wikimedia/mediawiki-extensions-AbuseFilter
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/AbuseFilter.git synced 2024-11-27 23:40:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

API: Make output containing private or user-specific data uncacheable for logged-in users by setting Vary: Cookie or Cache-Control: private, whichever is appropriate. Fixes instances in core and WMF-deployed extensions only. Without this change, the output of requests like ?action=query&list=recentchanges&rcprop=patrolled&smaxage=3600 would be cached in Squid and viewable for anyone using the same URL, even if they don't have patrol rights. Other, more serious exploits are also possible. Also avoid using $wgUser in one place, kill some unused global $wgUser; instances and tweak a comment.

Browse source
This commit is contained in:
Roan Kattouw 2010-07-14 19:00:54 +00:00
parent 1560938ccb
commit 69381c912e
2 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
ApiQueryAbuseFilters.php
View file

@ -36,6 +36,7 @@ class ApiQueryAbuseFilters extends ApiQueryBase {
public function execute() {
global $wgUser;
$this->getMain()->setVaryCookie();
if ( !$wgUser->isAllowed( 'abusefilter-view' ) )
$this->dieUsage( 'You don\'t have permission to view abuse filters', 'permissiondenied' );

1
ApiQueryAbuseLog.php
View file

@ -36,6 +36,7 @@ class ApiQueryAbuseLog extends ApiQueryBase {
public function execute() {
global $wgUser;
$this->getMain()->setVaryCookie();
if ( !$wgUser->isAllowed( 'abusefilter-log' ) )
$this->dieUsage( 'You don\'t have permission to view the abuse log', 'permissiondenied' );