diff options
| author | Reedy <reedy@wikimedia.org> | 2012-03-22 22:14:10 +0000 |
|---|---|---|
| committer | Reedy <reedy@wikimedia.org> | 2012-03-22 22:14:10 +0000 |
| commit | 34cd6b23ff2115232dd66ef9b8404c30767a570d (patch) | |
| tree | b6d7a294398244a363a90b5598800ebba03009a8 /includes/specials/SpecialUpload.php | |
| parent | 39db773837c064c558bf489f64247b18d3949a89 (diff) | |
| download | mediawikicore-1.19.0beta2.tar.gz mediawikicore-1.19.0beta2.zip | |
* (bug 34212) ApiBlock/ApiUnblock allow action to take place without a token parameter present1.19.0beta2
* (bug 35317) CSRF in Special:Upload
Revert r56793, which removed the CSRF check for Special:Upload for normal file
uploads. Cross-site posting of file uploads without user interaction has been
possible since at least as early as Chrome 8 (late 2010) and Firefox 6 (mid
2011).
Commonist has used api.php since version 0.4.0 (April 2010), and the API
already requires an edit token, so Commonist 0.4.0+ is not affected by this
change.
* (bug 34907) Fix for CSRF vulnerability due to mw.user.tokens. Patch by Roan
Kattouw and Tim Starling.
* Filter out private modules early in ResourceLoader::makeResponse() and just
pretend they weren't specified. This means these modules cannot be loaded
through load.php . This filtering must not happen in makeModuleResponse(),
because that would break inlining.
* Force inlining of private modules in OutputPage::makeResourceLoaderLink(),
disregarding $wgResourceLoaderInlinePrivateModules
* Remove $wgResourceLoaderInlinePrivateModules
* Remove special treatment of private modules ($private) in
ResourceLoader::makeResponse() and sendResponseHeaders(), because we're not
allowing private modules to be loaded through here any more
* Remove identity checks in ResourceLoaderUserOptionsModule and
ResourceLoaderUserCSSPrefsModule, they didn't make a lot of sense before but
they're certainly useless now.
* Factored out error comment construction in ResourceLoader.php and stripped
comment terminations from exception messages. I didn't find an XSS
vulnerability but it looked scary.
Change-Id: I0a4d7d2cc19ab3af018604037be150bda5187434
Diffstat (limited to 'includes/specials/SpecialUpload.php')
| -rw-r--r-- | includes/specials/SpecialUpload.php | 9 |
1 files changed, 1 insertions, 8 deletions
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php index 3711a6ac15db..d6a76d02bd4b 100644 --- a/includes/specials/SpecialUpload.php +++ b/includes/specials/SpecialUpload.php @@ -111,14 +111,7 @@ class SpecialUpload extends SpecialPage { // If it was posted check for the token (no remote POST'ing with user credentials) $token = $request->getVal( 'wpEditToken' ); - if( $this->mSourceType == 'file' && $token == null ) { - // Skip token check for file uploads as that can't be faked via JS... - // Some client-side tools don't expect to need to send wpEditToken - // with their submissions, as that's new in 1.16. - $this->mTokenOk = true; - } else { - $this->mTokenOk = $this->getUser()->matchEditToken( $token ); - } + $this->mTokenOk = $this->getUser()->matchEditToken( $token ); $this->uploadFormTextTop = ''; $this->uploadFormTextAfterSummary = ''; |