jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/346847 )

Change subject: SECURITY: Do not allow users to undelete a page they can't edit or create
......................................................................


SECURITY: Do not allow users to undelete a page they can't edit or create

If the page exists, it only checks edit rights, otherwise it
checks both edit and create rights.

This would only matter on wikis that have a non-default rights
configuration where there are users with undelete rights but a
restriction level enabled that prevents them from creating/editing
pages (or they otherwise aren't allowed to edit/create)

It should be noted that the error messages aren't used in the
normal UI currently, but they could be in the future, and
extensions could potentially be using them (The backend functions
return them, but the UI functions in Special:Undelete ignore
them)

Bug: T108138
Change-Id: I164b80534cf89e0afca264e9de07431484af8508
---
M RELEASE-NOTES-1.29
M includes/Title.php
M includes/api/ApiUndelete.php
M languages/i18n/en.json
M languages/i18n/qqq.json
5 files changed, 23 insertions(+), 3 deletions(-)

Approvals:
  Chad: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index b835eb5..4b7de88 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -103,6 +103,8 @@
   in it's fallback chain when trying to work out where to write the cache.
 * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file 
inclusion
   syntax's link parameter.
+* (T108138) SECURITY: Sysops can undelete pages, although the page is 
protected against
+  it.
 
 === Action API changes in 1.29 ===
 * Submitting sensitive authentication request parameters to action=login,
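
Review bot: The added T108138 entry says "Sysops" and "protected against it", which is narrower than what the change enforces. The commit message describes any user holding the undelete right who cannot edit or create the page, whether through a protection level or otherwise. Suggest wording along the lines of "Users with the undelete right could undelete pages they are not allowed to edit or create", so administrators of wikis with custom rights configurations can tell whether they are affected.
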
diff --git a/includes/Title.php b/includes/Title.php
index f1cf81f..0db4094 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -2316,6 +2316,17 @@
                        ) {
                                $errors[] = [ 'delete-toobig', 
$wgLang->formatNum( $wgDeleteRevisionsLimit ) ];
                        }
+               } elseif ( $action === 'undelete' ) {
+                       if ( count( $this->getUserPermissionsErrorsInternal( 
'edit', $user, $rigor, true ) ) ) {
+                               // Undeleting implies editing
+                               $errors[] = [ 'undelete-cantedit' ];
+                       }
+                       if ( !$this->exists()
+                               && count( 
$this->getUserPermissionsErrorsInternal( 'create', $user, $rigor, true ) )
+                       ) {
+                               // Undeleting where nothing currently exists 
implies creating
+                               $errors[] = [ 'undelete-cantcreate' ];
+                       }
                }
                return $errors;
        }
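
Review bot: In the new elseif ( $action === 'undelete' ) branch, the arrays returned by getUserPermissionsErrorsInternal() for 'edit' and 'create' are only passed to count() and then replaced by the fixed keys 'undelete-cantedit' and 'undelete-cantcreate', so a caller cannot tell which restriction actually blocked the undelete. Consider keeping the underlying errors alongside the new key, or add a comment stating that the detail is dropped on purpose. For a title that does not exist, both keys can be appended in one pass; if that is intended, a short comment would help. The file list for this change also contains no test file; a test that covers an existing title the user cannot edit and a non-existing title the user cannot create would pin down this security check.
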
diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php
index 952e008..3aa7b60 100644
--- a/includes/api/ApiUndelete.php
+++ b/includes/api/ApiUndelete.php
@@ -33,7 +33,6 @@
                $this->useTransactionalTimeLimit();
 
                $params = $this->extractRequestParams();
-               $this->checkUserRightsAny( 'undelete' );
 
                $user = $this->getUser();
                if ( $user->isBlocked() ) {
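
Review bot: Removing $this->checkUserRightsAny( 'undelete' ) here means the only remaining gate on the undelete right itself is the userCan( 'undelete', ... ) call added further down, and the Title.php hunk in this change only adds the edit and create checks. Please confirm, ideally with a test, that userCan( 'undelete' ) still rejects a user who lacks the undelete right. The order of checks also changes: such a user now reaches the isBlocked() and title validation branches first, so they receive a block or invalid-title error before any permission denial. If the earlier fail-fast behaviour is wanted, keep the rights check at the top and add the title-level check after the title is parsed.
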
@@ -45,6 +44,10 @@
                        $this->dieWithError( [ 'apierror-invalidtitle', 
wfEscapeWikiText( $params['title'] ) ] );
                }
 
+               if ( !$titleObj->userCan( 'undelete', $user, 'secure' ) ) {
+                       $this->dieWithError( 'permdenied-undelete' );
+               }
+
                // Check if user can add tags
                if ( !is_null( $params['tags'] ) ) {
                        $ableToTag = ChangeTags::canAddTagsAccompanyingChange( 
$params['tags'], $user );
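
Review bot: The new check at if ( !$titleObj->userCan( 'undelete', $user, 'secure' ) ) always dies with 'permdenied-undelete', so API clients never see the 'undelete-cantedit' or 'undelete-cantcreate' messages introduced by this same change and cannot distinguish a missing undelete right from a page they are not allowed to edit or create. Consider fetching the error list with getUserPermissionsErrors() and reporting those errors instead of the single generic message.
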
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index a44ff92..d4196b0 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -4291,5 +4291,7 @@
        "rawhtml-notallowed": "<html> tags cannot be used outside of 
normal pages.",
        "gotointerwiki": "Leaving {{SITENAME}}",
        "gotointerwiki-invalid": "The specified title was invalid.",
-       "gotointerwiki-external": "You are about to leave {{SITENAME}} to visit 
[[$2]] which is a separate website.\n\n[$1 Click here to continue on to $1]."
+       "gotointerwiki-external": "You are about to leave {{SITENAME}} to visit 
[[$2]] which is a separate website.\n\n[$1 Click here to continue on to $1].",
+       "undelete-cantedit": "You cannot undelete this page as you are not 
allowed to edit this page.",
+       "undelete-cantcreate": "You cannot undelete this page as there is no 
existing page with this name and you are not allowed to create this page."
 }
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index 5adfecd..fc1994b 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -4478,5 +4478,7 @@
        "rawhtml-notallowed": "Error message given when $wgRawHtml = true; is 
set and a user uses an <html> tag in a system message or somewhere other 
than a normal page.",
        "gotointerwiki": 
"{{doc-special|GoToInterwiki}}\n\nSpecial:GoToInterwiki is a warning page 
displayed before redirecting users to external interwiki links. Its triggered 
by people going to something like [[Special:Search/google:foo]].",
        "gotointerwiki-invalid": "Message shown on Special:GoToInterwiki if 
given an invalid title.",
-       "gotointerwiki-external": "Message shown on Special:GoToInterwiki if 
given a external interwiki link (e.g. [[Special:GoToInterwiki/Google:Foo]]). $1 
is the full url the user is trying to get to. $2 is the text of the interwiki 
link (e.g. \"Google:foo\")."
+       "gotointerwiki-external": "Message shown on Special:GoToInterwiki if 
given a external interwiki link (e.g. [[Special:GoToInterwiki/Google:Foo]]). $1 
is the full url the user is trying to get to. $2 is the text of the interwiki 
link (e.g. \"Google:foo\").",
+       "undelete-cantedit": "Shown if the user tries to undelete a page that 
they cannot edit",
+       "undelete-cantcreate": "Shown if the user tries to undelete a page 
which currently does not exist, and they are not allowed to create it. This 
could for example happen on a wiki with custom protection levels where the page 
name has been create-protected and the user has the right to undelete but not 
the right to edit protected pages."
 }
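
Review bot: The qqq entries for "undelete-cantedit" and "undelete-cantcreate" do not tell translators where the text appears. According to the commit message, the backend functions return these messages but Special:Undelete currently ignores them, so they may only surface through extensions. Adding that context, and a cross-reference between the two messages, would make the documentation more useful.
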

-- 
To view, visit https://gerrit.wikimedia.org/r/346847
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I164b80534cf89e0afca264e9de07431484af8508
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Siebrand <siebr...@kitano.nl>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
