Anomie has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/85218


Change subject: Use HTTPS for Special:MWOAuth/token
......................................................................

Use HTTPS for Special:MWOAuth/token

For security, we really should be using HTTPS when returning the token
back to the consumer. But we also want to avoid breaking things if the
server doesn't support https or the client is blacklisted from https
support.

Bug: 54110
Change-Id: I9982b1f3a1a14d472882898ee758b4ea38942c66
---
M frontend/specialpages/SpecialMWOAuth.php
1 file changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth 
refs/changes/18/85218/1

diff --git a/frontend/specialpages/SpecialMWOAuth.php 
b/frontend/specialpages/SpecialMWOAuth.php
index 10d94f2..5b75e04 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -80,6 +80,19 @@
                                case 'token':
                                        $oauthServer = 
MWOAuthUtils::newMWOAuthServer();
                                        $oauthRequest = 
MWOAuthRequest::fromRequest( $request );
+
+                                       // We want to use HTTPS when returning 
the credentials. But
+                                       // we don't want to break things for 
sites that can't use
+                                       // HTTPS, hence the somewhat 
complicated check.
+                                       if ( $request->detectProtocol() == 
'http'
+                                               && substr( wfExpandUrl( '/', 
PROTO_HTTPS ), 0, 8 ) === 'https://'
+                                               && wfCanIPUseHTTPS( 
$request->getIP() )
+                                       ) {
+                                               $redirUrl = str_replace( 
'http://', 'https://', $request->getFullRequestURL() );
+                                               $this->getOutput()->redirect( 
$redirUrl );
+                                               break;
+                                       }
+
                                        $consumerKey = 
$oauthRequest->get_parameter( 'oauth_consumer_key' );
                                        wfDebugLog( 'OAuth', "/token: 
'{$consumerKey}' getting temporary credentials" );
                                        $token = 
$oauthServer->fetch_access_token( $oauthRequest );
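Review bot: The `str_replace( 'http://', 'https://', $request->getFullRequestURL() )` that builds `$redirUrl` is unanchored, so it rewrites every `http://` in the URL, including any that appears unencoded inside a query parameter value, not only the leading scheme. Replacing only the scheme prefix would avoid that, either by checking that the URL starts with `http://` and swapping just those 7 characters, or by expanding the request path with `wfExpandUrl( ..., PROTO_HTTPS )`, which the condition above already calls. Two further things to confirm before merging. First, the OAuth 1.0 signature base string includes the request URL scheme, so a consumer that follows the redirect and replays a request it signed for `http://` may fail signature verification in `fetch_access_token()`. Second, a consumer that sends its parameters in a POST body may not resend them after a redirect. The code comment should also note that the redirect only keeps the response (the token) off plain HTTP, since the signed request has already arrived in cleartext by the time this check runs.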

-- 
To view, visit https://gerrit.wikimedia.org/r/85218
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9982b1f3a1a14d472882898ee758b4ea38942c66
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <bjor...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
