jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/346851 )
Change subject: SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited" ...................................................................... SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited" Bug: T150044 Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661 --- M RELEASE-NOTES-1.27 M includes/specials/SpecialWatchlist.php 2 files changed, 4 insertions(+), 0 deletions(-) Approvals: Reedy: Looks good to me, approved jenkins-bot: Verified diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 1a054a5..d6cfebf 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -29,6 +29,8 @@ $wgAdvancedSearchHighlighting is true. * (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs. +* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF + token. == MediaWiki 1.27.1 == diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php index 15691f2..fcc0c91 100644 --- a/includes/specials/SpecialWatchlist.php +++ b/includes/specials/SpecialWatchlist.php @@ -76,6 +76,7 @@ if ( ( $config->get( 'EnotifWatchlist' ) || $config->get( 'ShowUpdatedMarker' ) ) && $request->getVal( 'reset' ) && $request->wasPosted() + && $user->matchEditToken( $request->getVal( 'token' ) ) ) { $user->clearAllNotifications(); $output->redirect( $this->getPageTitle()->getFullURL( $opts->getChangedValues() ) ); @@ -604,6 +605,7 @@ 'action' => $this->getPageTitle()->getLocalURL(), 'id' => 'mw-watchlist-resetbutton' ] ) . "\n" . Xml::submitButton( $this->msg( 'enotif_reset' )->text(), [ 'name' => 'dummy' ] ) . "\n" . + Html::hidden( 'token', $user->getEditToken() ) . "\n" . Html::hidden( 'reset', 'all' ) . "\n"; foreach ( $nondefaults as $key => $value ) { $form .= Html::hidden( $key, $value ) . "\n"; -- To view, visit https://gerrit.wikimedia.org/r/346851 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7f75cab4ceb4a2c320af210fad15956b70c29661 Gerrit-PatchSet: 2 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_27 Gerrit-Owner: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Bartosz DziewoĆski <matma....@gmail.com> Gerrit-Reviewer: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Florianschmidtwelzow <florian.schmidt.stargatewis...@gmail.com> Gerrit-Reviewer: Reedy <re...@wikimedia.org> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits