
0001-SECURITY-Check-edit-token-in-Special-MergeLexemes.patch

Authored By
Lucas_Werkmeister_WMDE
Mar 4 2024, 10:19 AM
Size
1 KB


From ebb49abd05950066d94fb52639feafdb94a357d3 Mon Sep 17 00:00:00 2001
From: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
Date: Fri, 9 Feb 2024 11:49:22 +0100
Subject: [PATCH] SECURITY: Check edit token in Special:MergeLexemes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use a TokenCheckInteractor just like in Special:RedirectEntity and
Special:MergeItems in Wikibase.
To reduce the risk of merge conflicts, don’t inject the required
services nor add imports yet; we can clean this up once this change has
been made public.
SpecialMergeLexemesTest doesn’t need any changes to keep working as far
as I can tell locally.
Bug: T357101
Change-Id: Idb48cf22e8d5616cc39e05d59076d5d6073e249c
---
src/MediaWiki/Specials/SpecialMergeLexemes.php | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/MediaWiki/Specials/SpecialMergeLexemes.php b/src/MediaWiki/Specials/SpecialMergeLexemes.php
index 99baa94d20..254cb17ec7 100644
--- a/src/MediaWiki/Specials/SpecialMergeLexemes.php
+++ b/src/MediaWiki/Specials/SpecialMergeLexemes.php
@@ -184,6 +184,19 @@ private function anonymousEditWarning(): string {
}
private function mergeLexemes( LexemeId $sourceId, LexemeId $targetId ): void {
+ // TODO inject interactor+localizer once this is public
+ // phpcs:disable MediaWiki.Classes.FullQualifiedClassName.Found
+ try {
+ \Wikibase\Repo\WikibaseRepo::getTokenCheckInteractor()
+ ->checkRequestToken( $this->getContext(), 'wpEditToken' );
+ } catch ( \Wikibase\Repo\Interactors\TokenCheckException $e ) {
+ $message = \Wikibase\Repo\WikibaseRepo::getExceptionLocalizer()
+ ->getExceptionMessage( $e );
+ $this->showErrorHTML( $message->parse() );
+ return;
+ }
+ // phpcs:enable
+
try {
$status = $this->mergeInteractor->mergeLexemes(
$sourceId,
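Review bot: the new token-check branch in mergeLexemes() has no regression test behind it; the commit message notes that SpecialMergeLexemesTest keeps passing unchanged, which also means nothing would fail if the `checkRequestToken( $this->getContext(), 'wpEditToken' )` call were later dropped, so a test that submits the merge form without a valid token and asserts that the error is shown and mergeInteractor->mergeLexemes() is never reached would lock the fix in. The check itself is placed correctly, before the merge interactor is called, so no state change can happen on a failed token; the visible lines do not show whether the request method is also restricted to POST, and if the surrounding code does not already require that, it is worth adding alongside the token check so a valid token cannot be carried in a GET URL that ends up in referrers or logs. The fully qualified `\Wikibase\Repo\WikibaseRepo` calls under `phpcs:disable` are acceptable for the embargoed change as the TODO says, but the follow-up that injects the TokenCheckInteractor and ExceptionLocalizer should be filed before this is merged so it is not forgotten once the fix is public.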
--
2.44.0
