From 756827cae7483b5aae7d45228e89ae4cfc203364 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Fri, 13 Jul 2018 08:07:51 -0700 Subject: [PATCH] SECURITY: API: Respect $wgBlockCIDRLimit in action=block $wgBlockCIDRLimit states how large rangeblocks are allowed to be for IPv4 and IPv6. The API now calls SpecialBlock::validateTarget() to perform that validation step. As a minor thing, SpecialBlock::checkUnblockSelf() is now called twice by the API, but that can probably be cleaned up at another time. Tests included. Bug: T199540 Change-Id: Ic7d60240d9ebd9580c0eb3b41e4befceab69bd81 --- includes/api/ApiBlock.php | 5 +++++ tests/phpunit/includes/api/ApiBlockTest.php | 19 ++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php index c71de40f08..480126760e 100644 --- a/includes/api/ApiBlock.php +++ b/includes/api/ApiBlock.php @@ -129,6 +129,11 @@ class ApiBlock extends ApiBase { 'NamespaceRestrictions' => $namespaceRestrictions, ]; + $status = SpecialBlock::validateTarget( $params['user'], $user ); + if ( !$status->isOK() ) { + $this->dieStatus( $status ); + } + $retval = SpecialBlock::processForm( $data, $this->getContext() ); if ( $retval !== true ) { $this->dieStatus( $this->errorArrayToStatus( $retval ) ); diff --git a/tests/phpunit/includes/api/ApiBlockTest.php b/tests/phpunit/includes/api/ApiBlockTest.php index 060834fef0..e06f828148 100644 --- a/tests/phpunit/includes/api/ApiBlockTest.php +++ b/tests/phpunit/includes/api/ApiBlockTest.php @@ -22,6 +22,10 @@ class ApiBlockTest extends ApiTestCase { ); $this->mUser = $this->getMutableTestUser()->getUser(); + $this->setMwGlobals( 'wgBlockCIDRLimit', [ + 'IPv4' => 16, + 'IPv6' => 19, + ] ); } protected function getTokens() { @@ -41,7 +45,6 @@ class ApiBlockTest extends ApiTestCase { $tokens = $this->getTokens(); $this->assertNotNull( $this->mUser, 'Sanity check' ); - $this->assertNotSame( 0, $this->mUser->getId(), 'Sanity check' ); $this->assertArrayHasKey( 'blocktoken', $tokens, 'Sanity check' ); @@ -332,4 +335,18 @@ class ApiBlockTest extends ApiTestCase { self::$users['sysop']->getUser() ); } + + public function testRangeBlock() { + $this->mUser = User::newFromName( '128.0.0.0/16', false ); + $this->doBlock(); + } + + /** + * @expectedException ApiUsageException + * @expectedExceptionMessage Range blocks larger than /16 are not allowed. + */ + public function testVeryLargeRangeBlock() { + $this->mUser = User::newFromName( '128.0.0.0/1', false ); + $this->doBlock(); + } } -- 2.20.1