Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F32423162
T205908.patch
DannyS712
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
DannyS712
Nov 2 2020, 12:59 PM
2020-11-02 12:59:22 (UTC+0)
Size
2 KB
Referenced Files
None
Subscribers
None
T205908.patch
View Options
From a06be89c8a36788f9be79dd89ee4582bde53cee8 Mon Sep 17 00:00:00 2001
From: DannyS712 <dannys712.enwiki@gmail.com>
Date: Fri, 30 Oct 2020 16:32:08 -0400
Subject: [PATCH] SECURITY: Set a dummy title for Action buttons on Special:Log
If no title is set, the fallback is to use the main page,
as defined by MediaWiki:Mainpage
On wikis where the main page can be translated, MediaWiki:Mainpage
is sometimes set to use Special:MyLanguage to redirect to the
appropriate version. This is interpreted as a special page, and
ACtion::getActionName forces the action to be 'view' if the title
cannot be used as a WikiPage, which includes all pages in NS_SPECIAL.
Set a dummy title to avoid this. The title provided is unused
by the SpecialPageAction class and does not matter.
Bug: T205908
Change-Id: I0f0d2e592df96c9bad9001baede900f716433cfa
---
includes/specials/SpecialLog.php | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/includes/specials/SpecialLog.php b/includes/specials/SpecialLog.php
index b1cd601dc1b..983bd5c1e80 100644
--- a/includes/specials/SpecialLog.php
+++ b/includes/specials/SpecialLog.php
@@ -276,6 +276,18 @@ class SpecialLog extends SpecialPage {
$s .= Html::hidden( 'action', 'historysubmit' ) . "\n";
$s .= Html::hidden( 'type', 'logging' ) . "\n";
+ // If no title is set, the fallback is to use the main page, as defined
+ // by MediaWiki:Mainpage
+ // On wikis where the main page can be translated, MediaWiki:Mainpage
+ // is sometimes set to use Special:MyLanguage to redirect to the
+ // appropriate version. This is interpreted as a special page, and
+ // Action::getActionName forces the action to be 'view' if the title
+ // cannot be used as a WikiPage, which includes all pages in NS_SPECIAL.
+ // Set a dummy title to avoid this. The title provided is unused
+ // by the SpecialPageAction class and does not matter.
+ // See T205908
+ $s .= Html::hidden( 'title', 'Unused' ) . "\n";
+
$buttons = '';
if ( $canRevDelete ) {
$buttons .= Html::element(
--
2.28.0.windows.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8603255
Default Alt Text
T205908.patch (2 KB)
Attached To
Mode
T263803: Tracking bug for MediaWiki 1.31.11/1.35.1
Attached
Detach File
T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477)
Attached
Detach File
Event Timeline
Log In to Comment