Authored By
LucasWerkmeister
Jan 22 2019, 12:04 PM
2019-01-22 12:04:24 (UTC+0)
From 3603176e77a486acb4d09ff81e40e9d0345f4253 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <mail@lucaswerkmeister.de>
Date: Mon, 17 Dec 2018 14:02:39 +0100
Subject: [PATCH] SECURITY: Fix cache mode for (un)patrolled recent changes
query
Restricting the list of recent changes to patrolled, not patrolled,
autopatrolled, not autopatrolled, or unpatrolled recent changes requires
special permissions (as does displaying that status in the properties of
returned entries), but we only set the cache mode to private in the
first two cases.
Bug: T212118
Change-Id: I4c3fe6e47f80ebf97fa37875c704328d08772d26
---
includes/api/ApiQueryRecentChanges.php | 29 +++++++++++++++-----------
1 file changed, 17 insertions(+), 12 deletions(-)
diff --git a/includes/api/ApiQueryRecentChanges.php b/includes/api/ApiQueryRecentChanges.php
index 7c6b4634e5..fe09ce9a01 100644
--- a/includes/api/ApiQueryRecentChanges.php
+++ b/includes/api/ApiQueryRecentChanges.php
@@ -214,12 +214,7 @@ public function run( $resultPageSet = null ) {
}
// Check permissions
- if ( isset( $show['patrolled'] )
- || isset( $show['!patrolled'] )
- || isset( $show['unpatrolled'] )
- || isset( $show['autopatrolled'] )
- || isset( $show['!autopatrolled'] )
- ) {
+ if ( $this->includesPatrollingFlags( $show ) ) {
if ( !$user->useRCPatrol() && !$user->useNPPatrol() ) {
$this->dieWithError( 'apierror-permissiondenied-patrolflag', 'permissiondenied' );
}
@@ -642,13 +637,23 @@ public function extractRowInfo( $row ) {
return $vals;
}
+ /**
+ * @param array $flagsArray flipped array (string flags are keys)
+ * @return bool
+ */
+ private function includesPatrollingFlags( array $flagsArray ) {
+ return isset( $flagsArray['patrolled'] ) ||
+ isset( $flagsArray['!patrolled'] ) ||
+ isset( $flagsArray['unpatrolled'] ) ||
+ isset( $flagsArray['autopatrolled'] ) ||
+ isset( $flagsArray['!autopatrolled'] );
+ }
+
public function getCacheMode( $params ) {
- if ( isset( $params['show'] ) ) {
- foreach ( $params['show'] as $show ) {
- if ( $show === 'patrolled' || $show === '!patrolled' ) {
- return 'private';
- }
- }
+ if ( isset( $params['show'] ) &&
+ $this->includesPatrollingFlags( array_flip( $params['show'] ) )
+ ) {
+ return 'private';
}
if ( isset( $params['token'] ) ) {
return 'private';
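Review bot: The rewritten getCacheMode() still inspects only `$params['show']`, while the commit message says that displaying the patrol status in the properties of returned entries needs the same permission; if `prop=patrolled` is gated in run() the way the show flags are, a privileged user's response to such a request would presumably still be cacheable as public unless the remainder of getCacheMode(), which continues past the hunk, already forces 'private' for it — worth confirming before this ships as the complete fix. The helper's docblock would also benefit from recording why the list matters, e.g. `Flags that require patrol rights; run() uses this list for the permission check and getCacheMode() to force a private cache mode, so keep both callers on it.` If the supported PHP version allows return type declarations, `private function includesPatrollingFlags( array $flagsArray ) : bool {` would make the contract explicit and let the `@return bool` tag go.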
--
2.19.1
T212118: API responses for unpatrolled or (not) autopatrolled recent changes require privileges but may be cached publicly