Page MenuHomePhabricator
Files F4250657

SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights().patch
Anomie
Actions

Authored By
Anomie
Jul 7 2016, 9:27 PM
Size
1 KB
Referenced Files
None
Subscribers
None

SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights().patch
View Options

From 0a5b1f7412a2e7571eec690cafe0ae9d26808fd6 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Thu, 7 Jul 2016 17:24:50 -0400
Subject: [PATCH] SECURITY: Move 'UserGetRights' call before application of
Session::getAllowedUserRights()
This prevents hook functions from accidentally adding rights that should
be denied based on the session grants.
If some extension really needs to be able to override session grants,
add a new hook where the old call was, with documentation explicitly
warning about the security implications.
Bug: T139670
Change-Id: I6392cf4d7cc9d3ea96554b25bb5f8abb66e9031b
---
includes/user/User.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/user/User.php b/includes/user/User.php
index 4a92f65..19e273b 100644
--- a/includes/user/User.php
+++ b/includes/user/User.php
@@ -3253,6 +3253,7 @@ class User implements IDBAccessObject {
public function getRights() {
if ( is_null( $this->mRights ) ) {
$this->mRights = self::getGroupPermissions( $this->getEffectiveGroups() );
+ Hooks::run( 'UserGetRights', [ $this, &$this->mRights ] );
// Deny any rights denied by the user's session, unless this
// endpoint has no sessions.
@@ -3263,7 +3264,6 @@ class User implements IDBAccessObject {
}
}
- Hooks::run( 'UserGetRights', [ $this, &$this->mRights ] );
// Force reindexation of rights when a hook has unset one of them
$this->mRights = array_values( array_unique( $this->mRights ) );
}
--
2.8.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3852436
Default Alt Text
SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights().patch (1 KB)

Event Timeline

Anomie updated the name for this file from "0001-SECURITY-Move-UserGetRights-call-before-application-.patch" to "SECURITY: Move 'UserGetRights' call before application of Session::getAllowedUserRights().patch".Jul 7 2016, 9:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits