Page MenuHomePhabricator
Files F34884240

0001-SECURITY-Require-read-right-for-most-actions-REL1_35.patch
Legoktm (Legoktm)
Actions

Authored By
Legoktm
Dec 15 2021, 1:12 AM
Size
2 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-Require-read-right-for-most-actions-REL1_35.patch
View Options

From badfecb41777efcb0792e62866c99b2cb0dad1d1 Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Mon, 13 Dec 2021 22:30:16 -0800
Subject: [PATCH] SECURITY: Require 'read' right for most actions
As a security hardening measure to limit exposure on private wikis from
actions on $wgWhitelistRead pages, require an explicit 'read' right on
actions by default. Currently only ViewAction disables this check since
it does its own permissions checking.
This is somewhat duplicative of the permissions check in
MediaWiki::performRequest() but we'll call it defense in depth. It also
matches similar logic in the Action and REST APIs.
Bug: T34716
Bug: T297416
Change-Id: Ib2a6c08dc50c69c3ed6e5708ab72441a90fcd3e1
---
includes/MediaWiki.php | 5 +++++
includes/actions/Action.php | 10 ++++++++++
includes/actions/ViewAction.php | 6 ++++++
3 files changed, 21 insertions(+)
diff --git a/includes/MediaWiki.php b/includes/MediaWiki.php
index da0c231bd2..6158690f2e 100644
--- a/includes/MediaWiki.php
+++ b/includes/MediaWiki.php
@@ -505,6 +505,11 @@ class MediaWiki {
$action = Action::factory( $act, $article, $this->context );
if ( $action instanceof Action ) {
+ // Check read permissions
+ if ( $action->needsReadRights() && !$user->isAllowed( 'read' ) ) {
+ throw new PermissionsError( 'read' );
+ }
+
// Narrow DB query expectations for this HTTP request
$trxLimits = $this->config->get( 'TrxProfilerLimits' );
$trxProfiler = Profiler::instance()->getTransactionProfiler();
diff --git a/includes/actions/Action.php b/includes/actions/Action.php
index bf9838224f..bce11f3023 100644
--- a/includes/actions/Action.php
+++ b/includes/actions/Action.php
@@ -398,6 +398,16 @@ abstract class Action implements MessageLocalizer {
return null;
}
+ /**
+ * Indicates whether this action requires read rights
+ * @since 1.35.5
+ * @stable to override
+ * @return bool
+ */
+ public function needsReadRights() {
+ return true;
+ }
+
/**
* Checks if the given user (identified by an object) can perform this action. Can be
* overridden by sub-classes with more complicated permissions schemes. Failures here
diff --git a/includes/actions/ViewAction.php b/includes/actions/ViewAction.php
index 957e6470d3..f9237c00e0 100644
--- a/includes/actions/ViewAction.php
+++ b/includes/actions/ViewAction.php
@@ -37,6 +37,12 @@ class ViewAction extends FormlessAction {
return null;
}
+ public function needsReadRights() {
+ // Pages in $wgWhitelistRead can be viewed without having the 'read'
+ // right. We rely on Article::view() to properly check read access.
+ return false;
+ }
+
public function show() {
$config = $this->context->getConfig();
--
2.33.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9304239
Default Alt Text
0001-SECURITY-Require-read-right-for-most-actions-REL1_35.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL