[MediaWiki-commits] [Gerrit] Add token parameter to SF Autoedit API - change (mediawiki...SemanticForms)

2014-03-28 Thread Pawanseerwani (Code Review)
Pawanseerwani has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/121698

Change subject: Add token parameter to SF Autoedit API
..

Add token parameter to SF Autoedit API

Currently no such token is used, which is a security issue. This patch requires
the API to have a token parameter, which is used to ensure it is an authentic
change.

Bug: 51505
Change-Id: Iee5b12763386da5d4dd9e3c5cfa18262e929ce61
---
M SemanticForms.php
M includes/SF_AutoeditAPI.php
2 files changed, 14 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/SemanticForms 
refs/changes/98/121698/1

diff --git a/SemanticForms.php b/SemanticForms.php
index 9414d83..c35d49b 100644
--- a/SemanticForms.php
+++ b/SemanticForms.php
@@ -81,6 +81,10 @@
 define( 'SF_SP_PAGE_HAS_DEFAULT_FORM', 4 );
 define( 'SF_SP_HAS_FIELD_LABEL_FORMAT', 5 );
 
+// Constant for incorrect-edit-token
+
+define( 'SF_INCORRECT_EDIT_TOKEN', 6 );
+
 /**
  * This is a delayed init that makes sure that MediaWiki is set up
  * properly before we add our stuff.
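Review bot: The new constant's value is compared in the same `switch ( $status->value )` as the `EditPage::AS_*` status codes, but nothing here ties the value `6` to that namespace, and its placement continues the `SF_SP_*` sequence, which describes special-property flags rather than save results. Either pick a value from a clearly separate range and document in the comment that it must not overlap any `EditPage::AS_*` code, or avoid a numeric status altogether. Also drop the blank line between `// Constant for incorrect-edit-token` and the `define`, so the comment stays attached to what it documents.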
diff --git a/includes/SF_AutoeditAPI.php b/includes/SF_AutoeditAPI.php
index 2933a8d..23714a1 100644
--- a/includes/SF_AutoeditAPI.php
+++ b/includes/SF_AutoeditAPI.php
@@ -355,7 +355,7 @@
'wpSummary' => '',
'wpStarttime' => wfTimestampNow(),
'wpEdittime' => '',
-   'wpEditToken' => $wgUser->isLoggedIn() 
? $wgUser->editToken() : EDIT_TOKEN_SUFFIX,
+   'wpEditToken' => 
$this->mOptions['token'],
'action' => 'submit',
),
$this->mOptions
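Review bot: `$this->mOptions['token']` is read without an `isset` check, so a request that omits the parameter raises a PHP notice before the token is ever validated; use `isset( $this->mOptions['token'] ) ? $this->mOptions['token'] : ''` or, better, declare `token` as a required parameter of the module so the API framework rejects the request up front (MediaWiki's `ApiBase` token support, `needsToken()` and `getTokenSalt()`, is the conventional way to do that). Removing the `EDIT_TOKEN_SUFFIX` fallback also means anonymous callers must now supply a token, which is the intent of the change but should be stated in the module's parameter description.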
@@ -461,10 +461,17 @@
$resultDetails = false;
# Allow bots to exempt some edits from bot flagging
$bot = $wgUser->isAllowed( 'bot' ) && $editor->bot;
-
-   $status = $editor->internalAttemptSave( $resultDetails, $bot );
+   if ( $editor->mTokenOk ) {
+   $status = $editor->internalAttemptSave( $resultDetails, 
$bot );
+   }
+   else {
+   $status =  new Status() ;
+   $status->setResult( false, SF_INCORRECT_EDIT_TOKEN );
+   }
 
switch ( $status->value ) {
+   case SF_INCORRECT_EDIT_TOKEN: // A hook function 
returned an error
+   throw new MWException( "This appears to be a 
cross-site request forgery; canceling save.");
case EditPage::AS_HOOK_ERROR_EXPECTED: // A hook 
function returned an error
case EditPage::AS_CONTENT_TOO_BIG: // Content too big 
(> $wgMaxArticleSize)
case EditPage::AS_ARTICLE_WAS_DELETED: // article was 
deleted while editting and param wpRecreate == false or form was not posted
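Review bot: The `else` branch builds a `Status` only so that the `switch` can throw on `SF_INCORRECT_EDIT_TOKEN`; throw directly in the `else` branch (or report a proper API error instead of an `MWException`, which surfaces as a generic error page rather than a structured API failure) and the new constant and `case` become unnecessary. The comment copied onto the new case, `// A hook function returned an error`, is wrong for a token failure and should say so. Minor: `$status =  new Status() ;` has a double space and a stray space before the semicolon.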

-- 
To view, visit https://gerrit.wikimedia.org/r/121698
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Iee5b12763386da5d4dd9e3c5cfa18262e929ce61
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/SemanticForms
Gerrit-Branch: master
Gerrit-Owner: Pawanseerwani 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] Add token parameter to SF Autoedit API - change (mediawiki...SemanticForms)

2014-05-09 Thread Foxtrott (Code Review)
Foxtrott has submitted this change and it was merged.

Change subject: Add token parameter to SF Autoedit API
..


Add token parameter to SF Autoedit API

Currently no such token is used, which is a security issue.
This patch requires the API to have a token parameter, which is used to ensure it
is an authentic change.

Bug: 51505
Change-Id: Iee5b12763386da5d4dd9e3c5cfa18262e929ce61
---
M includes/SF_AutoeditAPI.php
M includes/SF_FormPrinter.php
2 files changed, 8 insertions(+), 2 deletions(-)

Approvals:
  Foxtrott: Verified; Looks good to me, approved



diff --git a/includes/SF_AutoeditAPI.php b/includes/SF_AutoeditAPI.php
index ca0a443..9eaf9d2 100644
--- a/includes/SF_AutoeditAPI.php
+++ b/includes/SF_AutoeditAPI.php
@@ -355,7 +355,7 @@
'wpSummary' => '',
'wpStarttime' => wfTimestampNow(),
'wpEdittime' => '',
-   'wpEditToken' => $wgUser->isLoggedIn() 
? $wgUser->editToken() : EDIT_TOKEN_SUFFIX,
+   'wpEditToken' => isset( 
$this->mOptions[ 'token' ] ) ? $this->mOptions[ 'token' ] : '',
'action' => 'submit',
),
$this->mOptions
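Review bot: Falling back to `''` when `token` is absent means a request that simply forgot the parameter is indistinguishable from one that sent a bad token; both fail later as a CSRF-style rejection rather than as a missing-parameter error. Declaring `token` as a required parameter of the module (MediaWiki's `ApiBase::needsToken()` support) would give callers the accurate error and keep this line from having to guess a default.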
@@ -462,7 +462,12 @@
# Allow bots to exempt some edits from bot flagging
$bot = $wgUser->isAllowed( 'bot' ) && $editor->bot;
 
-   $status = $editor->internalAttemptSave( $resultDetails, $bot );
+   if ( $editor->mTokenOk ) {
+   $status = $editor->internalAttemptSave( $resultDetails, 
$bot );
+   }
+   else {
+   throw new MWException( wfMessage( 
'session_fail_preview' )->parse() );
+   }
 
switch ( $status->value ) {
case EditPage::AS_HOOK_ERROR_EXPECTED: // A hook 
function returned an error
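Review bot: Throwing `MWException` on `!$editor->mTokenOk` turns a client-side token problem into a generic exception rather than a structured API error; prefer the module's own error reporting (for example `$this->dieUsage` with a `badtoken`-style code) so clients can detect and refresh the token. The chosen message, `session_fail_preview`, is the edit page's "session data lost, try again" text and mentions preview, which is misleading for an API call that rejected the token outright; a dedicated message would be clearer.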
diff --git a/includes/SF_FormPrinter.php b/includes/SF_FormPrinter.php
index 4f66828..694a2b4 100644
--- a/includes/SF_FormPrinter.php
+++ b/includes/SF_FormPrinter.php
@@ -1757,6 +1757,7 @@
$form_text .= Html::hidden( 'wpStarttime', 
wfTimestampNow() );
$article = new Article( $this->mPageTitle, 0 );
$form_text .= Html::hidden( 'wpEdittime', 
$article->getTimestamp() );
+   $form_text .= Html::hidden( 'wpEditToken', 
$wgUser->editToken() );
}
 
$form_text .= "\t\n";
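Review bot: The hunk does not show whether `$wgUser` is declared `global` in this method; please confirm, since `$wgUser->editToken()` will otherwise fail at runtime. Note also that the hidden `wpEditToken` field is only emitted inside this block, so any other path that submits to the autoedit API (client-side scripts included) must now send `token` as well or it will be rejected by the new `mTokenOk` check; it is worth verifying those callers in the same change.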


Gerrit-MessageType: merged
Gerrit-Change-Id: Iee5b12763386da5d4dd9e3c5cfa18262e929ce61
Gerrit-PatchSet: 4
Gerrit-Project: mediawiki/extensions/SemanticForms
Gerrit-Branch: master
Gerrit-Owner: Pawanseerwani 
Gerrit-Reviewer: Foxtrott 
Gerrit-Reviewer: Pawanseerwani 
Gerrit-Reviewer: jenkins-bot <>
