From 0a254fdac6e476f8f953d18194af47077dbd823f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= Date: Mon, 7 Nov 2016 20:10:21 +0100 Subject: [PATCH 4/9] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited" Bug: T150044 Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661 --- RELEASE-NOTES-1.29 | 2 ++ includes/specials/SpecialWatchlist.php | 2 ++ 2 files changed, 4 insertions(+) diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29 index 93618ae..78b056e 100644 --- a/RELEASE-NOTES-1.29 +++ b/RELEASE-NOTES-1.29 @@ -90,6 +90,8 @@ production. $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php index 365736f..c1c9ab0 100644 --- a/includes/specials/SpecialWatchlist.php +++ b/includes/specials/SpecialWatchlist.php @@ -81,6 +81,7 @@ class SpecialWatchlist extends ChangesListSpecialPage { if ( ( $config->get( 'EnotifWatchlist' ) || $config->get( 'ShowUpdatedMarker' ) ) && $request->getVal( 'reset' ) && $request->wasPosted() + && $user->matchEditToken( $request->getVal( 'token' ) ) ) { $user->clearAllNotifications(); $output->redirect( $this->getPageTitle()->getFullURL( $opts->getChangedValues() ) ); @@ -660,6 +661,7 @@ class SpecialWatchlist extends ChangesListSpecialPage { 'id' => 'mw-watchlist-resetbutton' ] ) . "\n" . Xml::submitButton( $this->msg( 'enotif_reset' )->text(), [ 'name' => 'mw-watchlist-reset-submit' ] ) . "\n" . + Html::hidden( 'token', $user->getEditToken() ) . "\n" . Html::hidden( 'reset', 'all' ) . "\n"; foreach ( $nondefaults as $key => $value ) { $form .= Html::hidden( $key, $value ) . "\n"; -- 2.9.3