
0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch

Authored By
Tgr
Oct 19 2016, 2:47 AM

0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch

From 28ed841b685f543df412c463887284130c085145 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <gtisza@wikimedia.org>
Date: Wed, 19 Oct 2016 02:43:18 +0000
Subject: [PATCH] SECURITY: check stage and user locked status in /identify
Bug: T148600
Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394
---
frontend/specialpages/SpecialMWOAuth.php | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php
index 8b39881..3e0a5c3 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -151,6 +151,8 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
$oauthRequest = MWOAuthRequest::fromRequest( $request );
// verify_request throws an exception if anything isn't verified
list( $consumer, $token ) = $server->verify_request( $oauthRequest );
+ /** @var MWOAuthConsumer $consumer */
+ /** @var MWOAuthToken $token */
$wiki = wfWikiID();
$dbr = MWOAuthUtils::getCentralDB( DB_SLAVE );
@@ -161,9 +163,12 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
'mwoauth-invalid-authorization-wrong-wiki',
array( $wiki )
);
+ } elseif ( !$consumer->isUsableBy( $user ) ) {
+ throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved',
+ $consumer->get( 'name' ) );
}
$localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
- if ( !$localUser || !$localUser->isLoggedIn() ) {
+ if ( !$localUser || !$localUser->isLoggedIn() || $localUser->isLocked() ) {
throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' );
}
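Review bot: The new throw in the `elseif ( !$consumer->isUsableBy( $user ) )` branch passes `$consumer->get( 'name' )` as a bare second argument, while the wrong-wiki throw directly above wraps its message parameter as `array( $wiki )`; if MWOAuthException expects a parameter array, the consumer name may not be substituted into the message, so the call should probably read `throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved', array( $consumer->get( 'name' ) ) );` — confirm against the constructor's signature. The added `$localUser->isLocked()` test sits after the `!$localUser` guard in the same `||` chain, so it is never evaluated on a false value. Both `$user` (passed to `isUsableBy()`) and `$access` are bound outside this hunk, as is the rest of the enclosing method, so whether `$user` is the identity the stage check is meant to be evaluated against cannot be verified from here.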
--
1.9.1
