F34457802
T282905.patch
abi_ (Abijeet Patro)
Authored By
abi_
May 17 2021, 3:09 PM
2021-05-17 15:09:11 (UTC+0)
Size
1 KB
diff --git a/api/ApiAggregateGroups.php b/api/ApiAggregateGroups.php
index 7e403d841..42704c6fc 100644
--- a/api/ApiAggregateGroups.php
+++ b/api/ApiAggregateGroups.php
@@ -8,6 +8,8 @@
* @license GPL-2.0-or-later
*/
+use MediaWiki\Logger\LoggerFactory;
+
/**
* API module for managing aggregate message groups
* Only supports aggregate message groups defined inside the wiki.
@@ -89,9 +91,21 @@ class ApiAggregateGroups extends ApiBase {
if ( !isset( $params['aggregategroup'] ) ) {
$this->dieWithError( [ 'apierror-missingparam', 'aggregategroup' ] );
}
- TranslateMetadata::deleteGroup( $params['aggregategroup'] );
- // @todo Logging
+ $aggregateGroupId = $params['aggregategroup'];
+ $group = MessageGroups::getGroup( $aggregateGroupId );
+ if ( !$group || !( $group instanceof AggregateMessageGroup ) ) {
+ $this->dieWithError(
+ 'apierror-translate-invalidaggregategroupname', 'invalidaggregategroupname'
+ );
+ }
+
+ TranslateMetadata::deleteGroup( $params['aggregategroup'] );
+ $logger = LoggerFactory::getInstance( 'Translate' );
+ $logger->info(
+ 'Aggregate group {groupId} has been deleted.',
+ [ 'groupId' => $aggregateGroupId ]
+ );
} elseif ( $action === 'add' ) {
if ( !isset( $params['groupname'] ) ) {
$this->dieWithError( [ 'apierror-missingparam', 'groupname' ] );
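Review bot: The context array passed to `$logger->info()` in the delete branch carries only `groupId`, so the log entry records that an aggregate group was deleted but not who deleted it. Since the point of the change is to leave a trace, add the acting user to the context, for example a `user` key filled from `$this->getUser()->getName()`, and mention it in the message. Two smaller points in the same branch: `TranslateMetadata::deleteGroup( $params['aggregategroup'] )` still reads the raw parameter even though `$aggregateGroupId` was just introduced and validated, so pass the variable for consistency; and `!$group ||` is redundant, because `instanceof AggregateMessageGroup` is already false for a null group.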
Attached To
T282932: Aggregategroups Action API module allows deleting translatable page metadata for any group without trace (CVE-2021-36129)