Revision: 51767 Author: dale Date: 2009-06-11 22:41:06 +0000 (Thu, 11 Jun 2009)
Log Message:
-----------
added token to upload api & Special:Upload page.
* this avoids cross-site credential exposure / DOS vector for upload-by-url support
* also avoids cross-site POST image data upload with credentials exposure. (ie no custom HTTPRequest POST request packaging (using Canvas raw-pixel-data) and HTML5 browsers Canvas.toDataURL("image/jpeg") function to upload an image with someone else's cookies from an external site)

Modified Paths:
--------------
    branches/new-upload/phase3/includes/api/ApiUpload.php
    branches/new-upload/phase3/includes/specials/SpecialUpload.php
    branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js
    branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js
    branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js
    branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js
    branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css

Modified: branches/new-upload/phase3/includes/api/ApiUpload.php
===================================================================
--- branches/new-upload/phase3/includes/api/ApiUpload.php	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/includes/api/ApiUpload.php	2009-06-11 22:41:06 UTC (rev 51767)
@@ -41,17 +41,19 @@
 	public function execute() {
 		global $wgUser;
-		//do token checks:
-		/*if(is_null($params['token']))
-			$this->dieUsageMsg(array('missingparam', 'token'));
-		if(!$wgUser->matchEditToken($params['token']))
-			$this->dieUsageMsg(array('sessionfailure'));
-		*/
 		$this->getMain()->isWriteMode();
 		$this->mParams = $this->extractRequestParams();
 		$request = $this->getMain()->getRequest();
+		//do token checks:
+		print_r($this->mParams);
+		if(is_null($this->mParams['token']))
+			$this->dieUsageMsg(array('missingparam', 'token'));
+		if(!$wgUser->matchEditToken($this->mParams['token']))
+			$this->dieUsageMsg(array('sessionfailure'));
+
+
 		// Add the uploaded file to the params array
 		$this->mParams['file'] = $request->getFileName( 'file' );

Modified: branches/new-upload/phase3/includes/specials/SpecialUpload.php
===================================================================
--- branches/new-upload/phase3/includes/specials/SpecialUpload.php	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/includes/specials/SpecialUpload.php	2009-06-11 22:41:06 UTC (rev 51767)
@@ -33,7 +33,7 @@
 	# extensions should take care to _append_ to the present value
 	var $uploadFormTextTop;
 	var $uploadFormTextAfterSummary;
-
+	var $mTokenOk = false;
 	/*...@-*/
 	/**
@@ -120,6 +120,18 @@
 			$wgOut->readOnlyPage();
 			return;
 		}
+		//check token if uploading or reUploading
+		if( !$this->mTokenOk && !$this->mReUpload && ($this->mUpload && (
+				'submit' == $this->mAction ||
+				$this->mUploadClicked
+				)
+			)
+		){
+			$this->mainUploadForm ( wfMsg( 'session_fail_preview' ) );
+			return ;
+		}
+
+
 		if( $this->mReUpload ) {
 			// User choose to cancel upload
 			if( !$this->mUpload->unsaveUploadedFile() ) {
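Review bot: `print_r($this->mParams);` in execute() is leftover debug output: it dumps the submitted parameter array, including the caller's token, into the HTTP response before the API's own serialised output, which corrupts the JSON/XML payload the JS clients parse and echoes the token in the body. Drop that line. The check itself now runs after extractRequestParams(), which is the right order, but `$this->mParams['token']` only behaves as intended if 'token' is declared in getAllowedParams() (outside this hunk); otherwise the key is absent rather than null and the is_null() test raises a notice before dying. execute() continues past the end of this hunk.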
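Review bot: The comment says the token is checked "if uploading or reUploading", but the condition contains `!$this->mReUpload`, so the cancel path immediately below (`$this->mUpload->unsaveUploadedFile()`, which discards the stashed file) runs with no token check and stays reachable from a cross-site POST. Unless that branch is guarded elsewhere, the condition should be `if( !$this->mTokenOk && ( $this->mReUpload || ( $this->mUpload && ( 'submit' == $this->mAction || $this->mUploadClicked ) ) ) ){`. `$mTokenOk` is declared with a default of false in the earlier hunk but nothing in this diff assigns it, so presumably the constructor or request loader does; worth confirming, since otherwise every submit is rejected with session_fail_preview. The enclosing method starts before this hunk.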
@@ -539,10 +551,14 @@
 		} else {
 			$copyright = '';
 		}
+		//add the wpEditToken
+		$token = htmlspecialchars( $wgUser->editToken() );
+		$tokenInput = "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n";
 		$wgOut->addHTML( Xml::openElement( 'form', array( 'method' => 'post',
 			'action' => $titleObj->getLocalURL( 'action=submit' ),
 			'enctype' => 'multipart/form-data', 'id' => 'uploadwarning' ) ) . "\n" .
+			$tokenInput .
 			Xml::hidden( 'wpIgnoreWarning', '1' ) . "\n" .
 			Xml::hidden( 'wpSourceType', 'stash' ) . "\n" .
 			Xml::hidden( 'wpSessionKey', $this->mSessionKey ) . "\n" .
@@ -733,9 +749,6 @@
 			"<input tabindex='1' type='file' name='wpUploadFile' id='wpUploadFile' size='60' />" .
 			"<input type='hidden' name='wpSourceType' value='upload' />" ;
 		}
-		//add the wpEditToken
-		$token = htmlspecialchars( $wgUser->editToken() );
-		$wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
 		if ( $useAjaxDestCheck ) {
 			$warningRow = "<tr><td colspan='2' id='wpDestFile-warning'> </td></tr>";
@@ -749,9 +762,14 @@
 		$encComment = htmlspecialchars( $this->mComment );
+		//add the wpEditToken
+		$token = htmlspecialchars( $wgUser->editToken() );
+		$tokenInput = "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n";
+
 		$wgOut->addHTML( Xml::openElement( 'form', array( 'method' => 'post',
 			'action' => $titleObj->getLocalURL(),
 			'enctype' => 'multipart/form-data', 'id' => 'mw-upload-form' ) ) .
+			$tokenInput .
 			Xml::openElement( 'fieldset' ) .
 			Xml::element( 'legend', null, wfMsg( 'upload' ) ) .
 			Xml::openElement( 'table', array( 'border' => '0', 'id' => 'mw-upload-table' ) ) .

Modified: branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvBaseUploadInterface.js	2009-06-11 22:41:06 UTC (rev 51767)
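Review bot: The token field for the warning form is assembled by hand (`$tokenInput = "\n<input type='hidden' ...`) while every neighbouring hidden field in the same concatenation goes through Xml::hidden(); `Xml::hidden( 'wpEditToken', $wgUser->editToken() ) . "\n" .` produces the same element, does its own escaping and removes the `$token`/`$tokenInput` temporaries. The identical hand-rolled pattern is added again for mw-upload-form in the @@ -749 hunk below. Whether `$wgUser` is declared global in this method is not visible here; the removed code in @@ -733 lived in a different method, so check the method's `global` line before relying on it.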
@@ -53,6 +53,8 @@
 	warnings_sessionkey:null,
 	chunks_supported:false,
 	form_post_override:false,
+	//the edit token:
+	etoken:false,
 	init: function( iObj ){
 		if(!iObj)
 			iObj = {};
@@ -194,6 +196,11 @@
 			'comment'	: $j('#wpUploadDescription').val(),
 			'asyncdownload': true
 		}
+		//check for editToken
+		_this.etoken = $j("input[name='wpEditToken']").val();
+		if(_this.etoken)
+			req['token'] = _this.etoken;
+
 		for(var i in opt){
 			req[i]= opt[i];
 		}
@@ -208,12 +215,17 @@
 		var _this = this;
 		if( !_this.upload_session_key )
 			return js_error('missing upload_session_key (can\'t ignore warnigns');
-		//do the ignore warnings submit to the api:
-		do_api_req({
-			'data':{
+		//do the ignore warnings submit to the api:
+		var req = {
 				'ignorewarnings' : 'true',
 				'sessionkey'	:!_this.upload_session_key
-			},
+		};
+		//add token if present:
+		if(this.etoken)
+			req['token'] = this.etoken;
+
+		do_api_req({
+			'data':req,
 			'url': _this.api_url
 		},function(data){
 			_this.processApiResult(data);
@@ -224,15 +236,19 @@
 		//set up the progress display for status updates:
 		_this.dispProgressOverlay();
-
+		var req ={
+			'action'	: 'upload',
+			'httpstatus' : 'true',
+			'sessionkey' : _this.upload_session_key
+		};
+		//add token if present:
+		if(this.etoken)
+			req['token'] = this.etoken;
+
 		var uploadStatus = function(){
 			//do the api request:
 			do_api_req({
-				'data':{
-					'action'	: 'upload',
-					'httpstatus' : 'true',
-					'sessionkey' : _this.upload_session_key
-				},
+				'data':req,
 				'url'	: _this.api_url
 			}, function( data ){
 				//@@check if we are done
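Review bot: `_this.etoken = $j("input[name='wpEditToken']").val();` yields undefined when the page has no token field, and the `if(_this.etoken)` guard then quietly sends the request without a token; since ApiUpload now rejects every request lacking one, the failure only surfaces as a server-side 'missingparam' error after the upload attempt. Failing early here in the style of the session-key check in the ignore-warnings method (`return js_error('missing wpEditToken');`) gives a clearer diagnosis. The same silent fallback is added for `_this.formData['wpEditToken']` in mvFirefogg.js (@@ -429). The enclosing method starts before this hunk.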
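Review bot: The new token lines use `this.etoken` although the method has already aliased `var _this = this;` and uses `_this` for everything else; `if(_this.etoken) req['token'] = _this.etoken;` keeps them consistent, and the same applies to the status-poll hunk below (@@ -224). It works today only because the assignment runs before any callback rebinds `this`. While this request object is being rebuilt, the carried-over `'sessionkey'	:!_this.upload_session_key` sends the boolean negation of the key rather than the key itself, so the ignore-warnings request can never refer to the stashed upload; that looks like a pre-existing typo that belongs in the same fix (`'sessionkey' : _this.upload_session_key`).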
@@ -331,16 +347,20 @@
 			};
 			_this.updateProgressWin( gM('uploaderror'), gM('unknown-error') + '<br>' + error_msg, bObj);
 		}else{
-			gMsgLoadRemote(error_code, function(){
-				js_log('send msg: ' + gM( error_code ));
-				var bObj = {};
-				bObj[gM('return-to-form')] = function(){
-					$(this).dialog('close');
-				};
-				_this.updateProgressWin( gM('uploaderror'), gM( error_code ),bObj);
-			});
-			js_log("api.erorr");
-			return ;
+			if( apiRes.error.info ){
+				_this.updateProgressWin( gM('uploaderror'), apiRes.error.info ,bObj);
+			}else{
+				gMsgLoadRemote(error_code, function(){
+					js_log('send msg: ' + gM( error_code ));
+					var bObj = {};
+					bObj[gM('return-to-form')] = function(){
+						$(this).dialog('close');
+					};
+					_this.updateProgressWin( gM('uploaderror'), gM( error_code ),bObj);
+				});
+				js_log("api.erorr");
+				return ;
+			}
 		}
 	}
 	//check for upload_session key for async upload:

Modified: branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libAddMedia/mvFirefogg.js	2009-06-11 22:41:06 UTC (rev 51767)
@@ -429,6 +429,10 @@
 			'comment'	: _this.formData['wpUploadDescription'],
 			'enablechunks': true
 		};
+		//check for editToken:
+		var etoken = _this.formData['wpEditToken'];
+		if(etoken)
+			aReq['token'] = etoken;
 		if( _this.formData['wpWatchthis'] )
 			aReq['watch'] = _this.formData['wpWatchthis'];

Modified: branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/embedVideo.js	2009-06-11 22:41:06 UTC (rev 51767)
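Review bot: The new `if( apiRes.error.info )` branch displays the error but, unlike the gMsgLoadRemote branch beside it, never executes `return ;`, so control falls through to the upload_session_key handling below as though the API call had succeeded; add `return ;` after the updateProgressWin call. `bObj` in that branch is not declared inside this else-block; it relies on a `var bObj` earlier in the function, and if that declaration only runs on the sibling path above, the value here is undefined and the dialog gets no return-to-form button, so build the button object in this branch as the callback does. Also note that `apiRes.error.info` is rendered into the progress window as HTML alongside the existing `'<br>'` markup; it comes from the wiki's own API rather than from another user, so this is a consistency point rather than an injection one. The enclosing function starts before this hunk.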
@@ -477,7 +477,7 @@
 			}
 		},
 		'time_display':{
-			'w':95,
+			'w':90,
 			'o':function(){
 				return '<div id="mv_time_'+ctrlBuilder.id+'" class="ui-widget time">' + ctrlBuilder.embedObj.getTimeReq() + '</div>';
 			}

Modified: branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/libEmbedVideo/vlcEmbed.js	2009-06-11 22:41:06 UTC (rev 51767)
@@ -219,15 +219,16 @@
 		}
 	},
 	stop : function(){
-		js_log(this.vlc);
-		if(typeof this.vlc != 'undefined' ){
-			if(typeof this.vlc.playlist != 'undefined'){
-				//dont' stop (issues all the plugin-stop actions)
-				//this.vlc.playlist.stop();
-				if( this.monitorTimerId != 0 )
-				{
-					clearInterval(this.monitorTimerId);
-					this.monitorTimerId = 0;
+		if(this.vlc){
+			if(typeof this.vlc != 'undefined' ){
+				if(typeof this.vlc.playlist != 'undefined'){
+					//dont' stop (issues all the plugin-stop actions)
+					//this.vlc.playlist.stop();
+					if( this.monitorTimerId != 0 )
+					{
+						clearInterval(this.monitorTimerId);
+						this.monitorTimerId = 0;
+					}
 				}
 			}
 		}

Modified: branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css
===================================================================
--- branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css	2009-06-11 22:28:37 UTC (rev 51766)
+++ branches/new-upload/phase3/js2/mwEmbed/skins/mvpcf/styles.css	2009-06-11 22:41:06 UTC (rev 51767)
@@ -146,7 +146,7 @@
 	list-style:none outside none;
 	margin:2px;
 	padding:4px 0;
-	width: 24px;
+	width: 23px;
 	height:16px;
 	position:relative;
 }
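Review bot: In vlcEmbed.js stop(), the new outer `if(this.vlc){` already guarantees `typeof this.vlc != 'undefined'`, so the inner typeof check it now wraps is dead and only adds a nesting level; `if( this.vlc && this.vlc.playlist ){` covers both conditions and lets the body lose two indent levels. Removing the stray `js_log(this.vlc)` is fine. stop() is entirely within this hunk.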
@@ -194,8 +194,8 @@
 	line-height: 32px;
 	height: 29px;
 	overflow: visible;
-	font-size: 10.4px;
-	width: 95px;
+	font-size: 10.2px;
+	width: 80px;
 	float: right;
 	display: inline;
 	border:none;

_______________________________________________
MediaWiki-CVS mailing list
MediaWiki-CVS@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-cvs