Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/336838 )

Change subject: API: Insist authn parameters be in the POST body
......................................................................


API: Insist authn parameters be in the POST body

Passwords should always be submitted in the POST body, not in the query
string. Thus, a warning will now be returned if the password for
action=login.

Change-Id: Ifb2c684bb28c9acc004be2b0c2fef839eb7624aa
---
M RELEASE-NOTES-1.23
M includes/api/ApiBase.php
M includes/api/ApiLogin.php
3 files changed, 44 insertions(+), 0 deletions(-)

Approvals:
  Reedy: Verified; Looks good to me, approved



diff --git a/RELEASE-NOTES-1.23 b/RELEASE-NOTES-1.23
index 1e5ba7e..c30a9e4 100644
--- a/RELEASE-NOTES-1.23
+++ b/RELEASE-NOTES-1.23
@@ -8,6 +8,9 @@
 * (T68404) CSS3 attr() function with url type is no longer allowed
   in inline styles.
 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
+* Submitting the lgtoken and lgpassword parameters in the query string to
+  action=login is now deprecated and outputs a warning. They should be 
submitted
+  in the POST body instead.
 
 == MediaWiki 1.23.15 ==
 
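Review bot: The release note at the new lines says the query-string form is "deprecated and outputs a warning" but gives no date for when it becomes a hard error, while the ApiLogin change in this same patch comments "upgrade to an error in 1.29". Operators reading RELEASE-NOTES to plan client updates need that deadline here; suggest appending "This will become an error in a future release (planned for 1.29)." so the note and the code agree.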
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index cf96ac2..2267e3a 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -845,6 +845,40 @@
        }
 
        /**
+        * Die if any of the specified parameters were found in the query part 
of
+        * the URL rather than the post body.
+        * @since 1.28
+        * @param string[] $params Parameters to check
+        * @param string $prefix Set to 'noprefix' to skip calling 
$this->encodeParamName()
+        */
+       public function requirePostedParameters( $params, $prefix = 'prefix' ) {
+               global $wgDebugAPI;
+               // Skip if $wgDebugAPI is set or we're in internal mode
+               if ( $wgDebugAPI || $this->getMain()->isInternalMode() ) {
+                       return;
+               }
+
+               $queryValues = $this->getRequest()->getQueryValues();
+               $badParams = array();
+               foreach ( $params as $param ) {
+                       if ( $prefix !== 'noprefix' ) {
+                               $param = $this->encodeParamName( $param );
+                       }
+                       if ( array_key_exists( $param, $queryValues ) ) {
+                               $badParams[] = $param;
+                       }
+               }
+
+               if ( $badParams ) {
+                       $this->dieUsage(
+                               'The following parameters were found in the 
query string, but must be in the POST body: '
+                                       . join( ', ', $badParams ),
+                               'mustpostparams'
+                       );
+               }
+       }
+
+       /**
         * Generates the possible errors requireAtLeastOneParameter() can die 
with
         *
         * @since 1.23
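Review bot: The `@since 1.28` tag on requirePostedParameters() is wrong for this change: it is landing on the REL1_23 branch (Gerrit-Branch: REL1_23) and the release note in this patch documents it under the 1.23 series, so the tag should name the 1.23.x release it ships in, or carry a "backported" remark, otherwise readers of the 1.23 code will assume the method does not exist there. Separately, the surrounding code shows a pattern where each require*() helper is paired with a "Generates the possible errors ... can die with" method (see the doc block immediately below); the new 'mustpostparams' code has no such companion, so modules that call this helper will not list that error in their documented possible errors. Consider adding the matching generator in the same patch.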
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index f2a9d1a..222c6bf 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -56,6 +56,13 @@
                        return;
                }
 
+               try {
+                       $this->requirePostedParameters( array( 'password', 
'token' ) );
+               } catch ( UsageException $ex ) {
+                       // Make this a warning for now, upgrade to an error in 
1.29.
+                       $this->setWarning( $ex->getMessage() );
+               }
+
                $params = $this->extractRequestParams();
 
                $result = array();
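Review bot: The catch block reduces the error to a warning by passing only `$ex->getMessage()` to setWarning(), so the machine-readable code 'mustpostparams' is dropped and clients can only match on the English text; consider including the code in the warning so bots can detect it before the 1.29 hard-error switch. The "upgrade to an error in 1.29" comment is a TODO with no tracking task reference; on a REL1_23 backport that plan is easy to lose, so link the task in the comment. Also note that because the check runs before the login proceeds but only warns, a password sent in the query string is still accepted and still reaches access logs on this branch; the release note should make clear that the warning is the only behavioural change for now.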

-- 
To view, visit https://gerrit.wikimedia.org/r/336838
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ifb2c684bb28c9acc004be2b0c2fef839eb7624aa
Gerrit-PatchSet: 8
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Reedy <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
Gerrit-Reviewer: Gergő Tisza <[email protected]>
Gerrit-Reviewer: Reedy <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits