https://bugzilla.wikimedia.org/show_bug.cgi?id=68843

            Bug ID: 68843
           Summary: MassMessage::getMessengerUser() takeover broken due to
                    Password API changes
           Product: MediaWiki extensions
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: Unprioritized
         Component: MassMessage
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected], [email protected],
                    [email protected], [email protected]
       Web browser: ---
   Mobile Platform: ---

In MassMessage::getMessengerUser(), we do some evil things to create a system
account that cannot be logged into:

$user = User::newFromName( $wgMassMessageAccountUsername );
$user->load();
if ( $user->getId() && $user->mPassword == '' && $user->mNewpassword == '' ) {
    // We've already stolen the account
    return $user;
}


Problems here are:

a) User::load() no longer loads the password members, so we can't check if they
are equal to empty string.
b) null == '', should have been using triple equals.


Also, AbuseFilter has a very similar function (I got the idea from it), so
we'll need to patch this there too.

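The two problems listed in the report combine: once the password members are no longer loaded they are null, and the loose comparison against '' then passes for every existing account. The following is an added example, not code from MassMessage or MediaWiki. StubUser and both function names are hypothetical stand-ins, and the sample values are constructed.

```php
<?php
// Hypothetical stand-in for a user object; this is NOT MediaWiki's User class.
final class StubUser {
    public function __construct(
        private int $id,
        public ?string $mPassword,
        public ?string $mNewpassword
    ) {}

    public function getId(): int {
        return $this->id;
    }
}

// The check as quoted in the report: loose comparison against ''.
function looksTakenOverLoose( StubUser $u ): bool {
    return $u->getId() && $u->mPassword == '' && $u->mNewpassword == '';
}

// The same check with strict comparison: a null (unloaded) field no longer
// compares equal to the empty string.
function looksTakenOverStrict( StubUser $u ): bool {
    return $u->getId() !== 0 && $u->mPassword === '' && $u->mNewpassword === '';
}

// Constructed sample states for an account with the same id.
$cases = [
    'system account, passwords blanked' => new StubUser( 7, '', '' ),
    'ordinary account, hash loaded'     => new StubUser( 7, ':B:constructed:hash', '' ),
    'any account, fields not loaded'    => new StubUser( 7, null, null ),
];

// Print how each variant of the check classifies each state.
foreach ( $cases as $label => $u ) {
    printf(
        "%-36s loose=%s strict=%s\n",
        $label,
        var_export( looksTakenOverLoose( $u ), true ),
        var_export( looksTakenOverStrict( $u ), true )
    );
}
```

With unloaded fields the loose check reports the account as already taken over, while the strict check rejects it. Strict comparison alone does not address problem a): the check still cannot distinguish a blanked account from an ordinary one until the password state is actually available to it.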