From 7664f65d3a953e15101c26486283de5e6b456671 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Wed, 20 Apr 2016 13:56:18 -0400
Subject: [PATCH] [SECURITY] Require login to preview user CSS pages

Anon users have predictable edit tokens, hence someone could force an anon to execute arbitrary CSS by means of a CSRF.

Bug: T133147
Change-Id: I442b2b46cadb967aaa1f35648eff183fc7eaa475
---
 includes/OutputPage.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index c724207..414f941 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3061,7 +3061,6 @@ class OutputPage extends ContextSource {
 // This must use TYPE_COMBINED instead of only=scripts so that its request is handled by
 // mw.loader.implement() which ensures that execution is scheduled after the "site" module.
 if ( $this->getConfig()->get( 'AllowUserJs' )
- && $this->getUser()->isLoggedIn()
 && $this->getTitle()
 && $this->getTitle()->isJsSubpage()
 && $this->userCanPreview()
@@ -3287,6 +3286,11 @@ class OutputPage extends ContextSource {
 }
 $user = $this->getUser();
+
+ if ( !$this->getUser()->isLoggedIn() ) {
+ // Anons have predictable edit tokens
+ return false;
+ }
 if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
 return false;
 }
-- 
2.0.1
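Review bot: Dropping `$this->getUser()->isLoggedIn()` from this condition makes the user-JS preview branch depend entirely on `$this->userCanPreview()` enforcing the login requirement, and nothing at this site records that dependency. A short comment on the `if` would keep it visible to the next person who touches either place, e.g. `// Login is enforced by userCanPreview(): anons have predictable edit tokens, so a CSRF could trigger a preview`. The condition is presumably mirrored by a user-CSS branch near here that already relied on userCanPreview() alone, which is what the subject line refers to, but that branch is not in the hunk. The enclosing `if` statement and its body continue outside the hunk.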
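Review bot: The new guard calls `$this->getUser()->isLoggedIn()` immediately after `$user = $this->getUser();` on the line above; it should use the local, `if ( !$user->isLoggedIn() ) {`, so both checks in this method clearly act on the same user object. The one-line comment could also say why the check matters for this method rather than just stating the token property, e.g. `// Anons have predictable edit tokens, so the token check below cannot protect them from a CSRF-triggered preview`. The check is correctly placed before `matchEditToken()`, so the token comparison is never reached for anonymous requests. The enclosing method (apparently userCanPreview(), given the call in the first hunk) begins outside the hunk, so any earlier request-method or other checks are not visible here.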