jenkins-bot has submitted this change and it was merged.
Change subject: Use HTTPS for Special:MWOAuth/token
......................................................................
Use HTTPS for Special:MWOAuth/token
For security, we really should be using HTTPS when returning the token
back to the consumer. But when RSA is in use the consumer secret doesn't
matter.
Bug: 54110
Change-Id: I9982b1f3a1a14d472882898ee758b4ea38942c66
---
M frontend/specialpages/SpecialMWOAuth.php
1 file changed, 17 insertions(+), 0 deletions(-)
Approvals:
Aaron Schulz: Looks good to me, approved
jenkins-bot: Verified
diff --git a/frontend/specialpages/SpecialMWOAuth.php
b/frontend/specialpages/SpecialMWOAuth.php
index 5588fab..e286f35 100644
--- a/frontend/specialpages/SpecialMWOAuth.php
+++ b/frontend/specialpages/SpecialMWOAuth.php
@@ -80,9 +80,26 @@
case 'token':
$oauthServer =
MWOAuthUtils::newMWOAuthServer();
$oauthRequest =
MWOAuthRequest::fromRequest( $request );
+
+ $isRsa = $oauthRequest->get_parameter(
"oauth_signature_method" ) === 'RSA-SHA1';
+
+ // We want to use HTTPS when returning
the credentials. But
+ // for RSA we don't need to return a
token secret, so HTTP is ok.
+ if ( !$isRsa &&
$request->detectProtocol() == 'http'
+ && substr( wfExpandUrl( '/',
PROTO_HTTPS ), 0, 8 ) === 'https://'
+ ) {
+ $redirUrl = str_replace(
'http://', 'https://', $request->getFullRequestURL() );
+ $this->getOutput()->redirect(
$redirUrl );
+ break;
+ }
+
$consumerKey =
$oauthRequest->get_parameter( 'oauth_consumer_key' );
wfDebugLog( 'OAuth', "/token:
'{$consumerKey}' getting temporary credentials" );
$token =
$oauthServer->fetch_access_token( $oauthRequest );
+ if ( $isRsa ) {
+ // RSA doesn't use the token
secret, so don't return one.
+ $token->secret = '__unused__';
+ }
$this->returnToken( $token, $format );
break;
case 'verified':
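Review bot: The redirect built on the `$redirUrl = str_replace( 'http://', 'https://', $request->getFullRequestURL() );` line rewrites every `http://` in the full request URL, not only the scheme, so a query value that carries a literal (unencoded) `http://` would be altered as well and the parameters the consumer signed would no longer match what the HTTPS endpoint sees; anchoring the replacement to the start of the string avoids that, e.g. `$redirUrl = preg_replace( '#^http://#', 'https://', $request->getFullRequestURL() );`. Since an OAuth signature base string is computed over the request URL, a consumer that follows the 302 will presumably present a signature built for the `http://` URL and fail verification at the `https://` one, so the redirect looks like an enforcement step rather than a transparent upgrade; a comment such as `// Consumers that signed over http:// will fail verification after the redirect.` next to the `if` would make that explicit. The `$request->detectProtocol() == 'http'` test should use `===`, matching the strict comparisons on the surrounding lines. The enclosing `switch` begins and ends outside this hunk.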
--
To view, visit https://gerrit.wikimedia.org/r/85218
Gerrit-MessageType: merged
Gerrit-Change-Id: I9982b1f3a1a14d472882898ee758b4ea38942c66
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/extensions/OAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <[email protected]>
Gerrit-Reviewer: Aaron Schulz <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: jenkins-bot