Page MenuHomePhabricator
Files F7153969

0004-SECURITY-SpecialWatchlist-Check-CSRF-token-when-usin.patch
Reedy (Sam Reed)
Actions

Authored By
Reedy
Apr 2 2017, 11:44 PM
Size
2 KB
Referenced Files
None
Subscribers
None

0004-SECURITY-SpecialWatchlist-Check-CSRF-token-when-usin.patch
View Options

From 0a254fdac6e476f8f953d18194af47077dbd823f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Mon, 7 Nov 2016 20:10:21 +0100
Subject: [PATCH 4/9] SECURITY: SpecialWatchlist: Check CSRF token when using
"Mark all pages visited"
Bug: T150044
Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661
---
RELEASE-NOTES-1.29 | 2 ++
includes/specials/SpecialWatchlist.php | 2 ++
2 files changed, 4 insertions(+)
diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 93618ae..78b056e 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -90,6 +90,8 @@ production.
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+ token.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php
index 365736f..c1c9ab0 100644
--- a/includes/specials/SpecialWatchlist.php
+++ b/includes/specials/SpecialWatchlist.php
@@ -81,6 +81,7 @@ class SpecialWatchlist extends ChangesListSpecialPage {
if ( ( $config->get( 'EnotifWatchlist' ) || $config->get( 'ShowUpdatedMarker' ) )
&& $request->getVal( 'reset' )
&& $request->wasPosted()
+ && $user->matchEditToken( $request->getVal( 'token' ) )
) {
$user->clearAllNotifications();
$output->redirect( $this->getPageTitle()->getFullURL( $opts->getChangedValues() ) );
@@ -660,6 +661,7 @@ class SpecialWatchlist extends ChangesListSpecialPage {
'id' => 'mw-watchlist-resetbutton' ] ) . "\n" .
Xml::submitButton( $this->msg( 'enotif_reset' )->text(),
[ 'name' => 'mw-watchlist-reset-submit' ] ) . "\n" .
+ Html::hidden( 'token', $user->getEditToken() ) . "\n" .
Html::hidden( 'reset', 'all' ) . "\n";
foreach ( $nondefaults as $key => $value ) {
$form .= Html::hidden( $key, $value ) . "\n";
--
2.9.3

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4520771
Default Alt Text
0004-SECURITY-SpecialWatchlist-Check-CSRF-token-when-usin.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL