From 20340ff486200cb06d823e80bac97960cb5d169a Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Mon, 13 Dec 2021 22:30:16 -0800 Subject: [PATCH] SECURITY: Require 'read' right for most actions As a security hardening measure to limit exposure on private wikis from actions on $wgWhitelistRead pages, require an explicit 'read' right on actions by default. Currently only ViewAction disables this check since it does its own permissions checking. This is somewhat duplicative of the permissions check in MediaWiki::performRequest() but we'll call it defense in depth. It also matches similar logic in the Action and REST APIs. Bug: T34716 Bug: T297416 Change-Id: Ib2a6c08dc50c69c3ed6e5708ab72441a90fcd3e1 --- includes/MediaWiki.php | 5 +++++ includes/actions/Action.php | 10 ++++++++++ includes/actions/ViewAction.php | 6 ++++++ 3 files changed, 21 insertions(+) diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php index 826e42da19..7fc6ca4848 100644 --- a/includes/MediaWiki.php +++ b/includes/MediaWiki.php @@ -514,6 +514,11 @@ class MediaWiki { $action = Action::factory( $actionName, $article, $this->context ); if ( $action instanceof Action ) { + // Check read permissions + if ( $action->needsReadRights() && !$user->isAllowed( 'read' ) ) { + throw new PermissionsError( 'read' ); + } + // Narrow DB query expectations for this HTTP request $trxLimits = $this->config->get( 'TrxProfilerLimits' ); $trxProfiler = Profiler::instance()->getTransactionProfiler(); diff --git a/includes/actions/Action.php b/includes/actions/Action.php index af13dcfd94..63c3e6feb4 100644 --- a/includes/actions/Action.php +++ b/includes/actions/Action.php @@ -316,6 +316,16 @@ abstract class Action implements MessageLocalizer { return null; } + /** + * Indicates whether this action requires read rights + * @since 1.37.1 + * @stable to override + * @return bool + */ + public function needsReadRights() { + return true; + } + /** * Checks if the given user (identified by an object) can perform this action. Can be * overridden by sub-classes with more complicated permissions schemes. Failures here diff --git a/includes/actions/ViewAction.php b/includes/actions/ViewAction.php index 9ec73b9650..aea7a5da8f 100644 --- a/includes/actions/ViewAction.php +++ b/includes/actions/ViewAction.php @@ -37,6 +37,12 @@ class ViewAction extends FormlessAction { return null; } + public function needsReadRights() { + // Pages in $wgWhitelistRead can be viewed without having the 'read' + // right. We rely on Article::view() to properly check read access. + return false; + } + public function show() { $config = $this->context->getConfig(); -- 2.33.1