase {
 'id' => "ID of the block you want to unblock (obtained through list=blocks). Cannot be used together with {$p}user",
 'user' => "Username, IP address or IP range you want to unblock. Cannot be used together with {$p}id",
 'token' => "An unblock token previously obtained through prop=info",
- 'gettoken' => 'If set, an unblock token will be returned, and no other action will be taken',
 'reason' => 'Reason for unblock',
 );
 }
@@ -118,10 +107,6 @@ class ApiUnblock extends ApiBase {
 public function getResultProperties() {
 return array(
 '' => array(
- 'unblocktoken' => array(
- ApiBase::PROP_TYPE => 'string',
- ApiBase::PROP_NULLABLE => true
- ),
 'id' => array(
 ApiBase::PROP_TYPE => 'integer',
 ApiBase::PROP_NULLABLE => true
-- 
1.7.10.4
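Review bot: Returning `array()` from getTokenTypes() in callback mode makes the refusal surface wherever that list is consumed rather than as a clear message; if getAllowedParams() builds the `type` enumeration from getTokenTypes() (outside the hunk), a callback-mode request for any token type is reported as an unrecognised parameter value instead of stating that tokens are unavailable with a callback. An explicit `$this->dieUsage( 'Cannot get tokens when using a callback', 'aborted' );` at the top of execute(), matching the ApiCreateAccount hunk, would tell the client what actually went wrong. Keeping the check ahead of the `static $types` cache is correct because the answer depends on the current request, and a one-line comment saying so, `// Checked before the static cache: the answer is per-request, not per-process`, would keep a later refactor from moving it below the memoised lookup. getTokenTypes() continues beyond the hunk.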