From 43fe3f21d48075ebbabcf0825b1520804ca9175e Mon Sep 17 00:00:00 2001
From: sbassett
Date: Tue, 11 Feb 2020 17:03:40 -0600
Subject: [PATCH] SECURITY: Better controls for logout interface buttons

* Adds data-mw attribute support within BaseTemplate->getPersonalTools()
* Adds data-mw="interface" for default logout button in SkinTemplate->buildPersonalUrls()
* Adds the [data-mw="interface"] selector to the '#pt-logout a' click handler added in 8f033911030d.

Bug: T232932
Change-Id: I8e933badb77c89212603a36470ce655e30c137f0
---
 includes/skins/BaseTemplate.php | 10 +++++++++-
 includes/skins/SkinTemplate.php | 1 +
 resources/src/mediawiki.page.ready/ready.js | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/includes/skins/BaseTemplate.php b/includes/skins/BaseTemplate.php
index 0e9bc57a07..9436c3b1d8 100644
--- a/includes/skins/BaseTemplate.php
+++ b/includes/skins/BaseTemplate.php
@@ -139,7 +139,15 @@ abstract class BaseTemplate extends QuickTemplate {
 if ( isset( $plink['active'] ) ) {
 $ptool['active'] = $plink['active'];
 }
- foreach ( [ 'href', 'class', 'text', 'dir', 'data', 'exists' ] as $k ) {
+ foreach ( [
+ 'href',
+ 'class',
+ 'text',
+ 'dir',
+ 'data',
+ 'exists',
+ 'data-mw'
+ ] as $k ) {
 if ( isset( $plink[$k] ) ) {
 $ptool['links'][0][$k] = $plink[$k];
 }
diff --git a/includes/skins/SkinTemplate.php b/includes/skins/SkinTemplate.php
index 327061c681..cde419777c 100644
--- a/includes/skins/SkinTemplate.php
+++ b/includes/skins/SkinTemplate.php
@@ -675,6 +675,7 @@ class SkinTemplate extends Skin {
 if ( $request->getSession()->canSetUser() ) {
 $personal_urls['logout'] = [
 'text' => $this->msg( 'pt-userlogout' )->text(),
+ 'data-mw' => 'interface',
 'href' => self::makeSpecialUrl( 'Userlogout',
 // Note: userlogout link must always contain an & character, otherwise we might not be able
 // to detect a buggy precaching proxy (T19790)
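Review bot: In the includes/skins/BaseTemplate.php hunk, `'data-mw'` joins the keys copied from `$plink` into `$ptool['links'][0]` with no comment saying that it now acts as a trust marker rather than ordinary link data. Because the logout click handler keys on it, I would add above the `foreach` a comment such as `// 'data-mw' marks links generated by the interface; the logout handler in mediawiki.page.ready binds only to links that carry it (T232932)`. The same gap applies to `'data-mw' => 'interface',` in the SkinTemplate.php hunk, where a one-line pointer to the selector in ready.js would keep the two literals in sync. Whether the key ends up as an attribute on the rendered anchor depends on link-building code outside these hunks, and skins that build the personal tools list without this method presumably fall back to the plain logout link, so both are worth confirming. The enclosing methods start and end outside the hunks.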
diff --git a/resources/src/mediawiki.page.ready/ready.js b/resources/src/mediawiki.page.ready/ready.js
index 48d605d455..28374ce8a6 100644
--- a/resources/src/mediawiki.page.ready/ready.js
+++ b/resources/src/mediawiki.page.ready/ready.js
@@ -54,7 +54,7 @@ $( function () {
 } );
 // Turn logout to a POST action
- $( '#pt-logout a' ).on( 'click', function ( e ) {
+ $( '#pt-logout a[data-mw="interface"]' ).on( 'click', function ( e ) {
 var api = new mw.Api(),
 url = this.href;
 mw.notify(
--
2.20.1
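Review bot: The narrowed selector `#pt-logout a[data-mw="interface"]` is only as strong as the guarantee that user-supplied markup cannot carry a `data-mw` attribute, and nothing in this commit states or tests that guarantee. I would extend the comment above the handler to something like `// Only bind to the skin-generated link: page content may contain an element with id pt-logout, but is assumed unable to set data-mw (T232932)`. A regression test asserting that the content sanitizer strips `data-mw` from user markup would stop the marker from silently losing its meaning. The handler still takes `url = this.href` from the clicked element; how that value is used lies outside the hunk, so it is worth confirming that it is not followed without validation.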