From: Lucas Werkmeister
Date: Mon, 17 Dec 2018 13:02:39 +0000 (+0100)
Subject: SECURITY: Fix cache mode for (un)patrolled recent changes query
X-Git-Tag: 1.31.2~5
X-Git-Url: http://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=commitdiff_plain;h=ea0f1b5f004a9dc1cdf5568259c337d45f15ce9b

SECURITY: Fix cache mode for (un)patrolled recent changes query

Restricting the list of recent changes to patrolled, not patrolled, autopatrolled, not autopatrolled, or unpatrolled recent changes requires special permissions (as does displaying that status in the properties of returned entries), but we only set the cache mode to private in the first two cases.

Bug: T212118
Change-Id: I4c3fe6e47f80ebf97fa37875c704328d08772d26
---

diff --git a/includes/api/ApiQueryRecentChanges.php b/includes/api/ApiQueryRecentChanges.php
index 326debc0e0..864b182891 100644
--- a/includes/api/ApiQueryRecentChanges.php
+++ b/includes/api/ApiQueryRecentChanges.php
@@ -200,12 +200,7 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase {
 		}
 
 		// Check permissions
-		if ( isset( $show['patrolled'] )
-			|| isset( $show['!patrolled'] )
-			|| isset( $show['unpatrolled'] )
-			|| isset( $show['autopatrolled'] )
-			|| isset( $show['!autopatrolled'] )
-		) {
+		if ( $this->includesPatrollingFlags( $show ) ) {
 			if ( !$user->useRCPatrol() && !$user->useNPPatrol() ) {
 				$this->dieWithError( 'apierror-permissiondenied-patrolflag', 'permissiondenied' );
 			}
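Review bot: The `// Check permissions` comment above the rewritten condition no longer says what is being protected now that the flag list has moved into includesPatrollingFlags(), and a reader cannot tell from this hunk that the cache mode is keyed on the same set. Suggest `// Check permissions: filtering on patrol status reveals patrol state, so require patrol rights; getCacheMode() must treat the same flags as private` so the two call sites stay in sync when a flag is added. The enclosing method begins before this hunk, so whether `$show` is the flipped array the helper's docblock expects cannot be confirmed here and is worth checking at its assignment.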
@@ -620,13 +615,23 @@ class ApiQueryRecentChanges extends ApiQueryGeneratorBase {
 		return $vals;
 	}
 
+	/**
+	 * @param array $flagsArray flipped array (string flags are keys)
+	 * @return bool
+	 */
+	private function includesPatrollingFlags( array $flagsArray ) {
+		return isset( $flagsArray['patrolled'] ) ||
+			isset( $flagsArray['!patrolled'] ) ||
+			isset( $flagsArray['unpatrolled'] ) ||
+			isset( $flagsArray['autopatrolled'] ) ||
+			isset( $flagsArray['!autopatrolled'] );
+	}
+
 	public function getCacheMode( $params ) {
-		if ( isset( $params['show'] ) ) {
-			foreach ( $params['show'] as $show ) {
-				if ( $show === 'patrolled' || $show === '!patrolled' ) {
-					return 'private';
-				}
-			}
+		if ( isset( $params['show'] ) &&
+			$this->includesPatrollingFlags( array_flip( $params['show'] ) )
+		) {
+			return 'private';
 		}
 		if ( isset( $params['token'] ) ) {
 			return 'private';
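Review bot: getCacheMode() still returns 'private' only for the `show` parameter, while the commit message itself says that displaying patrol status in the returned properties needs the same permission; unless the part of getCacheMode() below this hunk already covers it, a request with `prop=patrolled` (or `autopatrolled`) remains publicly cacheable. The new helper can close that gap with `if ( isset( $params['prop'] ) && $this->includesPatrollingFlags( array_flip( $params['prop'] ) ) ) { return 'private'; }` placed before the `token` check, provided the `prop` value names match the flag keys. The helper's docblock states only the argument shape; a purpose line such as `Whether the flipped flag set contains any patrol-status flag — the same set the permission check rejects for users without patrol rights, so the two must change together` would make that coupling explicit. getCacheMode() continues past the end of the hunk.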