
0001-SECURITY-Check-read-permission-when-loading-page-con.patch

Authored By
Bawolff
Jun 13 2016, 8:13 AM
Size
2 KB

0001-SECURITY-Check-read-permission-when-loading-page-con.patch

From 6f115d9f3fe3ae109e535fe5957bf2145edcd290 Mon Sep 17 00:00:00 2001
From: Daniel Kinzler <daniel.kinzler@wikimedia.de>
Date: Mon, 13 Jun 2016 04:01:43 -0400
Subject: [PATCH] SECURITY: Check read permission when loading page content in
ApiParse.
Modified from Daniel's original patch to also check if the user
can read the pre-redirect page name.
Issue originally reported by Tobias
Bug: T115333
Change-Id: I19f5c2583393794cff802a70af7ccf43c2fed85c
---
includes/api/ApiParse.php | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/includes/api/ApiParse.php b/includes/api/ApiParse.php
index fe418e3..fe276f8 100644
--- a/includes/api/ApiParse.php
+++ b/includes/api/ApiParse.php
@@ -36,6 +36,12 @@ class ApiParse extends ApiBase {
/** @var Content $pstContent */
private $pstContent = null;
+ private function checkReadPermissions( Title $title ) {
+ if ( !$title->userCan( 'read', $this->getUser() ) ) {
+ $this->dieUsage( "You don't have permission to view this page", 'permissiondenied' );
+ }
+ }
+
public function execute() {
// The data is hot but user-dependent, like page views, so we set vary cookies
$this->getMain()->setCacheMode( 'anon-public-user-private' );
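Review bot: The new `checkReadPermissions()` helper has no docblock, while the surrounding class documents even its private properties (`/** @var Content $pstContent */`). A one-line PHPDoc above the method would make the contract explicit to the three call sites added in this patch: `/** Dies with 'permissiondenied' unless the current user may read $title. */`. It is also worth stating in that comment that this is a title-level read check only, since the revision-level `Revision::DELETED_TEXT` check remains a separate step at the `oldid` call site.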
@@ -102,6 +108,8 @@ class ApiParse extends ApiBase {
if ( !$rev ) {
$this->dieUsage( "There is no revision ID $oldid", 'missingrev' );
}
+
+ $this->checkReadPermissions( $rev->getTitle() );
if ( !$rev->userCan( Revision::DELETED_TEXT, $this->getUser() ) ) {
$this->dieUsage( "You don't have permission to view deleted revisions", 'permissiondenied' );
}
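Review bot: `$rev->getTitle()` is passed straight into a parameter declared as `Title`; if `Revision::getTitle()` can return null for a revision whose page row is missing, the new call fails with a type error instead of a clean API error, whereas the pre-existing `DELETED_TEXT` check on the next line did not dereference the title. Consider capturing it first: `$title = $rev->getTitle(); if ( !$title ) { $this->dieUsage( "There is no revision ID $oldid", 'missingrev' ); }` and then passing `$title` to `checkReadPermissions()`. The enclosing `execute()` method starts and ends outside this hunk.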
@@ -134,11 +142,17 @@ class ApiParse extends ApiBase {
$reqParams = [
'redirects' => '',
];
+ $pageParams = [];
if ( !is_null( $pageid ) ) {
$reqParams['pageids'] = $pageid;
+ $pageParams['pageid'] = $pageid;
} else { // $page
$reqParams['titles'] = $page;
+ $pageParams['title'] = $page;
}
+ $this->checkReadPermissions(
+ $this->getTitleOrPageId( $pageParams )->getTitle()
+ );
$req = new FauxRequest( $reqParams );
$main = new ApiMain( $req );
$pageSet = new ApiPageSet( $main );
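Review bot: The read check on the requested title carries no comment, so a reader of this block cannot tell why a second check on the resolved title follows after the page set runs; the reasoning is only in the commit message. A short comment above the call would preserve it in the code: `// Check the title exactly as requested; the redirect target is checked separately once resolved.`. Note also that `getTitleOrPageId()` can die on its own for an invalid title or unknown page id before the `ApiPageSet` is built, which may change the error code a caller sees compared to the previous flow — worth confirming against the expected `missingtitle` behaviour. The enclosing `execute()` method starts and ends outside this hunk.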
@@ -161,6 +175,8 @@ class ApiParse extends ApiBase {
if ( !$titleObj || !$titleObj->exists() ) {
$this->dieUsage( "The page you specified doesn't exist", 'missingtitle' );
}
+
+ $this->checkReadPermissions( $titleObj );
$wgTitle = $titleObj;
if ( isset( $prop['revid'] ) ) {
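Review bot: The read-permission check is placed after the `!$titleObj->exists()` test, so a user who is not allowed to read the title still receives `missingtitle` versus `permissiondenied` and learns whether the page exists; checking permission first closes that. Since `checkReadPermissions()` requires a non-null `Title`, split the guard: `if ( !$titleObj ) { $this->dieUsage( "The page you specified doesn't exist", 'missingtitle' ); }`, then `$this->checkReadPermissions( $titleObj );`, then `if ( !$titleObj->exists() ) { $this->dieUsage( "The page you specified doesn't exist", 'missingtitle' ); }`. The `oldid` branch in the second hunk has the same existence-before-permission ordering, though there the title is not known until the revision has loaded. The enclosing `execute()` method continues outside this hunk.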
--
2.0.1
