Authored By
BlankEclair
Aug 11 2024, 11:01 AM

T372209.patch

From 3812c86f8d5c2300ec3ca98df95c4882a5c1ee6d Mon Sep 17 00:00:00 2001
From: BlankEclair <blankeclair@disroot.org>
Date: Sun, 11 Aug 2024 20:47:15 +1000
Subject: [PATCH] SECURITY: Add CSRF protection for DeleteCargoTable and
SwitchCargoTable
Bug: T372209
Change-Id: I87258ecb5ed2868c36ad4bdb57ac7c72982ceb0e
---
includes/specials/SpecialDeleteCargoTable.php | 3 ++-
includes/specials/SpecialSwitchCargoTable.php | 5 ++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/includes/specials/SpecialDeleteCargoTable.php b/includes/specials/SpecialDeleteCargoTable.php
index 78482f5..2f18fb9 100644
--- a/includes/specials/SpecialDeleteCargoTable.php
+++ b/includes/specials/SpecialDeleteCargoTable.php
@@ -53,6 +53,7 @@ class SpecialDeleteCargoTable extends UnlistedSpecialPage {
$out = $this->getOutput();
$req = $this->getRequest();
+ $csrfTokenSet = $this->getContext()->getCsrfTokenSet();
$out->enableOOUI();
@@ -84,7 +85,7 @@ class SpecialDeleteCargoTable extends UnlistedSpecialPage {
$fieldTables = unserialize( $row['field_tables'] );
$fieldHelperTables = unserialize( $row['field_helper_tables'] );
- if ( $this->getRequest()->getCheck( 'delete' ) ) {
+ if ( $req->wasPosted() && $req->getCheck( 'delete' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
self::deleteTable( $tableName, $fieldTables, $fieldHelperTables );
$text = Html::element( 'p', null, $this->msg( 'cargo-deletetable-success', $tableName )->parse() ) . "\n";
$tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),
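Review bot: A POST whose `wpEditToken` is missing or stale now fails the combined condition on the new `if` line and falls into the else branch outside this hunk, so the user gets the confirmation form back with no explanation; the same applies to the `switch` condition in the second hunk of SpecialSwitchCargoTable.php. Consider giving a posted request with a bad token explicit feedback before the form is re-rendered, e.g. `} elseif ( $req->wasPosted() && $req->getCheck( 'delete' ) ) { $out->addWikiMsg( 'sessionfailure' ); }`. The diffstat shows no change to the form markup, so this relies on the confirmation form already emitting a `wpEditToken` hidden field (for instance from `$csrfTokenSet->getToken()`); if it does not, which cannot be seen from this hunk, every delete attempt will now be rejected. The enclosing method starts and ends outside the hunk.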
diff --git a/includes/specials/SpecialSwitchCargoTable.php b/includes/specials/SpecialSwitchCargoTable.php
index 5eb54ed..3144354 100644
--- a/includes/specials/SpecialSwitchCargoTable.php
+++ b/includes/specials/SpecialSwitchCargoTable.php
@@ -92,6 +92,9 @@ class SpecialSwitchCargoTable extends UnlistedSpecialPage {
$this->checkPermissions();
$out = $this->getOutput();
+ $req = $this->getRequest();
+ $csrfTokenSet = $this->getContext()->getCsrfTokenSet();
+
$tableName = $subpage;
$out->enableOOUI();
@@ -121,7 +124,7 @@ class SpecialSwitchCargoTable extends UnlistedSpecialPage {
$fieldTables = unserialize( $row['field_tables'] );
$fieldHelperTables = unserialize( $row['field_helper_tables'] );
- if ( $this->getRequest()->getCheck( 'switch' ) ) {
+ if ( $req->wasPosted() && $req->getCheck( 'switch' ) && $csrfTokenSet->matchToken( $req->getText( 'wpEditToken' ) ) ) {
self::switchInTableReplacement( $tableName, $fieldTables, $fieldHelperTables, $this->getUser() );
$text = Html::element( 'p', null, $this->msg( 'cargo-switchtables-success', $tableName )->parse() ) . "\n";
$tablesLink = CargoUtils::makeLink( $this->getLinkRenderer(),
--
2.45.2
