Checkuser API does not use tokens
Closed, Resolved, Public

Description

Doesn't leak information, but could be used to have the user perform sensitive write actions unknowingly if I understand correctly.


Version: master
Severity: minor

bzimport set Reference to bz45019.
Krenair created this task. Via Legacy, Feb 14 2013, 9:45 PM

Krenair added a comment. Via Conduit, Mar 20 2013, 7:12 PM

Created attachment 11962
Add token requirement to Checkuser API

attachment b45019.patch ignored as obsolete

Krenair added a comment. Via Conduit, Jul 4 2013, 12:02 AM

Created attachment 12745
Add token requirement to Checkuser API

Attached: b45019.patch

csteipp added a comment. Via Conduit, Aug 26 2013, 8:16 PM

Tested and working well so far. I'll deploy this and we'll release it with 1.21.2.

csteipp added a comment. Via Conduit, Aug 28 2013, 6:38 PM

Deployed
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/CheckUser
18:36 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/CheckUser

csteipp added a comment. Via Conduit, Sep 5 2013, 5:03 PM

This was assigned CVE-2013-4306

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
