From 460a3015cd2981693d35fa42758ad1a85ff6d341 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Mon, 13 Dec 2021 22:30:16 -0800 Subject: [PATCH] SECURITY: Require 'read' right for most actions As a security hardening measure to limit exposure on private wikis from actions on $wgWhitelistRead pages, require an explicit 'read' right on actions by default. Currently only ViewAction disables this check since it does its own permissions checking. This is somewhat duplicative of the permissions check in MediaWiki::performRequest() but we'll call it defense in depth. It also matches similar logic in the Action and REST APIs. Bug: T34716 Bug: T297416 Change-Id: Ib2a6c08dc50c69c3ed6e5708ab72441a90fcd3e1 --- includes/MediaWiki.php | 5 +++++ includes/actions/Action.php | 10 ++++++++++ includes/actions/ViewAction.php | 6 ++++++ 3 files changed, 21 insertions(+) diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php index b72e842a63..d6477ec495 100644 --- a/includes/MediaWiki.php +++ b/includes/MediaWiki.php @@ -507,6 +507,11 @@ class MediaWiki { $action = Action::factory( $act, $article, $this->context ); if ( $action instanceof Action ) { + // Check read permissions + if ( $action->needsReadRights() && !$user->isAllowed( 'read' ) ) { + throw new PermissionsError( 'read' ); + } + // Narrow DB query expectations for this HTTP request $trxLimits = $this->config->get( 'TrxProfilerLimits' ); $trxProfiler = Profiler::instance()->getTransactionProfiler(); diff --git a/includes/actions/Action.php b/includes/actions/Action.php index cc429f280b..fb97f11f31 100644 --- a/includes/actions/Action.php +++ b/includes/actions/Action.php @@ -387,6 +387,16 @@ abstract class Action implements MessageLocalizer { return null; } + /** + * Indicates whether this action requires read rights + * @since 1.36.3 + * @stable to override + * @return bool + */ + public function needsReadRights() { + return true; + } + /** * Checks if the given user (identified by an object) can perform this action. Can be * overridden by sub-classes with more complicated permissions schemes. Failures here diff --git a/includes/actions/ViewAction.php b/includes/actions/ViewAction.php index 957e6470d3..f9237c00e0 100644 --- a/includes/actions/ViewAction.php +++ b/includes/actions/ViewAction.php @@ -37,6 +37,12 @@ class ViewAction extends FormlessAction { return null; } + public function needsReadRights() { + // Pages in $wgWhitelistRead can be viewed without having the 'read' + // right. We rely on Article::view() to properly check read access. + return false; + } + public function show() { $config = $this->context->getConfig(); -- 2.33.1