author | Sam Reed <reedy@users.mediawiki.org> | 2011-11-28 23:18:55 +0000 |
---|---|---|
committer | Sam Reed <reedy@users.mediawiki.org> | 2011-11-28 23:18:55 +0000 |
commit | 7141742914cb1554809676d30911416bd2024cf9 (patch) | |
tree | 133586100738adbfdc6fc69fda955bcc56a3200e /includes/AjaxDispatcher.php | |
parent | 4567ba7adf5cebab08b72cae276f42a325601c8d (diff) | |
* (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine whether a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would
allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis.
Notes
Notes:
http://mediawiki.org/wiki/Special:Code/MediaWiki/104505
Diffstat (limited to 'includes/AjaxDispatcher.php')
-rw-r--r-- | includes/AjaxDispatcher.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 17b154d61f2f..5bc9f0674273 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -68,7 +68,7 @@ class AjaxDispatcher {
 * request.
 */
 function performAction() {
- global $wgAjaxExportList, $wgOut;
+ global $wgAjaxExportList, $wgOut, $wgUser;
 
 if ( empty( $this->mode ) ) {
 return;
@@ -84,6 +84,13 @@ class AjaxDispatcher {
 'Bad Request',
 "unknown function " . (string) $this->func_name );
+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
+ && !$wgUser->isAllowed( 'read' ) )
+ {
+ wfHttpError(
+ 403,
+ 'Forbidden',
+ 'You must log in to view pages.' );
 } else {
 wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
|
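Review bot: The docblock that closes just above `function performAction()` in the first hunk (its opening lines are outside the hunk) still describes only request dispatch and says nothing about the access gate the function now performs, so a reader of the signature cannot tell that it may refuse the request. I would add to that docblock ` * Sends a 403 via wfHttpError() and returns without dispatching when the requesting user lacks the 'read' right.` so the new contract is visible at the declaration rather than only in the body. The line adding `$wgUser` to the `global` list is what the gate in the second hunk depends on; this presumably assumes `$wgUser` is fully set up before `performAction()` is called, which is worth stating in the same docblock. The second hunk's closing context lines are cut off in this view, so I have not reviewed it separately.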