Page MenuHomePhabricator
Create Task
Maniphest T72469

CentralAuth MergeAccount doesn't check edit token
Closed, ResolvedPublic
Actions

Description

Special:MergeAccount puts an edit token in all of the forms, but never checks that they are valid.

Version: master
Severity: normal

Details

Reference
bz70469

Related Objects

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:53 AM
bzimport added a project: MediaWiki-extensions-CentralAuth.
bzimport set Reference to bz70469.
csteipp created this task.Sep 5 2014, 10:03 PM
Legoktm added a comment.Sep 6 2014, 2:01 AM

Created attachment 16390
patch

Attached:

0001-Check-token-in-Special-MergeAccount.patch986 BDownload

csteipp added a comment.Sep 16 2014, 7:20 PM

Working fine in my testing, and fixes the problem. I'll get this deployed.

tstarling added a comment.Sep 24 2014, 3:23 AM

Privately cherry picked from 1.24wmf21 to 1.24wmf22.

csteipp added a comment.Oct 8 2014, 9:01 PM

Created attachment 16723
Patch after file reorg

Attached:

0001-Check-token-in-Special-MergeAccount.patch1022 BDownload

Ragesoss mentioned this in T64308: Attempting to use OAuth for a SUL wiki where you do not have a user account causes 500 Internal Server Error.Nov 26 2014, 9:28 PM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.May 5 2015, 5:51 PM
csteipp added a project: Vuln-CSRF.Aug 20 2015, 9:56 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits