Daniel Kinzler has submitted this change and it was merged.

Change subject: (sec audit) Fix permission and token checks in API
......................................................................
(sec audit) Fix permission and token checks in API

This fixes security issues in several API modules.
It does the following things in each module:

* make isWriteMode, needsToken, and mustBePosted return true, to avoid CSRF and unauthorized modification.
* make sure that the token check is always performed, even if no token was provided.

Change-Id: Ica1d33606ba23b0e01ca16cef699946f67a72d03
---
M repo/includes/api/ApiCreateClaim.php
M repo/includes/api/ApiLinkTitles.php
M repo/includes/api/ApiModifyEntity.php
M repo/includes/api/ApiSetClaimValue.php
M repo/includes/api/ApiSetReference.php
M repo/includes/api/RemoveReferences.php
M repo/includes/api/SetStatementRank.php
7 files changed, 101 insertions(+), 7 deletions(-)

Approvals:
  Daniel Kinzler: Verified; Looks good to me, approved

--
To view, visit https://gerrit.wikimedia.org/r/36504

Gerrit-MessageType: merged
Gerrit-Change-Id: Ica1d33606ba23b0e01ca16cef699946f67a72d03
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Wikibase
Gerrit-Branch: mw1.21-wmf5
Gerrit-Owner: Daniel Kinzler <[email protected]>
Gerrit-Reviewer: Daniel Kinzler <[email protected]>
Gerrit-Reviewer: jenkins-bot
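
The two points in the commit message, as an added example that is not code from this change or from MediaWiki: a stand-alone PHP model of a dispatcher that checks the token only when one was sent, beside one that enforces every gate the module declares. Only the method names isWriteMode, needsToken and mustBePosted come from the commit message; `ExampleModule`, `dispatchLenient`, `dispatchStrict`, the result strings and the sample token are hypothetical.

```php
<?php
// Added illustration. Only isWriteMode/needsToken/mustBePosted are names
// from the commit message; everything else here is hypothetical.
class ExampleModule {
    public function isWriteMode() { return true; }   // module modifies data
    public function needsToken() { return true; }    // CSRF token required
    public function mustBePosted() { return true; }  // reject GET requests
}

// Flawed pattern: the token is compared only when the client sent one, so a
// request that omits the parameter skips the check entirely.
function dispatchLenient( ExampleModule $m, $method, array $params, $sessionToken, $canWrite ) {
    if ( isset( $params['token'] ) && !hash_equals( $sessionToken, $params['token'] ) ) {
        return 'badtoken';
    }
    return 'executed';
}

// Hardened pattern: every declared gate is enforced, and a missing token is
// treated the same as a wrong one.
function dispatchStrict( ExampleModule $m, $method, array $params, $sessionToken, $canWrite ) {
    if ( $m->mustBePosted() && $method !== 'POST' ) {
        return 'mustbeposted';
    }
    if ( $m->isWriteMode() && !$canWrite ) {
        return 'permissiondenied';
    }
    if ( $m->needsToken() ) {
        $sent = isset( $params['token'] ) ? (string)$params['token'] : '';
        if ( $sent === '' || !hash_equals( $sessionToken, $sent ) ) {
            return 'badtoken';
        }
    }
    return 'executed';
}

$module = new ExampleModule();
$token = 'constructed-sample-token';            // constructed value for the demo
$cases = [                                      // constructed requests
    [ 'GET',  [],                     true  ],  // no token, wrong HTTP method
    [ 'POST', [],                     true  ],  // token parameter omitted
    [ 'POST', [ 'token' => 'wrong' ], true  ],
    [ 'POST', [ 'token' => $token ],  false ],  // valid token, no write right
    [ 'POST', [ 'token' => $token ],  true  ],
];
foreach ( $cases as [ $method, $params, $canWrite ] ) {
    printf( "%-4s write=%d lenient=%-9s strict=%s\n", $method, $canWrite,
        dispatchLenient( $module, $method, $params, $token, $canWrite ),
        dispatchStrict( $module, $method, $params, $token, $canWrite ) );
}
```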
