SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

Bug: T150044
Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661

diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 94bdcf7..eece3de 100644 (file)
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -92,6 +92,8 @@ production.
   $wgAdvancedSearchHighlighting is true.
 * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
   their values out of the logs.
+* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
+  token.
 
 === Action API changes in 1.29 ===
 * Submitting sensitive authentication request parameters to action=login,

diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php
index 365736f..c1c9ab0 100644 (file)
--- a/includes/specials/SpecialWatchlist.php
+++ b/includes/specials/SpecialWatchlist.php
@@ -81,6 +81,7 @@ class SpecialWatchlist extends ChangesListSpecialPage {
                if ( ( $config->get( 'EnotifWatchlist' ) || $config->get( 'ShowUpdatedMarker' ) )
                        && $request->getVal( 'reset' )
                        && $request->wasPosted()
+                       && $user->matchEditToken( $request->getVal( 'token' ) )
                ) {
                        $user->clearAllNotifications();
                        $output->redirect( $this->getPageTitle()->getFullURL( $opts->getChangedValues() ) );
@@ -660,6 +661,7 @@ class SpecialWatchlist extends ChangesListSpecialPage {
                                'id' => 'mw-watchlist-resetbutton' ] ) . "\n" .
                        Xml::submitButton( $this->msg( 'enotif_reset' )->text(),
                                [ 'name' => 'mw-watchlist-reset-submit' ] ) . "\n" .
+                       Html::hidden( 'token', $user->getEditToken() ) . "\n" .
                        Html::hidden( 'reset', 'all' ) . "\n";
                        foreach ( $nondefaults as $key => $value ) {
                                $form .= Html::hidden( $key, $value ) . "\n";