Anomie has uploaded a new change for review. https://gerrit.wikimedia.org/r/85218
Change subject: Use HTTPS for Special:MWOAuth/token ...................................................................... Use HTTPS for Special:MWOAuth/token For security, we really should be using HTTPS when returning the token back to the consumer. But we also want to avoid breaking things if the server doesn't support https or the client is blacklisted from https support. Bug: 54110 Change-Id: I9982b1f3a1a14d472882898ee758b4ea38942c66 --- M frontend/specialpages/SpecialMWOAuth.php 1 file changed, 13 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/OAuth refs/changes/18/85218/1
diff --git a/frontend/specialpages/SpecialMWOAuth.php b/frontend/specialpages/SpecialMWOAuth.php
index 10d94f2..5b75e04 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -80,6 +80,19 @@ case 'token': $oauthServer = MWOAuthUtils::newMWOAuthServer(); $oauthRequest = MWOAuthRequest::fromRequest( $request ); + + // We want to use HTTPS when returning the credentials. But + // we don't want to break things for sites that can't use + // HTTPS, hence the somewhat complicated check. + if ( $request->detectProtocol() == 'http' + && substr( wfExpandUrl( '/', PROTO_HTTPS ), 0, 8 ) === 'https://' + && wfCanIPUseHTTPS( $request->getIP() ) + ) { + $redirUrl = str_replace( 'http://', 'https://', $request->getFullRequestURL() ); + $this->getOutput()->redirect( $redirUrl ); + break; + } + $consumerKey = $oauthRequest->get_parameter( 'oauth_consumer_key' ); wfDebugLog( 'OAuth', "/token: '{$consumerKey}' getting temporary credentials" ); $token = $oauthServer->fetch_access_token( $oauthRequest ); -- To view, visit https://gerrit.wikimedia.org/r/85218 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I9982b1f3a1a14d472882898ee758b4ea38942c66 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/OAuth Gerrit-Branch: master Gerrit-Owner: Anomie <bjor...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
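Review bot: The `str_replace( 'http://', 'https://', $request->getFullRequestURL() )` call rewrites every occurrence of `http://` in the URL, not just the scheme, so a query parameter carrying an unencoded `http://` value would be silently altered in the redirect target. Anchoring the replacement keeps the rest of the request intact: `$redirUrl = preg_replace( '#^http://#', 'https://', $request->getFullRequestURL(), 1 );`. Separately, the redirect fires before `fetch_access_token()`, so the consumer has to replay its signed request against the https URL. OAuth 1.0 signatures normally cover the request URL including its scheme, so it is worth confirming that a replayed request still verifies, and that consumers using POST survive the redirect. When the HTTPS check fails, the credentials are still returned over plain HTTP; a `wfDebugLog( 'OAuth', ... )` line on that path would make the downgrade visible to operators. The enclosing `switch` and the rest of the `case 'token':` branch lie outside the hunk.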