From f32d20c6e9f918bef959e50a259668984781513d Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Tue, 13 Jan 2015 12:30:26 -0800
Subject: [PATCH] SECURITY: Add an edit token to Special:CheckUser
Bug: T85858
Change-Id: I8b86ae48058ab85975b48a40008e91027387f5f8
---
 i18n/en.json | 1 +
 i18n/qqq.json | 1 +
 specials/SpecialCheckUser.php | 5 ++++-
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/i18n/en.json b/i18n/en.json
index 60119ae..884c852 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -78,6 +78,7 @@
 "checkuser-email-action": "sent an email to user \"$1\"",
 "checkuser-reset-action": "reset password for user \"$1\"",
 "checkuser-toollinks": "[[http://whois.domaintools.com/$1 RDNS] ·\n[http://www.robtex.com/rbls/$1.html RBLs] ·\n[http://www.dnsstuff.com/tools/tracert.ch?ip=$1 Traceroute] ·\n[http://www.ip2location.com/$1 Geolocate] ·\n[http://toolserver.org/~overlordq/scripts/checktor.fcgi?ip=$1 Tor check] ·\n[http://whois.arin.net/rest/ip/$1 WHOIS]]",
+ "checkuser-token-fail": "Session failure. Please try again.",
 "group-checkuser.css": "/* CSS placed here will affect checkuser only */",
 "group-checkuser.js": "/* JS placed here will affect checkuser only */",
 "apihelp-query+checkuser-description": "Check which IPs are used by a given username or which usernames are used by a given IP.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index 05ee545..d2a3348 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -95,6 +95,7 @@
 "checkuser-email-action": "Logged text when a user sends an e-mail. Probably preceded by the name of the checkuser.\n\nParameters:\n* $1 - a salted MD5 hash for the user an email was sent to",
 "checkuser-reset-action": "Logged text when a user resets a password. Parameters:\n* $1 - the username for which the password was reset. Can be used for GENDER.",
 "checkuser-toollinks": "{{notranslate}}\nParameters:\n* $1 - IP address",
+ "checkuser-token-fail": "Error message shown when the CSRF token does not match the current session.",
 "group-checkuser.css": "{{doc-group|checkuser|css}}",
 "group-checkuser.js": "{{doc-group|checkuser|js}}",
 "apihelp-query+checkuser-description": "{{doc-apihelp-description|query+checkuser}}",
diff --git a/specials/SpecialCheckUser.php b/specials/SpecialCheckUser.php
index c5b1ab1..1804f26 100644
--- a/specials/SpecialCheckUser.php
+++ b/specials/SpecialCheckUser.php
@@ -48,7 +48,9 @@ class CheckUser extends SpecialPage {
 # Perform one of the various submit operations...
 if ( $request->wasPosted() ) {
- if ( $request->getVal( 'action' ) === 'block' ) {
+ if ( !$this->getUser()->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
+ $this->getOutput()->wrapWikiMsg( '
$1
', 'checkuser-token-fail' );
+ } elseif ( $request->getVal( 'action' ) === 'block' ) {
 $this->doMassUserBlock( $users, $blockreason, $tag, $talkTag );
 } elseif ( !$this->checkReason( $reason ) ) {
 $this->getOutput()->addWikiMsg( 'checkuser-noreason' );
@@ -168,6 +170,7 @@ class CheckUser extends SpecialPage {
 $form .= '';
 $form .= Xml::closeElement( 'table' );
 $form .= '';
+ $form .= Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() );
 $form .= Xml::closeElement( 'form' );
 # Output form
 $this->getOutput()->addHTML( $form );
-- 2.1.0
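Review bot: The second added line reports a token mismatch through a new `checkuser-token-fail` message, while MediaWiki core already ships a `sessionfailure` message used by core forms for exactly this case; reusing it — `$this->getOutput()->wrapWikiMsg( '<div class="error">$1</div>', 'sessionfailure' );` — avoids a duplicate translation key and keeps the wording consistent with other token-protected forms. In this rendering the wrapper string passed to `wrapWikiMsg` shows only `$1`, presumably because the `<div class="error">` markup was lost in extraction; confirm the committed source keeps it so the failure is styled as an error rather than printed as plain text. `getVal( 'wpEditToken' )` returns null when the field is absent, which `matchEditToken()` should reject, but a manual test with the field omitted is worth doing since this single branch now gates the mass-block path as well as the logged lookups. The enclosing `execute()` begins before this hunk and continues after it, so what happens after the message on a failed check (whether the form is re-rendered with the submitted values) depends on code not shown here.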
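Review bot: The new hidden `wpEditToken` line carries no comment tying it to the token check in `execute()`, and the `Xml::openElement( 'form', ... )` that fixes the submit method lies outside this hunk; since the check sits inside `if ( $request->wasPosted() )`, a form that is not POSTed would skip both the check and the actions silently rather than fail the check. A one-line comment above the new line makes the coupling visible where the form is built: `// CSRF token; execute() rejects POSTed submissions without a matching one`. If a salt is ever passed to `matchEditToken()` in the first hunk, the same salt has to be passed to `getEditToken()` here.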