Page MenuHomePhabricator

0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch

Authored By
Legoktm
Jan 13 2015, 8:32 PM
Size
3 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch

From f32d20c6e9f918bef959e50a259668984781513d Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@gmail.com>
Date: Tue, 13 Jan 2015 12:30:26 -0800
Subject: [PATCH] SECURITY: Add an edit token to Special:CheckUser
Bug: T85858
Change-Id: I8b86ae48058ab85975b48a40008e91027387f5f8
---
i18n/en.json | 1 +
i18n/qqq.json | 1 +
specials/SpecialCheckUser.php | 5 ++++-
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/i18n/en.json b/i18n/en.json
index 60119ae..884c852 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -78,6 +78,7 @@
"checkuser-email-action": "sent an email to user \"$1\"",
"checkuser-reset-action": "reset password for user \"$1\"",
"checkuser-toollinks": "<span class=\"plainlinks\">[[http://whois.domaintools.com/$1 RDNS] ·\n[http://www.robtex.com/rbls/$1.html RBLs] ·\n[http://www.dnsstuff.com/tools/tracert.ch?ip=$1 Traceroute] ·\n[http://www.ip2location.com/$1 Geolocate] ·\n[http://toolserver.org/~overlordq/scripts/checktor.fcgi?ip=$1 Tor check] ·\n[http://whois.arin.net/rest/ip/$1 WHOIS]]</span>",
+ "checkuser-token-fail": "Session failure. Please try again.",
"group-checkuser.css": "/* CSS placed here will affect checkuser only */",
"group-checkuser.js": "/* JS placed here will affect checkuser only */",
"apihelp-query+checkuser-description": "Check which IPs are used by a given username or which usernames are used by a given IP.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index 05ee545..d2a3348 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -95,6 +95,7 @@
"checkuser-email-action": "Logged text when a user sends an e-mail. Probably preceded by the name of the checkuser.\n\nParameters:\n* $1 - a salted MD5 hash for the user an email was sent to",
"checkuser-reset-action": "Logged text when a user resets a password. Parameters:\n* $1 - the username for which the password was reset. Can be used for GENDER.",
"checkuser-toollinks": "{{notranslate}}\nParameters:\n* $1 - IP address",
+ "checkuser-token-fail": "Error message shown when the CSRF token does not match the current session.",
"group-checkuser.css": "{{doc-group|checkuser|css}}",
"group-checkuser.js": "{{doc-group|checkuser|js}}",
"apihelp-query+checkuser-description": "{{doc-apihelp-description|query+checkuser}}",
diff --git a/specials/SpecialCheckUser.php b/specials/SpecialCheckUser.php
index c5b1ab1..1804f26 100644
--- a/specials/SpecialCheckUser.php
+++ b/specials/SpecialCheckUser.php
@@ -48,7 +48,9 @@ class CheckUser extends SpecialPage {
# Perform one of the various submit operations...
if ( $request->wasPosted() ) {
- if ( $request->getVal( 'action' ) === 'block' ) {
+ if ( !$this->getUser()->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
+ $this->getOutput()->wrapWikiMsg( '<div class="error">$1</div>', 'checkuser-token-fail' );
+ } elseif ( $request->getVal( 'action' ) === 'block' ) {
$this->doMassUserBlock( $users, $blockreason, $tag, $talkTag );
} elseif ( !$this->checkReason( $reason ) ) {
$this->getOutput()->addWikiMsg( 'checkuser-noreason' );
@@ -168,6 +170,7 @@ class CheckUser extends SpecialPage {
$form .= '</tr>';
$form .= Xml::closeElement( 'table' );
$form .= '</fieldset>';
+ $form .= Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() );
$form .= Xml::closeElement( 'form' );
# Output form
$this->getOutput()->addHTML( $form );
--
2.1.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
27278
Default Alt Text
0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch (3 KB)

Event Timeline