jenkins-bot has submitted this change and it was merged.

Change subject: Added warning for improper ending of a token
Added warning for improper ending of a token Added warning if token ends with Token::SUFFIX by comparing result of substr to Token::SUFFIX. Simplified Token class calls. Bug: T122280 Change-Id: Id405dcc7b5e4d28995edf334aa6e183efdb749de --- M includes/api/ApiCheckToken.php 1 file changed, 10 insertions(+), 1 deletion(-) Approvals: Anomie: Looks good to me, approved Unicornisaurous: Looks good to me, but someone else must approve jenkins-bot: Verified diff --git a/includes/api/ApiCheckToken.php b/includes/api/ApiCheckToken.php index 3d2159c..dd88b5f 100644 --- a/includes/api/ApiCheckToken.php +++ b/includes/api/ApiCheckToken.php @@ -22,6 +22,8 @@ * @file */ +use MediaWiki\Session\Token; + /** * @since 1.25 * @ingroup API @@ -39,6 +41,13 @@ $tokenObj = ApiQueryTokens::getToken( $this->getUser(), $this->getRequest()->getSession(), $salts[$params['type']] ); + + if ( substr( $token, -strlen( urldecode( Token::SUFFIX ) ) ) === urldecode( Token::SUFFIX ) ) { + $this->setWarning( + "Check that symbols such as \"+\" in the token are properly percent-encoded in the URL." + ); + } + if ( $tokenObj->match( $token, $maxage ) ) { $res['result'] = 'valid'; } elseif ( $maxage !== null && $tokenObj->match( $token ) ) { 
@@ -47,7 +56,7 @@ $res['result'] = 'invalid'; } - $ts = MediaWiki\Session\Token::getTimestamp( $token ); + $ts = Token::getTimestamp( $token ); if ( $ts !== null ) { $mwts = new MWTimestamp(); $mwts->timestamp->setTimestamp( $ts ); -- To view, visit https://gerrit.wikimedia.org/r/323896 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Id405dcc7b5e4d28995edf334aa6e183efdb749de Gerrit-PatchSet: 7 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Georggi199 <bmp2...@gmail.com> Gerrit-Reviewer: Aklapper <aklap...@wikimedia.org> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> Gerrit-Reviewer: Unicornisaurous <crazy...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
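Review bot: In the second hunk, the new suffix check placed ahead of `$tokenObj->match( $token, $maxage )` evaluates `urldecode( Token::SUFFIX )` twice and carries no comment on why the decoded suffix is compared, while the commit message describes the comparison as being against `Token::SUFFIX` itself. Consider hoisting the value into a local, for example `$decodedSuffix = urldecode( Token::SUFFIX );` (the variable name is only a suggestion), and adding a one-line comment that a "+" sent without percent-encoding is decoded as a space, which is the situation the warning text describes. The change touches only includes/api/ApiCheckToken.php, so a test that submits a token ending in the decoded suffix and asserts that the warning is set would help keep this check from regressing.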