
0001-SECURITY-Add-an-edit-token-to-Special-CheckUser.patch

Authored By
Legoktm
Jan 22 2015, 5:51 AM


From 0b165074868fc52e75464893c14c8f4515faccfa Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@gmail.com>
Date: Tue, 13 Jan 2015 12:30:26 -0800
Subject: [PATCH] SECURITY: Add an edit token to Special:CheckUser
Bug: T85858
Change-Id: I8b86ae48058ab85975b48a40008e91027387f5f8
---
i18n/en.json | 1 +
i18n/qqq.json | 1 +
specials/SpecialCheckUser.php | 6 +++++-
3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/i18n/en.json b/i18n/en.json
index 60119ae..884c852 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -78,6 +78,7 @@
"checkuser-email-action": "sent an email to user \"$1\"",
"checkuser-reset-action": "reset password for user \"$1\"",
"checkuser-toollinks": "<span class=\"plainlinks\">[[http://whois.domaintools.com/$1 RDNS] ·\n[http://www.robtex.com/rbls/$1.html RBLs] ·\n[http://www.dnsstuff.com/tools/tracert.ch?ip=$1 Traceroute] ·\n[http://www.ip2location.com/$1 Geolocate] ·\n[http://toolserver.org/~overlordq/scripts/checktor.fcgi?ip=$1 Tor check] ·\n[http://whois.arin.net/rest/ip/$1 WHOIS]]</span>",
+ "checkuser-token-fail": "Session failure. Please try again.",
"group-checkuser.css": "/* CSS placed here will affect checkuser only */",
"group-checkuser.js": "/* JS placed here will affect checkuser only */",
"apihelp-query+checkuser-description": "Check which IPs are used by a given username or which usernames are used by a given IP.",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index 05ee545..d2a3348 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
@@ -95,6 +95,7 @@
"checkuser-email-action": "Logged text when a user sends an e-mail. Probably preceded by the name of the checkuser.\n\nParameters:\n* $1 - a salted MD5 hash for the user an email was sent to",
"checkuser-reset-action": "Logged text when a user resets a password. Parameters:\n* $1 - the username for which the password was reset. Can be used for GENDER.",
"checkuser-toollinks": "{{notranslate}}\nParameters:\n* $1 - IP address",
+ "checkuser-token-fail": "Error message shown when the CSRF token does not match the current session.",
"group-checkuser.css": "{{doc-group|checkuser|css}}",
"group-checkuser.js": "{{doc-group|checkuser|js}}",
"apihelp-query+checkuser-description": "{{doc-apihelp-description|query+checkuser}}",
diff --git a/specials/SpecialCheckUser.php b/specials/SpecialCheckUser.php
index c5b1ab1..ff457ac 100644
--- a/specials/SpecialCheckUser.php
+++ b/specials/SpecialCheckUser.php
@@ -48,7 +48,9 @@ class CheckUser extends SpecialPage {
# Perform one of the various submit operations...
if ( $request->wasPosted() ) {
- if ( $request->getVal( 'action' ) === 'block' ) {
+ if ( !$this->getUser()->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
+ $this->getOutput()->wrapWikiMsg( '<div class="error">$1</div>', 'checkuser-token-fail' );
+ } elseif ( $request->getVal( 'action' ) === 'block' ) {
$this->doMassUserBlock( $users, $blockreason, $tag, $talkTag );
} elseif ( !$this->checkReason( $reason ) ) {
$this->getOutput()->addWikiMsg( 'checkuser-noreason' );
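Review bot: The guard added at line 60 compares against an unsalted token (`matchEditToken` with no salt, matching the bare `getEditToken()` emitted in the form hunks), so the same session token that any other form on the wiki carries is also accepted for the mass-block action; if this privileged action should be scoped, pass a constant salt on both sides, `matchEditToken( $request->getVal( 'wpEditToken' ), 'checkuser' )` here and `getEditToken( 'checkuser' )` in the hidden fields — a defense-in-depth choice, since the unsalted form is what most MediaWiki special pages use. The placement is the important part and is right: as the first branch of the `if/elseif` chain, a mismatch falls through every submit path below (including the branches cut off by the hunk) and only renders the error. A why-comment would stop a later refactor from reordering it: `# CSRF guard (T85858): keep this the first branch so no submit path below runs without a valid token.` The enclosing method begins and ends outside the hunk.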
@@ -168,6 +170,7 @@ class CheckUser extends SpecialPage {
$form .= '</tr>';
$form .= Xml::closeElement( 'table' );
$form .= '</fieldset>';
+ $form .= Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() );
$form .= Xml::closeElement( 'form' );
# Output form
$this->getOutput()->addHTML( $form );
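Review bot: The hidden field on line 70 only protects anything if this form is submitted with `method="post"`, because the corresponding check in this file runs inside the `$request->wasPosted()` branch; the `<form>` opening tag is above the hunk, so confirm the method there (a GET form would carry the token yet never have it validated, and its submit operations would silently not run). Appending the field after `</fieldset>` and before `</form>` is fine. A short comment would tie the two halves together for the next reader: `# CSRF token; every POST to this page is rejected without it.` The enclosing method starts and ends outside the hunk.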
@@ -1077,6 +1080,7 @@ class CheckUser extends SpecialPage {
array( 'id' => 'checkuserblocksubmit', 'name' => 'checkuserblock' ) ) . "</p>\n";
$s .= "</fieldset>\n";
}
+ $s .= Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() );
$s .= '</form>';
}
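Review bot: Line 78 emits the token after the closing brace of a conditional whose condition lies above the hunk, so the field is written whether or not the block fieldset was rendered; that is the safe choice, since the POST handler now rejects any submission without a token, not only block requests, but nothing in the hunk says so. A one-line comment would keep a future refactor from moving the line inside the `if`: `# Always emit the token: the POST handler rejects any submission without it, not just block requests.` The enclosing method begins outside the hunk.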
--
2.1.0
