Checkuser API does not use tokens
Closed, Resolved
Public

Description

Doesn't leak information, but could be used to have the user perform sensitive write actions unknowingly if I understand correctly.


Version: master
Severity: minor

bzimport set Reference to bz45019.
Krenair created this task. Via Legacy, Feb 14 2013, 9:45 PM
Krenair added a comment. Via Conduit, Mar 20 2013, 7:12 PM

Created attachment 11962
Add token requirement to Checkuser API

attachment b45019.patch ignored as obsolete

Krenair added a comment. Via Conduit, Jul 4 2013, 12:02 AM

Created attachment 12745
Add token requirement to Checkuser API

Attached: b45019.patch

csteipp added a comment. Via Conduit, Aug 26 2013, 8:16 PM

Tested and working well so far. I'll deploy this and we'll release it with 1.21.2.

csteipp added a comment. Via Conduit, Aug 28 2013, 6:38 PM

Deployed
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/CheckUser
18:36 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/CheckUser

csteipp added a comment. Via Conduit, Sep 5 2013, 5:03 PM

This was assigned CVE-2013-4306

csteipp added a project: Security. Via Web, Thu, Mar 26, 8:39 PM
