From e34f0eba661f3ea992652cff5a76a262c809e8a1 Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Sun, 2 Apr 2017 20:05:06 +0100
Subject: [PATCH 3/8] SECURITY: SpecialWatchlist: Check CSRF token when using
 "Mark all pages visited"

Bug: T150044
Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661
---
 RELEASE-NOTES-1.23                     | 2 ++
 includes/specials/SpecialWatchlist.php | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index a38e95b..a5afc7b 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -12,6 +12,8 @@ This is not a release yet!
   to interwiki links.
 * (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
   $wgAdvancedSearchHighlighting is true.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+  token.
 
 == MediaWiki 1.23.15 ==
 
diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php
index b20d857..995f514 100644
--- a/includes/specials/SpecialWatchlist.php
+++ b/includes/specials/SpecialWatchlist.php
@@ -69,6 +69,7 @@ class SpecialWatchlist extends ChangesListSpecialPage {
 		if ( ( $wgEnotifWatchlist || $wgShowUpdatedMarker )
 			&& $request->getVal( 'reset' )
 			&& $request->wasPosted()
+			&& $user->matchEditToken( $request->getVal( 'token' ) )
 		) {
 			$user->clearAllNotifications();
 			$output->redirect( $this->getPageTitle()->getFullURL( $opts->getChangedValues() ) );
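Review bot: When the token comparison on the added line fails, the whole condition is false and the request falls through to rendering the watchlist as if nothing was posted, so a user whose edit token has rotated or whose session expired gets no feedback that "Mark all pages visited" was not performed. Consider testing the token separately from the feature/posted checks so a posted reset with a non-matching token can surface the standard session-failure message, e.g. `} elseif ( $request->getVal( 'reset' ) && $request->wasPosted() ) { $output->addWikiMsg( 'sessionfailure' ); }` (confirm that message key is what this codebase uses for token failures). A missing `token` parameter makes `getVal()` return null, which presumably fails the match as intended, but matchEditToken()'s comparison is not visible here, so whether it is constant-time would have to be checked in User. The enclosing execute() method starts before and continues after this hunk.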
@@ -496,6 +497,7 @@ class SpecialWatchlist extends ChangesListSpecialPage {
 				'action' => $this->getPageTitle()->getLocalURL(),
 				'id' => 'mw-watchlist-resetbutton' ) ) . "\n" .
 			Xml::submitButton( $this->msg( 'enotif_reset' )->text(), array( 'name' => 'dummy' ) ) . "\n" .
+			Html::hidden( 'token', $user->getEditToken() ) . "\n" .
 			Html::hidden( 'reset', 'all' ) . "\n";
 			foreach ( $nondefaults as $key => $value ) {
 				$form .= Html::hidden( $key, $value ) . "\n";
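Review bot: `$user` on the added line is not assigned anywhere in this hunk; unless the enclosing method already defines it earlier (the hunk starts mid-method, so I cannot tell), `$this->getUser()->getEditToken()` would avoid depending on an outer local. The hidden field name `'token'` must stay in step with the parameter name read by the matchEditToken() check in execute(), and that coupling is easy to break in a later rename; a one-line comment on the added line, `// Field name must match the token parameter checked in execute()`, would record it. The enclosing method begins before and ends after this hunk.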
-- 
2.9.3

