mediawiki-extensions-AbuseF.../includes/api/ApiAbuseFilterEvalExpression.php
Daimona Eaytoy cee8e14cf1 SECURITY: Require view-private or modify for the evalexpression API
This is consistent with the "anti-DoS" measures on other API modules.
Although this may not be a serious DoS vector, it makes sense to
restrict this module. Moreover, it's also consistent with
Special:AbuseFilter/tools (which is the corresponding web interface),
which requires the same user rights.

Bug: T238451
Change-Id: Id09fd57195d71884674ac0470f137ca30c56e13c
2019-11-21 16:33:04 +01:00


<?php
/**
 * API module that evaluates one AbuseFilter expression taken from the request
 * and returns the outcome under this module's name.
 *
 * Access is gated by AbuseFilter::canViewPrivate(), which is defined outside
 * this file. NOTE(review): presumably it admits holders of the view-private
 * or modify rights; confirm against its definition.
 */
class ApiAbuseFilterEvalExpression extends ApiBase {
	/**
	 * Check the caller's rights, then evaluate the requested expression and
	 * publish the value as [ 'result' => ... ].
	 *
	 * @see ApiBase::execute()
	 */
	public function execute() {
		// "Anti-DoS": the rights check comes first, before any request
		// parameter is read or handed to the evaluator.
		// NOTE(review): this relies on dieWithError() not returning; it is
		// inherited from ApiBase and not visible here.
		$caller = $this->getUser();
		if ( !AbuseFilter::canViewPrivate( $caller ) ) {
			$this->dieWithError( 'apierror-abusefilter-canteval', 'permissiondenied' );
		}

		$expression = $this->extractRequestParams()['expression'];
		$evaluated = AbuseFilter::evaluateExpression( $expression );

		$this->getResult()->addValue(
			null,
			$this->getModuleName(),
			[ 'result' => $evaluated ]
		);
	}

	/**
	 * Declare the module's only parameter: a mandatory 'expression'.
	 *
	 * @see ApiBase::getAllowedParams()
	 * @return array
	 */
	public function getAllowedParams() {
		$expressionSpec = [
			ApiBase::PARAM_REQUIRED => true,
		];

		return [ 'expression' => $expressionSpec ];
	}

	/**
	 * Map a sample query string to the message key that describes it.
	 *
	 * @see ApiBase::getExamplesMessages()
	 * @return array
	 */
	protected function getExamplesMessages() {
		$sampleQuery = 'action=abusefilterevalexpression&expression=lcase("FOO")';

		return [
			$sampleQuery => 'apihelp-abusefilterevalexpression-example-1',
		];
	}
}