Jack Phoenix has uploaded a new change for review. https://gerrit.wikimedia.org/r/308324
Change subject: [SECURITY] Version 3.3: add CSRF protection into the API module and the special pages which perform write actions
......................................................................
[SECURITY] Version 3.3: add CSRF protection into the API module and the special pages which perform write actions
Also swapped jQuery to $ in the JS file and fixed a bug in Special:LinkEdit where the redirection to Special:LinkSubmit wasn't always working.
Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6
---
M ApiLinkFilter.php
M LinkFilter.js
M SpecialLinkEdit.php
M SpecialLinkSubmit.php
M extension.json
5 files changed, 53 insertions(+), 36 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/LinkFilter refs/changes/24/308324/1
diff --git a/ApiLinkFilter.php b/ApiLinkFilter.php
index 9a8836a..bc05091 100644
--- a/ApiLinkFilter.php
+++ b/ApiLinkFilter.php
@@ -63,6 +63,14 @@
 return true;
 }
 
+ public function needsToken() {
+ return 'csrf';
+ }
+
+ public function isWriteMode() {
+ return true;
+ }
+
 /**
 * @return String: human-readable module description
 */
diff --git a/LinkFilter.js b/LinkFilter.js
index 46eeeb7..54f14fb 100644
--- a/LinkFilter.js
+++ b/LinkFilter.js
@@ -3,7 +3,6 @@
 *
 * @file
 * @author Jack Phoenix <j...@countervandalism.net>
- * @date 9 August 2015
 */
 var LinkFilter = {
 /**
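Review bot: The two methods added to ApiLinkFilter.php carry no docblock, unlike the neighbouring `getDescription` with its `@return String:` comment, and nothing records why the token is required; add `/** @return string This module writes, so a CSRF token is required */` above `needsToken()` and `/** @return bool */` above `isWriteMode()`. Returning a token type from `needsToken()` makes ApiMain validate the `token` parameter before `execute()` runs and, if I recall the core default correctly, `ApiBase::mustBePosted()` then rejects GET requests as well, but it is worth confirming against the MediaWiki versions this extension targets that the token parameter no longer has to be listed in `getAllowedParams()`. Whether the module also checks the caller's right to approve or reject links is not visible here; the token only proves the request came from the user's own session, not that the user may perform the action.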
@@ -14,28 +13,25 @@
 * @param {Number} ID of the link to approve or reject
 */
 linkAction: function( action, link_id ) {
- jQuery( 'div.action-buttons-1' ).hide();
+ $( 'div.action-buttons-1' ).hide();
 
- jQuery.post(
- mw.util.wikiScript( 'api' ), {
- action: 'linkfilter',
- id: link_id,
- status: action,
- format: 'json'
- },
- function( data ) {
- var msg;
- switch ( action ) {
- case 1:
- msg = mw.msg( 'linkfilter-admin-accept-success' );
- break;
- case 2:
- msg = mw.msg( 'linkfilter-admin-reject-success' );
- break;
- }
- jQuery( '#action-buttons-' + link_id ).html( msg ).show( 1000 );
+ ( new mw.Api() ).postWithToken( 'edit', {
+ action: 'linkfilter',
+ id: link_id,
+ status: action,
+ format: 'json'
+ } ).done( function( data ) {
+ var msg;
+ switch ( action ) {
+ case 1:
+ msg = mw.msg( 'linkfilter-admin-accept-success' );
+ break;
+ case 2:
+ msg = mw.msg( 'linkfilter-admin-reject-success' );
+ break;
 }
- );
+ $( '#action-buttons-' + link_id ).html( msg ).show( 1000 );
+ } );
 },
 
 /**
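Review bot: The rewritten `linkAction` hides `div.action-buttons-1` before the request and registers only a `.done()` handler, so a rejected request (a `badtoken` or permission error from the API, or a failed token fetch inside `postWithToken`) leaves the buttons hidden with no feedback and no way to retry. Add a failure handler that at least restores the UI, `} ).fail( function () { $( 'div.action-buttons-1' ).show(); } );`, and consider surfacing the returned error text rather than dropping it. The token type passed is `'edit'` while ApiLinkFilter.php declares `needsToken()` as `'csrf'`; `mw.Api` treats `'edit'` as a legacy alias of `'csrf'` on recent MediaWiki, but passing `'csrf'` here keeps the client and the module in agreement. `format: 'json'` is redundant since `mw.Api` already defaults to JSON, and `data` is unused in the callback.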
@@ -91,28 +87,28 @@
 }
 };
 
-jQuery( document ).ready( function() {
+$( document ).ready( function() {
 // "Accept" links on Special:LinkApprove
- jQuery( 'a.action-accept' ).click( function() {
- var that = jQuery( this );
+ $( 'a.action-accept' ).click( function() {
+ var that = $( this );
 LinkFilter.linkAction( 1, that.data( 'link-id' ) );
 } );
 
 // "Reject" links on Special:LinkApprove
- jQuery( 'a.action-reject' ).click( function() {
- var that = jQuery( this );
+ $( 'a.action-reject' ).click( function() {
+ var that = $( this );
 LinkFilter.linkAction( 2, that.data( 'link-id' ) );
 } );
 
 // Textarea on Special:LinkEdit/Special:LinkSubmit
- jQuery( 'textarea.lr-input' ).bind( 'keyup', function() {
+ $( 'textarea.lr-input' ).bind( 'keyup', function() {
 LinkFilter.limitText( document.link.lf_desc, 300 );
 } ).bind( 'keydown', function() {
 LinkFilter.limitText( document.link.lf_desc, 300 );
 } );
 
 // Submit button on Special:LinkEdit/Special:LinkSubmit
- jQuery( '#link-submit-button' ).click( function() {
+ $( '#link-submit-button' ).click( function() {
 LinkFilter.submitLink();
 } );
 } );
\ No newline at end of file
diff --git a/SpecialLinkEdit.php b/SpecialLinkEdit.php
index 197d8c8..389a4c7 100644
--- a/SpecialLinkEdit.php
+++ b/SpecialLinkEdit.php
@@ -40,7 +40,12 @@
 $out->addModuleStyles( 'ext.linkFilter.styles' );
 $out->addModules( 'ext.linkFilter.scripts' );
 
- if ( $request->wasPosted() && $_SESSION['alreadysubmitted'] == false ) {
+ if (
+ $request->wasPosted() &&
+ $_SESSION['alreadysubmitted'] == false &&
+ $user->matchEditToken( $request->getVal( 'wpEditToken' ) )
+ )
+ {
 $_SESSION['alreadysubmitted'] = true;
 
 // Update link
@@ -75,7 +80,7 @@
 $l = new Link();
 $link = $l->getLinkByPageID( $request->getInt( 'id' ) );
 
- if( is_array( $link ) ) {
+ if ( is_array( $link ) && !empty( $link ) ) {
 $url = htmlspecialchars( $link['url'], ENT_QUOTES );
 $description = htmlspecialchars( $link['description'], ENT_QUOTES );
 } else {
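Review bot: Folding `$user->matchEditToken( ... )` into the same condition as `wasPosted()` in SpecialLinkEdit.php means a POST with a missing or stale token silently falls through to re-rendering the form; the user gets no indication that the submission was dropped, and nothing is logged. Check the token on its own and report the failure before the existing branch, e.g. `if ( $request->wasPosted() && !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) { $out->addWikiMsg( 'sessionfailure' ); }`, which is how core's own forms handle it. `$user` is not defined within the hunk; presumably it is assigned from `$this->getUser()` earlier in the method, but the form further down mints its token with `$this->getUser()->getEditToken()`, so using one accessor for both would make the pairing obvious. The same condition shape appears in SpecialLinkSubmit.php at `@@ -46,7 +46,12 @@` and the same remarks apply there. The enclosing method starts before and continues after this hunk.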
@@ -133,8 +138,9 @@
 $output .= '</select>
 <div class="link-submit-button">
 <input tabindex="5" class="site-button" type="button" id="link-submit-button" value="' . $this->msg( 'linkfilter-submit-button' )->text() . '" />
- </div>
- </form>
+ </div>' .
+ Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() ) .
+ '</form>
 </div>';
 
 $output .= '<div class="lr-right">' .
diff --git a/SpecialLinkSubmit.php b/SpecialLinkSubmit.php
index 2e8060f..ab72af0 100644
--- a/SpecialLinkSubmit.php
+++ b/SpecialLinkSubmit.php
@@ -46,7 +46,12 @@
 
 // If the request was POSTed and we haven't already submitted it, start
 // processing it
- if ( $request->wasPosted() && $_SESSION['alreadysubmitted'] == false ) {
+ if (
+ $request->wasPosted() &&
+ $_SESSION['alreadysubmitted'] == false &&
+ $user->matchEditToken( $request->getVal( 'wpEditToken' ) )
+ )
+ {
 $_SESSION['alreadysubmitted'] = true;
 
 // No link title? Show an error message in that case.
@@ -172,8 +177,9 @@
 $output .= '</select>
 <div class="link-submit-button">
 <input tabindex="5" class="site-button" type="button" id="link-submit-button" value="' . $this->msg( 'linkfilter-submit-button' )->text() . '" />
- </div>
- </form>
+ </div>' .
+ Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() ) .
+ '</form>
 </div>';
 
 $output .= '<div class="lr-right">' .
diff --git a/extension.json b/extension.json
index 10a37ee..6c79e89 100644
--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
 "name": "LinkFilter",
- "version": "3.2.2",
+ "version": "3.3",
 "author": [
 "Aaron Wright",
 "David Pean",
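Review bot: Both form hunks (`@@ -133,8 +138,9 @@` in SpecialLinkEdit.php and `@@ -172,8 +177,9 @@` in SpecialLinkSubmit.php) mint the hidden field with `$this->getUser()->getEditToken()`; for an anonymous user MediaWiki's edit token is a fixed value, so `matchEditToken()` only protects logged-in sessions. Whether these special pages already require login is outside the hunks; if they do not, a `$this->requireLogin()` (or an equivalent permission check) at the start of the method is what gives the token its meaning, and a one-line comment next to `Html::hidden( 'wpEditToken', ... )` saying so, e.g. `// CSRF token, checked by matchEditToken() on POST; only meaningful for logged-in users`, would help the next reader. The field is emitted via `Html::hidden`, so escaping is handled; the `type="button"` submit relies on `LinkFilter.submitLink()` to post the form, which is not visible here. The `$output .=` statement these hunks sit in starts before and ends within the hunk.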
@@ -119,6 +119,7 @@
 },
 "ext.linkFilter.scripts": {
 "scripts": "LinkFilter.js",
+ "dependencies": [ "mediawiki.api" ],
 "messages": [ "linkfilter-admin-accept-success", "linkfilter-admin-reject-success", "linkfilter-submit-no-title", "linkfilter-submit-no-type", -- To view, visit https://gerrit.wikimedia.org/r/308324 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I39f619f620325911bccd12d60c2a19df50315fd6 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/LinkFilter Gerrit-Branch: master Gerrit-Owner: Jack Phoenix <j...@countervandalism.net> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits