F31093230
T238451.patch
Authored By
Daimona
Nov 16 2019, 1:25 PM
2019-11-16 13:25:57 (UTC+0)
Size
2 KB
From dfc818e8bcafd827f408966a4f0707ab288f907b Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Sat, 16 Nov 2019 14:22:46 +0100
Subject: [PATCH] SECURITY: Require view-private or modify for the
evalexpression API
This is consistent with the "anti-DoS" measures on other API modules.
Although this may not be a serious DoS vector, it makes sense to
restrict this module. Moreover, it's also consistent with
Special:AbuseFilter/tools (which is the corresponding web interface),
which requires the same user rights.
Bug: T238451
Change-Id: Id09fd57195d71884674ac0470f137ca30c56e13c
---
i18n/api/en.json | 1 +
i18n/api/qqq.json | 1 +
includes/api/ApiAbuseFilterEvalExpression.php | 5 +++++
3 files changed, 7 insertions(+)
diff --git a/i18n/api/en.json b/i18n/api/en.json
index 15c90fcd..609facb3 100644
--- a/i18n/api/en.json
+++ b/i18n/api/en.json
@@ -57,6 +57,7 @@
"apihelp-abuselogprivatedetails-example-1": "Get private details for the AbuseLog entry with ID 1, using the reason \"example\".",
"apierror-abusefilter-canttest": "You don't have permission to test abuse filters.",
"apierror-abusefilter-cantcheck": "You don't have permission to check syntax of abuse filters.",
+ "apierror-abusefilter-canteval": "You don't have permission to evaluate AbuseFilter expressions.",
"apierror-abusefilter-nosuchlogid": "There is no abuselog entry with the id $1.",
"apierror-abusefilter-badsyntax": "The filter has invalid syntax."
}
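Review bot: the new `apierror-abusefilter-canteval` message at the `+` line says "evaluate AbuseFilter expressions" while its two neighbours (`canttest`, `cantcheck`) say "abuse filters"; for consistency with the surrounding strings consider "You don't have permission to evaluate abuse filter expressions." Consider also whether the message should name the rights being required (view-private or modify, per the commit subject), since a caller who hits this error after the change has no other hint about which right to ask for.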
diff --git a/i18n/api/qqq.json b/i18n/api/qqq.json
index 9655af67..c8cefc26 100644
--- a/i18n/api/qqq.json
+++ b/i18n/api/qqq.json
@@ -89,6 +89,7 @@
"apihelp-abuselogprivatedetails-example-1": "{{doc-apihelp-example|abuselogprivatedetails}}",
"apierror-abusefilter-canttest": "{{doc-apierror}}",
"apierror-abusefilter-cantcheck": "{{doc-apierror}}",
+ "apierror-abusefilter-canteval": "{{doc-apierror}}",
"apierror-abusefilter-nosuchlogid": "{{doc-apierror}}\n\nParameters:\n* $1 - AbuseFilter log ID number.",
"apierror-abusefilter-badsyntax": "{{doc-apierror}}"
}
diff --git a/includes/api/ApiAbuseFilterEvalExpression.php b/includes/api/ApiAbuseFilterEvalExpression.php
index 18701670..c8c4534a 100644
--- a/includes/api/ApiAbuseFilterEvalExpression.php
+++ b/includes/api/ApiAbuseFilterEvalExpression.php
@@ -5,6 +5,11 @@ class ApiAbuseFilterEvalExpression extends ApiBase {
* @see ApiBase::execute()
*/
public function execute() {
+ // "Anti-DoS"
+ if ( !AbuseFilter::canViewPrivate( $this->getUser() ) ) {
+ $this->dieWithError( 'apierror-abusefilter-canteval', 'permissiondenied' );
+ }
+
$params = $this->extractRequestParams();
$result = AbuseFilter::evaluateExpression( $params['expression'] );
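Review bot: the commit subject says the module now requires "view-private or modify", but the added check only calls `AbuseFilter::canViewPrivate( $this->getUser() )`; please confirm in the review that this helper also accepts the `abusefilter-modify` right, otherwise users who can edit filters but lack `abusefilter-view-private` would be locked out of a module the task (T238451) says should match `abusefilterchecksyntax`. Placing the check before `extractRequestParams()` is the right order, so no attacker-controlled expression is parsed or evaluated before authorization. Two smaller points: the `// "Anti-DoS"` comment is too terse to explain the intent to the next reader; something like `// Same rights as Special:AbuseFilter/tools: only trusted users may make the wiki evaluate arbitrary expressions (T238451)` would carry the reasoning from the commit message into the code. And the patch adds no change to the module's help text, so API consumers reading the generated documentation will not learn that the module now requires these rights; a note in the module's help summary would close that gap.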
Attached To
T238451: abusefilterchecksyntax and abusefilterevalexpression should require the same permissions