jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: Check ownership of homewiki when globalizing on login
......................................................................


SECURITY: Check ownership of homewiki when globalizing on login

If the person logging in didn't own the homewiki, they could still
get attached to it. They wouldn't be able to do anything malicious,
since they wouldn't have the correct password, but would be locked
out of their account upon next login.

Bug: 71749
Change-Id: I2928795d405d1a6b7a126fd4dc4f47cb409a5439
---
M includes/CentralAuthPlugin.php
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  CSteipp: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/CentralAuthPlugin.php b/includes/CentralAuthPlugin.php
index cb54090..6286ba4 100644
--- a/includes/CentralAuthPlugin.php
+++ b/includes/CentralAuthPlugin.php
@@ -77,7 +77,7 @@
                        // See if all the unattached accounts match passwords
                        // and can be globalized. (bug 70392)
                        if ( $wgCentralAuthAutoMigrate ) {
-                               $ok = $central->storeAndMigrate( array( 
$password ), /* $sendToRC = */ true, /* $safe = */ true );
+                               $ok = $central->storeAndMigrate( array( 
$password ), /* $sendToRC = */ true, /* $safe = */ true, /* $checkHome = */ 
true );
                                if ( $ok ) {
                                        wfDebugLog( 'CentralAuth',
                                                "wgCentralAuthAutoMigrate 
successful in creating a global account for '$username'" );
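
Review bot: The home wiki ownership check in the changed storeAndMigrate() call is opt-in, passed as a fourth positional boolean, so any other caller that omits /* $checkHome = */ true keeps the behaviour the commit message describes (an account attached without owning the home wiki, then locked out at next login). Only CentralAuthPlugin.php is touched here, so it is worth confirming that no other call site of storeAndMigrate() needs the same argument, or making the check the default inside the method so that callers have to opt out explicitly. Three consecutive bare true values are also easy to misorder; the inline comments help, but named constants or an options array would make a mistake visible in review. The change ships without a test: a regression case where the supplied password matches unattached accounts but not the home wiki account, asserting that $ok is false and nothing is attached, would keep this from reappearing.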

-- 
To view, visit https://gerrit.wikimedia.org/r/165610
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I2928795d405d1a6b7a126fd4dc4f47cb409a5439
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: master
Gerrit-Owner: CSteipp <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
