SECURITY: Require login to preview user CSS pages
authorChad Horohoe <chadh@wikimedia.org>
Fri, 19 Aug 2016 20:53:52 +0000 (13:53 -0700)
committerChad <chadh@wikimedia.org>
Tue, 23 Aug 2016 03:18:51 +0000 (03:18 +0000)
Anon users have predictable edit tokens, hence someone could
force an anon to execute arbitrary CSS by means of a CSRF.

Bug: T133147
Change-Id: I442b2b46cadb967aaa1f35648eff183fc7eaa475

includes/OutputPage.php

index eb3040c..8fb3bc2 100644 (file)
@@ -2852,7 +2852,6 @@ class OutputPage extends ContextSource {
 
        private function isUserJsPreview() {
                return $this->getConfig()->get( 'AllowUserJs' )
-                       && $this->getUser()->isLoggedIn()
                        && $this->getTitle()
                        && $this->getTitle()->isJsSubpage()
                        && $this->userCanPreview();
@@ -3097,6 +3096,11 @@ class OutputPage extends ContextSource {
                }
 
                $user = $this->getUser();
+
+               if ( !$this->getUser()->isLoggedIn() ) {
+                       // Anons have predictable edit tokens
+                       return false;
+               }
                if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
                        return false;
                }
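Review bot: The added guard calls `$this->getUser()` again although `$user` was assigned on the line just above it; `if ( !$user->isLoggedIn() ) {` would keep the login check and the `matchEditToken()` check visibly on the same object. The comment would also help more if it stated the consequence, for example `// Anons have predictable edit tokens, so a matching token does not rule out CSRF`. The enclosing method starts and ends outside this hunk. If it is the `userCanPreview()` that `isUserJsPreview()` calls, the `isLoggedIn()` condition removed in the first hunk now rests entirely on this guard. A regression test asserting that an anonymous request with a token is refused preview would cover both the CSS and the JS paths.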