Checkuser API does not use tokens
Closed, Resolved, Public


Doesn't leak information, but could be used to have the user perform sensitive write actions unknowingly if I understand correctly.

Version: master
Severity: minor


bzimport set Reference to bz45019.
Krenair created this task. Feb 14 2013, 9:45 PM

Created attachment 11962
Add token requirement to Checkuser API

attachment b45019.patch ignored as obsolete

Created attachment 12745
Add token requirement to Checkuser API

Attached: b45019.patch

Tested and working well so far. I'll deploy this and we'll release it with 1.21.2.

18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/CheckUser
18:36 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/CheckUser

This was assigned CVE-2013-4306
