
0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch

Authored By
Tgr
Oct 19 2016, 10:37 PM

0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch

From 6529d523b8ba844a32d8fbd9e346c64fa3966c19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <gtisza@wikimedia.org>
Date: Wed, 19 Oct 2016 02:43:18 +0000
Subject: [PATCH] SECURITY: check stage and user blocked/locked status in
/identify
Bug: T148600
Change-Id: I81327a86890d99dfaef1b1a217a68b4404608394
---
frontend/specialpages/SpecialMWOAuth.php | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php
index 8b39881..f6bbf7e 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -42,7 +42,7 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
}
public function execute( $subpage ) {
- global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly;
+ global $wgMWOAuthSecureTokenTransfer, $wgMWOAuthReadOnly, $wgBlockDisablesLogin;
$this->setHeaders();
@@ -151,6 +151,8 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
$oauthRequest = MWOAuthRequest::fromRequest( $request );
// verify_request throws an exception if anything isn't verified
list( $consumer, $token ) = $server->verify_request( $oauthRequest );
+ /** @var MWOAuthConsumer $consumer */
+ /** @var MWOAuthToken $token */
$wiki = wfWikiID();
$dbr = MWOAuthUtils::getCentralDB( DB_SLAVE );
@@ -161,10 +163,15 @@ class SpecialMWOAuth extends \UnlistedSpecialPage {
'mwoauth-invalid-authorization-wrong-wiki',
array( $wiki )
);
+ } elseif ( !$consumer->isUsableBy( $user ) ) {
+ throw new MWOAuthException( 'mwoauth-invalid-authorization-not-approved',
+ $consumer->get( 'name' ) );
}
$localUser = MWOAuthUtils::getLocalUserFromCentralId( $access->get( 'userId' ) );
if ( !$localUser || !$localUser->isLoggedIn() ) {
throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' );
+ } elseif ( $localUser->isLocked() || $wgBlockDisablesLogin && $localUser->isBlocked() ) {
+ throw new MWOAuthException( 'mwoauth-invalid-authorization-blocked-user' );
}
// We know the identity of the user who granted the authorization
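Review bot: The new `!$consumer->isUsableBy( $user )` check depends on `$user`, which is not assigned anywhere in this hunk. If it is the special page's session user rather than the account that granted the authorization, a signed /identify request arriving without a login session would presumably be evaluated against an anonymous user; that would still reject unapproved consumers but never considers the grantor. Consider resolving `$localUser` first and calling `$consumer->isUsableBy( $localUser )`, or add a comment saying why the session user is the intended subject. The locked/blocked condition relies on `&&` binding tighter than `||`; `$localUser->isLocked() || ( $wgBlockDisablesLogin && $localUser->isBlocked() )` makes the intent explicit. `execute()` begins and ends outside this hunk, so the origin of `$user` needs to be confirmed there.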
--
1.9.1
