Checkuser API does not use tokens
Closed, Resolved | Public

Description

Doesn't leak information, but could be used to have the user perform sensitive write actions unknowingly if I understand correctly.


Version: master
Severity: minor

Details

Reference
bz45019
bzimport set Reference to bz45019.
Krenair created this task. Feb 14 2013, 9:45 PM

Created attachment 11962
Add token requirement to Checkuser API

attachment b45019.patch ignored as obsolete

Created attachment 12745
Add token requirement to Checkuser API

Attached: b45019.patch

Tested and working well so far. I'll deploy this and we'll release it with 1.21.2.

Deployed
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/CheckUser
18:36 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/CheckUser

This was assigned CVE-2013-4306
