Revision: 51767
Author:   dale
Date:     2009-06-11 22:41:06 +0000 (Thu, 11 Jun 2009)

Log Message:
-----------
added token to upload api & Special:Upload page. 
* this avoids cross-site credential exposure / DOS vector for upload-by-url 
support
* also avoids cross-site POST image data upload with credentials exposure (i.e. 
no custom HTTPRequest POST request packaging (using Canvas raw-pixel-data) and 
HTML5 browsers' Canvas.toDataURL("image/jpeg") function to upload an image with 
someone else's cookies from an external site)

Modified Paths:
--------------
    branches/new-upload/phase3/includes/api/ApiUpload.php
    branches/new-upload/phase3/includes/specials/SpecialUpload.php
    branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js
    branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js
    branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js
    branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js
    branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css

Modified: branches/new-upload/phase3/includes/api/ApiUpload.php
===================================================================
--- branches/new-upload/phase3/includes/api/ApiUpload.php       2009-06-11 
22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/includes/api/ApiUpload.php       2009-06-11 
22:41:06 UTC (rev 51767)
@@ -41,17 +41,19 @@
        public function execute() {
                global $wgUser;
 
-               //do token checks:
-               /*if(is_null($params['token']))
-                       $this->dieUsageMsg(array('missingparam', 'token'));
-               if(!$wgUser->matchEditToken($params['token']))
-                       $this->dieUsageMsg(array('sessionfailure'));
-               */
 
                $this->getMain()->isWriteMode();
                $this->mParams = $this->extractRequestParams();
                $request = $this->getMain()->getRequest();
 
+               //do token checks:
+               print_r($this->mParams);
+               if(is_null($this->mParams['token']))
+                       $this->dieUsageMsg(array('missingparam', 'token'));
+               if(!$wgUser->matchEditToken($this->mParams['token']))
+                       $this->dieUsageMsg(array('sessionfailure'));
+
+
                // Add the uploaded file to the params array
                $this->mParams['file'] = $request->getFileName( 'file' );
 
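Review bot: `print_r($this->mParams);` on the line before the token check is debug output left in the API entry point: it dumps the whole request parameter array (token included) as raw text ahead of the structured API response, so every upload call returns corrupted output; drop that line. The `is_null($this->mParams['token'])` test also relies on `token` being declared in the module's allowed parameters so that the key is always present; if it is not (not visible here), a request without a token produces an undefined-index notice instead of the intended `missingparam` error. execute() continues past the end of the hunk.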

Modified: branches/new-upload/phase3/includes/specials/SpecialUpload.php
===================================================================
--- branches/new-upload/phase3/includes/specials/SpecialUpload.php      
2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/includes/specials/SpecialUpload.php      
2009-06-11 22:41:06 UTC (rev 51767)
@@ -33,7 +33,7 @@
        # extensions should take care to _append_ to the present value
        var $uploadFormTextTop;
        var $uploadFormTextAfterSummary;
-
+    var $mTokenOk = false;
        /*...@-*/
 
        /**
@@ -120,6 +120,18 @@
                        $wgOut->readOnlyPage();
                        return;
                }
+               //check token if uploading or reUploading
+               if( !$this->mTokenOk && !$this->mReUpload && ($this->mUpload && 
(
+                                               'submit' == $this->mAction ||
+                                               $this->mUploadClicked
+                                       )
+                               )
+               ){
+                   $this->mainUploadForm ( wfMsg( 'session_fail_preview' ) );
+                   return ;
+               }
+
+
                if( $this->mReUpload ) {
                        // User choose to cancel upload
                        if( !$this->mUpload->unsaveUploadedFile() ) {
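Review bot: `$this->mTokenOk` is initialised to `false` in the previous hunk, but nothing in this commit ever assigns it from the posted `wpEditToken` via `$wgUser->matchEditToken()`; unless that happens in a part of the class outside this diff, every form submit is now rejected with `session_fail_preview`, so the assignment should be added (or shown) alongside this check. The `!$this->mReUpload` clause also exempts the cancel path, which calls `unsaveUploadedFile()` a few lines below and is therefore still state-changing without a token; dropping that clause would cover it with the same check. Minor: the new lines mix space and tab indentation (here and the `var $mTokenOk` declaration) where the file uses tabs. The enclosing method starts and ends outside the hunk.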
@@ -539,10 +551,14 @@
                } else {
                        $copyright = '';
                }
+        //add the wpEditToken
+               $token = htmlspecialchars( $wgUser->editToken() );
+               $tokenInput = "\n<input type='hidden' value=\"$token\" 
name=\"wpEditToken\" />\n";
 
                $wgOut->addHTML(
                        Xml::openElement( 'form', array( 'method' => 'post', 
'action' => $titleObj->getLocalURL( 'action=submit' ),
                                 'enctype' => 'multipart/form-data', 'id' => 
'uploadwarning' ) ) . "\n" .
+                       $tokenInput .
                        Xml::hidden( 'wpIgnoreWarning', '1' ) . "\n" .
                        Xml::hidden( 'wpSourceType', 'stash' ) . "\n" .
                        Xml::hidden( 'wpSessionKey', $this->mSessionKey ) . 
"\n" .
@@ -733,9 +749,6 @@
                                "<input tabindex='1' type='file' 
name='wpUploadFile' id='wpUploadFile' size='60' />" .
                                "<input type='hidden' name='wpSourceType' 
value='upload' />" ;
                }
-               //add the wpEditToken
-               $token = htmlspecialchars( $wgUser->editToken() );
-               $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" 
name=\"wpEditToken\" />\n" );
 
                if ( $useAjaxDestCheck ) {
                        $warningRow = "<tr><td colspan='2' 
id='wpDestFile-warning'>&nbsp;</td></tr>";
@@ -749,9 +762,14 @@
 
                $encComment = htmlspecialchars( $this->mComment );
 
+           //add the wpEditToken
+               $token = htmlspecialchars( $wgUser->editToken() );
+               $tokenInput = "\n<input type='hidden' value=\"$token\" 
name=\"wpEditToken\" />\n";
+
                $wgOut->addHTML(
                         Xml::openElement( 'form', array( 'method' => 'post', 
'action' => $titleObj->getLocalURL(),
                                 'enctype' => 'multipart/form-data', 'id' => 
'mw-upload-form' ) ) .
+                        $tokenInput .
                         Xml::openElement( 'fieldset' ) .
                         Xml::element( 'legend', null, wfMsg( 'upload' ) ) .
                         Xml::openElement( 'table', array( 'border' => '0', 
'id' => 'mw-upload-table' ) ) .

Modified: 
branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js 
2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js 
2009-06-11 22:41:06 UTC (rev 51767)
@@ -53,6 +53,8 @@
        warnings_sessionkey:null,
        chunks_supported:false,
        form_post_override:false,
+       //the edit token:
+       etoken:false,
        init: function( iObj ){
                if(!iObj)
                        iObj = {};
@@ -194,6 +196,11 @@
                           'comment'    : $j('#wpUploadDescription').val(),
                           'asyncdownload': true        
                }
+               //check for editToken
+               _this.etoken = $j("input[name='wpEditToken']").val();
+               if(_this.etoken)
+                       req['token'] = _this.etoken;
+                       
                for(var i in opt){                      
                  req[i]= opt[i];
                }                               
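Review bot: `_this.etoken` is populated only here, by reading the form, yet the next two hunks reuse `this.etoken` for the ignore-warnings and status requests; if either of those runs on an instance before this method has, the token is silently omitted and the API, which now requires it, answers `missingparam`. A small accessor that falls back to the form would make the three call sites independent of order: `getEditToken: function(){ return this.etoken || $j("input[name='wpEditToken']").val(); }`. Note that `.val()` yields `undefined` when no field matches, not the `false` the property initialiser suggests; harmless for the truthiness tests but worth a comment. The `for (var i in opt)` loop below still lets caller options override `req.token`, which looks intended.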
@@ -208,12 +215,17 @@
                var _this = this;
                if( !_this.upload_session_key )
                        return js_error('missing upload_session_key (can\'t 
ignore warnigns');
-               //do the ignore warnings submit to the api: 
-               do_api_req({
-                       'data':{
+               //do the ignore warnings submit to the api:
+               var req = {
                                'ignorewarnings' : 'true',
                                'sessionkey'     :!_this.upload_session_key
-                       },
+                       };
+               //add token if present:                 
+               if(this.etoken)
+                       req['token'] = this.etoken;
+                        
+               do_api_req({
+                       'data':req,
                        'url': _this.api_url
                },function(data){
                        _this.processApiResult(data);
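Review bot: `'sessionkey' : !_this.upload_session_key` sends the negated boolean rather than the session key; the line is context rather than new, but since the request object is being rebuilt here this is the moment to change it to `'sessionkey' : _this.upload_session_key`. The guard message above it also reads `warnigns` and is missing its closing parenthesis. The enclosing function starts outside the hunk.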
@@ -224,15 +236,19 @@
                
                //set up the progress display for status updates: 
                _this.dispProgressOverlay();
-               
+               var req ={
+                                       'action'         : 'upload',
+                                       'httpstatus' : 'true',
+                                       'sessionkey' : _this.upload_session_key
+                               };
+               //add token if present:                 
+               if(this.etoken)
+                       req['token'] = this.etoken;
+                       
                var uploadStatus = function(){
                        //do the api request: 
                        do_api_req({
-                               'data':{
-                                       'action'         : 'upload',
-                                       'httpstatus' : 'true',
-                                       'sessionkey' : _this.upload_session_key
-                               },
+                               'data':req,
                                'url' : _this.api_url
                        }, function( data ){                                    
                                
                                //@@check if we are done
@@ -331,16 +347,20 @@
                                 };     
                                _this.updateProgressWin( gM('uploaderror'), 
gM('unknown-error') + '<br>' + error_msg, bObj);    
                        }else{
-                               gMsgLoadRemote(error_code, function(){
-                                       js_log('send msg: ' + gM( error_code ));
-                                       var bObj = {};
-                                       bObj[gM('return-to-form')] = function(){
-                                                       $(this).dialog('close');
-                                       };
-                                       _this.updateProgressWin(  
gM('uploaderror'), gM( error_code ),bObj);
-                               });             
-                               js_log("api.erorr");            
-                               return ;        
+                               if( apiRes.error.info ){
+                                       _this.updateProgressWin(  
gM('uploaderror'), apiRes.error.info ,bObj);
+                               }else{
+                                       gMsgLoadRemote(error_code, function(){
+                                               js_log('send msg: ' + gM( 
error_code ));
+                                               var bObj = {};
+                                               bObj[gM('return-to-form')] = 
function(){
+                                                               
$(this).dialog('close');
+                                               };
+                                               _this.updateProgressWin(  
gM('uploaderror'), gM( error_code ),bObj);
+                                       });             
+                                       js_log("api.erorr");            
+                                       return ;        
+                               }
                        }       
                }
                //check for upload_session key for async upload:
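Review bot: In the new `apiRes.error.info` branch, `bObj` is passed to `updateProgressWin` but is not assigned on this path — the `var bObj = {}` declarations visible are in the sibling branches, so with function-scoped `var` the dialog receives an unset value; add `var bObj = {}; bObj[gM('return-to-form')] = function(){ $(this).dialog('close'); };` before the call. The branch also drops the `return` that the replaced code had, so execution continues into the upload_session key check after an error has already been shown — confirm that is intended. `apiRes.error.info` is server-supplied text rendered into a window the sibling branch fills with markup (`'<br>'`), so it should be inserted as text or escaped rather than treated as HTML. The enclosing function starts and ends outside the hunk.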

Modified: branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js    
2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js    
2009-06-11 22:41:06 UTC (rev 51767)
@@ -429,6 +429,10 @@
                        'comment'       : _this.formData['wpUploadDescription'],
                        'enablechunks': true
                };
+               //check for editToken:
+               var etoken = _this.formData['wpEditToken'];
+               if(etoken)
+                       aReq['token'] = etoken;
                
                if( _this.formData['wpWatchthis'] )
                        aReq['watch'] =  _this.formData['wpWatchthis'];

Modified: branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js  
2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js  
2009-06-11 22:41:06 UTC (rev 51767)
@@ -477,7 +477,7 @@
                        }
                },
                'time_display':{
-                       'w':95,
+                       'w':90,
                        'o':function(){
                                return '<div id="mv_time_'+ctrlBuilder.id+'" 
class="ui-widget time">' + ctrlBuilder.embedObj.getTimeReq() + '</div>';
                        }

Modified: branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js    
2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js    
2009-06-11 22:41:06 UTC (rev 51767)
@@ -219,15 +219,16 @@
                }               
        },
        stop : function(){
-               js_log(this.vlc);
-               if(typeof this.vlc != 'undefined' ){
-                       if(typeof this.vlc.playlist != 'undefined'){
-                               //dont' stop (issues all the plugin-stop 
actions) 
-                               //this.vlc.playlist.stop();
-                               if( this.monitorTimerId != 0 )
-                               {
-                                       clearInterval(this.monitorTimerId);
-                                       this.monitorTimerId = 0;
+               if(this.vlc){
+                       if(typeof this.vlc != 'undefined' ){
+                               if(typeof this.vlc.playlist != 'undefined'){
+                                       //dont' stop (issues all the 
plugin-stop actions) 
+                                       //this.vlc.playlist.stop();
+                                       if( this.monitorTimerId != 0 )
+                                       {
+                                               
clearInterval(this.monitorTimerId);
+                                               this.monitorTimerId = 0;
+                                       }
                                }
                        }
                }
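Review bot: The new `if(this.vlc)` guard makes the inner `typeof this.vlc != 'undefined'` check redundant (a truthy value cannot be undefined), so the body now sits one level deeper for no extra condition. Collapsing the two outer checks to `if( this.vlc && typeof this.vlc.playlist != 'undefined' ){` keeps the same behaviour with less nesting. stop()'s closing brace is past the end of the hunk.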

Modified: branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css       
2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css       
2009-06-11 22:41:06 UTC (rev 51767)
@@ -146,7 +146,7 @@
        list-style:none outside none;
        margin:2px;
        padding:4px 0;
-       width: 24px;
+       width: 23px;
        height:16px;
        position:relative;
 }
@@ -194,8 +194,8 @@
        line-height: 32px;
        height: 29px;
        overflow: visible;
-       font-size: 10.4px;
-       width: 95px;
+       font-size: 10.2px;
+       width: 80px;
        float: right;
        display: inline;
        border:none;


