
0001-SECURITY-Fix-permissions-check-in-action-rollback-CV.patch

Authored By
Legoktm
Dec 15 2021, 1:04 AM
Size
1 KB

From 17a99b633361daf9cce67f4e0089f417aebe383e Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Sun, 12 Dec 2021 18:38:47 -0800
Subject: [PATCH] SECURITY: Fix permissions check in action=rollback
(CVE-2021-45038)

Because RollbackAction (as of 0a8403271109) overrode
FormAction::show(), it was no longer checking that the user had the
"rollback" userright. This restores that check, so people without the
"rollback" right will not be able to even get to the rollback form.
Then escape the user-supplied "from" parameter so it can't be used to
reveal the contents of other pages through transclusion, e.g.
"{{:Secret}}". wfEscapeWikiText() is also good practice for usernames in
general, as they can contain markup like bullets or single quotes that
affect output.
Bug: T297574
Change-Id: I7424f67f1217482b977f9617f0275c41fb94b60f
---
includes/actions/RollbackAction.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/includes/actions/RollbackAction.php b/includes/actions/RollbackAction.php
index 8f05573689..521ed0d3cf 100644
--- a/includes/actions/RollbackAction.php
+++ b/includes/actions/RollbackAction.php
@@ -128,6 +128,8 @@ class RollbackAction extends FormAction {
*/
public function show() {
$this->setHeaders();
+ // This will throw exceptions if there's a problem
+ $this->checkCanExecute( $this->getUser() );
if ( !$this->userOptionsLookup->getOption( $this->getUser(), 'showrollbackconfirmation' ) ||
$this->getRequest()->wasPosted()
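Review bot: the comment above `$this->checkCanExecute( $this->getUser() )` is too vague to protect this line from being dropped again in a future refactor of show(), which is exactly how the check was lost in 0a8403271109 according to the commit message. Say what it enforces and what happens on failure, e.g. `// Enforce the "rollback" userright (and block/read checks) before rendering the form; throws on failure`. It is also worth confirming in review that FormAction::checkCanExecute() does cover the "rollback" right for this action, since the hunk itself does not show that, and considering whether the check should run before setHeaders() so that nothing about the page is prepared for a user who is not allowed to see it.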
@@ -158,7 +160,7 @@ class RollbackAction extends FormAction {
if ( $from !== $userText ) {
throw new ErrorPageError( 'rollbackfailed', 'alreadyrolled', [
$this->getTitle()->getPrefixedText(),
- $from,
+ wfEscapeWikiText( $from ),
$userText
] );
}
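Review bot: only `$from` is escaped here while `$userText`, passed as the next argument on the line below `+ wfEscapeWikiText( $from ),`, still reaches the 'alreadyrolled' message unescaped. The commit message itself notes that usernames in general can carry markup such as bullets or single quotes that affect output, so apply the same treatment for consistency: `wfEscapeWikiText( $userText )`. Even if $userText comes from the revision record rather than the request, escaping both arguments makes the message parameters uniformly safe for wikitext.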
--
2.33.1
