Authored By
Dylsss
Jan 8 2022, 8:05 PM
Size
1 KB
Referenced Files
None
Subscribers
None

T140010.patch

From 2e5a04850ec844508e7278c3384bc597f38c968a Mon Sep 17 00:00:00 2001
From: dylsss <dylssswp@gmail.com>
Date: Sat, 8 Jan 2022 18:31:48 +0000
Subject: [PATCH] SECURITY: Add additional permission checks to revert action
Add checks for the reupload and edit rights in order to prevent users from reverting cascade-protected files or overwriting files without the reupload right.
Bug: T140010
Change-Id: Ib24099425e2b29d70225086bc0a123d31ebc28d8
---
includes/actions/RevertAction.php | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/includes/actions/RevertAction.php b/includes/actions/RevertAction.php
index 4ddbf63908..9640f530b9 100644
--- a/includes/actions/RevertAction.php
+++ b/includes/actions/RevertAction.php
@@ -23,6 +23,8 @@
* @author Rob Church <robchur@gmail.com>
*/
+use MediaWiki\MediaWikiServices;
+
/**
* File reversion user interface
* WikiPage must contain getFile method: \WikiFilePage
@@ -73,7 +75,16 @@ class RevertAction extends FormAction {
throw new ErrorPageError( $this->msg( 'nosuchaction' ), $this->msg( 'nosuchactiontext' ) );
}
parent::checkCanExecute( $user );
-
+
+ $permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
+ $errors = $permissionManager->getPermissionErrors( 'reupload', $user, $this->getTitle() );
+ if ( !$errors ){
+ $errors = $permissionManager->getPermissionErrors( 'edit', $user, $this->getTitle() );
+ }
+ if ( $errors ){
+ throw new PermissionsError( 'reupload', $errors );
+ }
+
$oldimage = $this->getRequest()->getText( 'oldimage' );
if ( strlen( $oldimage ) < 16
|| strpos( $oldimage, '/' ) !== false
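Review bot: The added `throw new PermissionsError( 'reupload', $errors );` names 'reupload' as the denied action even when `$errors` came from the fallback 'edit' check, so a user stopped by cascade protection would probably see an error page naming the wrong right. Tracking which permission produced the errors keeps the message accurate and makes the list of required rights easy to extend. Separately, it is worth confirming how uploaders who hold only `reupload-own` should be treated, since the new 'reupload' check appears to reject them even for their own files. A regression test covering a cascade-protected file and a user without the reupload right would pin the fix. checkCanExecute begins above this hunk and continues below it.

```php
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
// Check each required right in turn and report the one that actually failed.
foreach ( [ 'reupload', 'edit' ] as $permission ) {
	$errors = $permissionManager->getPermissionErrors( $permission, $user, $this->getTitle() );
	if ( $errors ) {
		throw new PermissionsError( $permission, $errors );
	}
}
// … unchanged: oldimage request parsing and validation …
```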
--
2.33.0.windows.2

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9321026
Default Alt Text
T140010.patch (1 KB)
