
T270713-master.patch

Authored By
Reedy
Jan 4 2021, 6:07 PM

T270713-master.patch

From 0b50e51081c038144843030c86ddee94edfbf46a Mon Sep 17 00:00:00 2001
From: Reedy <reedy@wikimedia.org>
Date: Mon, 4 Jan 2021 18:06:09 +0000
Subject: [PATCH] SECURITY: Allow user to only apply protection they have right
to do so via action=protect
'apierror-protect-invalidlevel' potentially wants updating at a later point, as the
message doesn't necessarily make clear what the error is; the protection may be valid
but the user's right to apply it is not.
Bug: T270713
Change-Id: I72fe67264baa4123599ec424a7d780192ca54bcc
---
includes/api/ApiProtect.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/api/ApiProtect.php b/includes/api/ApiProtect.php
index 16f7a55a56..50f2521caf 100644
--- a/includes/api/ApiProtect.php
+++ b/includes/api/ApiProtect.php
@@ -67,6 +67,10 @@ class ApiProtect extends ApiBase {
}
$restrictionTypes = $titleObj->getRestrictionTypes();
+ $levels = $this->getPermissionManager()->getNamespaceRestrictionLevels(
+ $titleObj->getNamespace(),
+ $user
+ );
$protections = [];
$expiryarray = [];
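Review bot: The `$levels` assignment carries the whole security decision of this patch but has no comment saying so, which makes it easy for a later refactor to swap it back to the site-wide configured list. I would add above it `// Only the levels $user may apply in this namespace, not every configured level (T270713)`. `$user` is defined outside the hunk, so confirm it is the requesting user taken from the API context. The enclosing method starts and ends outside the hunk.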
@@ -85,7 +89,7 @@ class ApiProtect extends ApiBase {
if ( !in_array( $p[0], $restrictionTypes ) && $p[0] != 'create' ) {
$this->dieWithError( [ 'apierror-protect-invalidaction', wfEscapeWikiText( $p[0] ) ] );
}
- if ( !in_array( $p[1], $this->getConfig()->get( 'RestrictionLevels' ) ) && $p[1] != 'all' ) {
+ if ( !in_array( $p[1], $levels ) && $p[1] != 'all' ) {
$this->dieWithError( [ 'apierror-protect-invalidlevel', wfEscapeWikiText( $p[1] ) ] );
}
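Review bot: The rewritten check on `$p[1]` is now an authorization gate but still uses loose comparison, and `'all'` is accepted without consulting `$levels`. I would make both comparisons strict: `if ( !in_array( $p[1], $levels, true ) && $p[1] !== 'all' ) {`. `$p[1]` presumably comes from splitting a request string, so strict matching should not reject valid input; confirm against the parsing above the hunk. How `'all'` is handled afterwards is not visible here, so it is worth checking that removing a restriction is authorized separately. The loop body continues outside the hunk.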
--
2.24.3 (Apple Git-128)
