Jack Phoenix has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/308324

Change subject: [SECURITY] Version 3.3: add CSRF protection into the API module 
and the special pages which perform write actions
......................................................................

[SECURITY] Version 3.3: add CSRF protection into the API module and the special 
pages which perform write actions

Also swapped jQuery to $ in the JS file and fixed a bug in
Special:LinkEdit where the redirection to Special:LinkSubmit wasn't always
working.

Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6
---
M ApiLinkFilter.php
M LinkFilter.js
M SpecialLinkEdit.php
M SpecialLinkSubmit.php
M extension.json
5 files changed, 53 insertions(+), 36 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/LinkFilter 
refs/changes/24/308324/1

diff --git a/ApiLinkFilter.php b/ApiLinkFilter.php
index 9a8836a..bc05091 100644
--- a/ApiLinkFilter.php
+++ b/ApiLinkFilter.php
@@ -63,6 +63,14 @@
                return true;
        }
 
+       public function needsToken() {
+               return 'csrf';
+       }
+
+       public function isWriteMode() {
+               return true;
+       }
+
        /**
         * @return String: human-readable module description
         */
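Review bot: The two new methods have no docblocks even though the rest of the file documents every method (see the `@return String` block immediately below); add `/** @return string Token type required by this write module */` above `needsToken()` and `/** @return bool */` above `isWriteMode()`. A CSRF token only shows the request came from the session owner, it does not authorize the action, so `execute()` (outside this hunk) still needs its own check that the user holds the right needed to approve or reject links — if that check is already there, nothing more is needed here. Note also that, as far as I recall ApiBase, a non-false `needsToken()` makes `mustBePosted()` true by default, so GET requests to this module are now rejected; a sentence in the docblock would make that behaviour change visible to the next reader.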
diff --git a/LinkFilter.js b/LinkFilter.js
index 46eeeb7..54f14fb 100644
--- a/LinkFilter.js
+++ b/LinkFilter.js
@@ -3,7 +3,6 @@
  *
  * @file
  * @author Jack Phoenix <j...@countervandalism.net>
- * @date 9 August 2015
  */
 var LinkFilter = {
        /**
@@ -14,28 +13,25 @@
         * @param {Number} ID of the link to approve or reject
         */
        linkAction: function( action, link_id ) {
-               jQuery( 'div.action-buttons-1' ).hide();
+               $( 'div.action-buttons-1' ).hide();
 
-               jQuery.post(
-                       mw.util.wikiScript( 'api' ), {
-                               action: 'linkfilter',
-                               id: link_id,
-                               status: action,
-                               format: 'json'
-                       },
-                       function( data ) {
-                               var msg;
-                               switch ( action ) {
-                                       case 1:
-                                               msg = mw.msg( 
'linkfilter-admin-accept-success' );
-                                               break;
-                                       case 2:
-                                               msg = mw.msg( 
'linkfilter-admin-reject-success' );
-                                               break;
-                               }
-                               jQuery( '#action-buttons-' + link_id ).html( 
msg ).show( 1000 );
+               ( new mw.Api() ).postWithToken( 'edit', {
+                       action: 'linkfilter',
+                       id: link_id,
+                       status: action,
+                       format: 'json'
+               } ).done( function( data ) {
+                       var msg;
+                       switch ( action ) {
+                               case 1:
+                                       msg = mw.msg( 
'linkfilter-admin-accept-success' );
+                                       break;
+                               case 2:
+                                       msg = mw.msg( 
'linkfilter-admin-reject-success' );
+                                       break;
                        }
-               );
+                       $( '#action-buttons-' + link_id ).html( msg ).show( 
1000 );
+               } );
        },
 
        /**
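Review bot: The new `postWithToken()` chain has only a `.done()` handler, so when the token fetch or the API call fails (expired session, missing right, network error) the buttons hidden on the first line of `linkAction` are never shown again and the admin gets no feedback; add a failure branch such as `} ).fail( function () { $( 'div.action-buttons-1' ).show(); } );` or render an error message into `#action-buttons-` + link_id. The token type `'edit'` here differs from the `'csrf'` the API module now declares; recent `mw.Api` versions map the legacy name, but using `'csrf'` in both places avoids relying on that indirection. `data` in the `.done()` callback is unused, and `msg` stays undefined for any `action` other than 1 or 2 so `undefined` is passed to `.html()`; both are pre-existing but cheap to tidy while the block is being rewritten.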
@@ -91,28 +87,28 @@
        }
 };
 
-jQuery( document ).ready( function() {
+$( document ).ready( function() {
        // "Accept" links on Special:LinkApprove
-       jQuery( 'a.action-accept' ).click( function() {
-               var that = jQuery( this );
+       $( 'a.action-accept' ).click( function() {
+               var that = $( this );
                LinkFilter.linkAction( 1, that.data( 'link-id' ) );
        } );
 
        // "Reject" links on Special:LinkApprove
-       jQuery( 'a.action-reject' ).click( function() {
-               var that = jQuery( this );
+       $( 'a.action-reject' ).click( function() {
+               var that = $( this );
                LinkFilter.linkAction( 2, that.data( 'link-id' ) );
        } );
 
        // Textarea on Special:LinkEdit/Special:LinkSubmit
-       jQuery( 'textarea.lr-input' ).bind( 'keyup', function() {
+       $( 'textarea.lr-input' ).bind( 'keyup', function() {
                LinkFilter.limitText( document.link.lf_desc, 300 );
        } ).bind( 'keydown', function() {
                LinkFilter.limitText( document.link.lf_desc, 300 );
        } );
 
        // Submit button on Special:LinkEdit/Special:LinkSubmit
-       jQuery( '#link-submit-button' ).click( function() {
+       $( '#link-submit-button' ).click( function() {
                LinkFilter.submitLink();
        } );
 } );
\ No newline at end of file
diff --git a/SpecialLinkEdit.php b/SpecialLinkEdit.php
index 197d8c8..389a4c7 100644
--- a/SpecialLinkEdit.php
+++ b/SpecialLinkEdit.php
@@ -40,7 +40,12 @@
                $out->addModuleStyles( 'ext.linkFilter.styles' );
                $out->addModules( 'ext.linkFilter.scripts' );
 
-               if ( $request->wasPosted() && $_SESSION['alreadysubmitted'] == 
false ) {
+               if (
+                       $request->wasPosted() &&
+                       $_SESSION['alreadysubmitted'] == false &&
+                       $user->matchEditToken( $request->getVal( 'wpEditToken' 
) )
+               )
+               {
                        $_SESSION['alreadysubmitted'] = true;
 
                        // Update link
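Review bot: When the token check fails the request silently falls through to the form-rendering path below, so a user whose session expired gets no indication that the submission was discarded; consider separating that case, e.g. `} elseif ( $request->wasPosted() ) { $out->addWikiMsg( 'sessionfailure' ); }` so the core session-failure message is shown (the enclosing method starts outside the hunk and I cannot see what the rest of it does, so adjust to fit). `$_SESSION['alreadysubmitted'] == false` is a loose comparison that is also true for an unset key — `empty( $_SESSION['alreadysubmitted'] )` states that intent explicitly. The opening brace on its own line (`)` then `{`) departs from the `) {` style used elsewhere in the file. The same three points apply to the matching hunk in SpecialLinkSubmit.php.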
@@ -75,7 +80,7 @@
                $l = new Link();
                $link = $l->getLinkByPageID( $request->getInt( 'id' ) );
 
-               if( is_array( $link ) ) {
+               if ( is_array( $link ) && !empty( $link ) ) {
                        $url = htmlspecialchars( $link['url'], ENT_QUOTES );
                        $description = htmlspecialchars( $link['description'], 
ENT_QUOTES );
                } else {
@@ -133,8 +138,9 @@
                $output .= '</select>
                                <div class="link-submit-button">
                                        <input tabindex="5" class="site-button" 
type="button" id="link-submit-button" value="' . $this->msg( 
'linkfilter-submit-button' )->text() . '" />
-                               </div>
-                       </form>
+                               </div>' .
+                               Html::hidden( 'wpEditToken', 
$this->getUser()->getEditToken() ) .
+                       '</form>
                </div>';
 
                $output .= '<div class="lr-right">' .
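Review bot: The hidden token is generated with `$this->getUser()->getEditToken()` while the check in the POST branch of this file uses `$user->matchEditToken(...)`; if `$user` is the same object (it appears to be assigned earlier, outside this hunk) use it here too so the two halves of the check visibly agree. On the adjacent context line the submit button's `value="..."` attribute is filled with `->text()`; `->escaped()` would keep a quote in a translated message from breaking the markup, and since the token-bearing form is the thing being hardened here it is a reasonable moment to fix it. Both points apply equally to the matching hunk in SpecialLinkSubmit.php.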
diff --git a/SpecialLinkSubmit.php b/SpecialLinkSubmit.php
index 2e8060f..ab72af0 100644
--- a/SpecialLinkSubmit.php
+++ b/SpecialLinkSubmit.php
@@ -46,7 +46,12 @@
 
                // If the request was POSTed and we haven't already submitted 
it, start
                // processing it
-               if ( $request->wasPosted() && $_SESSION['alreadysubmitted'] == 
false ) {
+               if (
+                       $request->wasPosted() &&
+                       $_SESSION['alreadysubmitted'] == false &&
+                       $user->matchEditToken( $request->getVal( 'wpEditToken' 
) )
+               )
+               {
                        $_SESSION['alreadysubmitted'] = true;
 
                        // No link title? Show an error message in that case.
@@ -172,8 +177,9 @@
                $output .= '</select>
                                <div class="link-submit-button">
                                        <input tabindex="5" class="site-button" 
type="button" id="link-submit-button" value="' . $this->msg( 
'linkfilter-submit-button' )->text() . '" />
-                               </div>
-                       </form>
+                               </div>' .
+                               Html::hidden( 'wpEditToken', 
$this->getUser()->getEditToken() ) .
+                       '</form>
                </div>';
 
                $output .= '<div class="lr-right">' .
diff --git a/extension.json b/extension.json
index 10a37ee..6c79e89 100644
--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
        "name": "LinkFilter",
-       "version": "3.2.2",
+       "version": "3.3",
        "author": [
                "Aaron Wright",
                "David Pean",
@@ -119,6 +119,7 @@
                },
                "ext.linkFilter.scripts": {
                        "scripts": "LinkFilter.js",
+                       "dependencies": [ "mediawiki.api" ],
                        "messages": [
                                "linkfilter-admin-accept-success", 
"linkfilter-admin-reject-success",
                                "linkfilter-submit-no-title", 
"linkfilter-submit-no-type",

-- 
To view, visit https://gerrit.wikimedia.org/r/308324

Gerrit-MessageType: newchange
Gerrit-Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/LinkFilter
Gerrit-Branch: master
Gerrit-Owner: Jack Phoenix <j...@countervandalism.net>
