F34778099
T296578.patch
Urbanecm
Authored By: Urbanecm, Nov 28 2021, 3:10 PM (2021-11-28 15:10:45 UTC+0)
Size: 1 KB
From b218b0988949f14e6b6eeca7bf5babec54e36ee7 Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sun, 28 Nov 2021 16:06:35 +0100
Subject: [PATCH] SECURITY: Do not let globally blocked users in
This is a quite hacky solution for the job, and it will
fatal in case the user meets all of the following conditions:
a) has the 'edit' right,
b) is not locally/globally blocked,
c) PermissionManager::userCan() returns false
However, throwing is likely better than a permission error, at least
from security's PoV.
Bug: T296578
Change-Id: I121eca1f7c86c17aba510fc5a50de347792f5aab
---
.../Specials/SetEntitySchemaLabelDescriptionAliases.php | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
index b42b9a8..d43bf79 100644
--- a/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
+++ b/src/MediaWiki/Specials/SetEntitySchemaLabelDescriptionAliases.php
@@ -48,7 +48,8 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
public function __construct( $htmlFormProvider = HTMLForm::class ) {
parent::__construct(
- 'SetEntitySchemaLabelDescriptionAliases'
+ 'SetEntitySchemaLabelDescriptionAliases',
+ 'edit'
);
$this->htmlFormProvider = $htmlFormProvider;
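Review bot: The 'edit' restriction added to the parent::__construct() call is a user-right check, not a block check; SpecialPage::checkPermissions() (assuming execute() still reaches it) only verifies the right, and a blocked user usually still holds 'edit', so blocked users are still kept out solely by checkBlocked() further down in this patch. Worth stating that in a short comment next to the constructor, and confirming that turning this into a restricted special page (users without 'edit', e.g. anonymous readers where anonymous editing is off, now get a permission error before the form) is the intended behaviour.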
@@ -407,11 +408,11 @@ class SetEntitySchemaLabelDescriptionAliases extends SpecialPage {
}
private function checkBlocked( LinkTarget $title ) {
- if ( MediaWikiServices::getInstance()->getPermissionManager()
- ->isBlockedFrom( $this->getUser(), $title )
+ if ( !MediaWikiServices::getInstance()->getPermissionManager()
+ ->userCan( 'edit', $this->getUser(), $title )
) {
// @phan-suppress-next-line PhanTypeMismatchArgumentNullable
- throw new UserBlockedError( $this->getUser()->getBlock() );
+ throw new UserBlockedError( $this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock() );
}
}
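Review bot: The fallback `$this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock()` can still evaluate to null whenever userCan( 'edit', ... ) returns false for a reason other than a block (page protection, a permission hook, a read-only check), and passing null to UserBlockedError is exactly the fatal the commit message describes; the phan suppression on the preceding line now hides that on the new expression too. Suggest resolving the block first and branching on it, e.g. `$block = $this->getUser()->getBlock() ?? $this->getUser()->getGlobalBlock(); if ( $block ) { throw new UserBlockedError( $block ); } throw new PermissionsError( 'edit' );`, so a non-block denial still yields a proper permission error instead of a type error.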
--
2.20.1
Attached To: T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471)