SECURITY: Check permissions before job execution

CVE-2021-41801 Bug: T279090 Change-Id: Ibc299edf626ca9aa1cd9d83b888820f5aca9af7c
2024-11-24 06:43:35 +00:00 · 2021-04-21 14:16:18 -05:00 · 2021-04-21 14:16:18 -05:00 · 4c1453927d
parent e32b0be64d
commit 4c1453927d
2 changed files with 12 additions and 2 deletions
--- a/extension.json
+++ b/extension.json
@ -1,6 +1,6 @@
 {
 	"name": "Replace Text",
-	"version": "1.4.1",
+	"version": "1.4.2",
 	"author": [
 		"Yaron Koren",
 		"Niklas Laxström",
--- a/src/Job.php
+++ b/src/Job.php
@ -51,6 +51,17 @@ class Job extends JobParent {
 	 * @return bool success
 	 */
 	function run() {
+		// T279090
+		$current_user = User::newFromId( $this->params['user_id'] );
+		$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
+		if ( !$permissionManager->userCan(
+			'replacetext', $current_user, $this->title
+		) ) {
+			$this->error = 'replacetext: permission no longer valid';
+			// T279090#6978214
+			return true;
+		}
+
 		if ( isset( $this->params['session'] ) ) {
 			$callback = RequestContext::importScopedSession( $this->params['session'] );
 			$this->addTeardownCallback( static function () use ( &$callback ) {
@ -64,7 +75,6 @@ class Job extends JobParent {
 		}

 		if ( array_key_exists( 'move_page', $this->params ) ) {
-			$current_user = User::newFromId( $this->params['user_id'] );
 			$new_title = Search::getReplacedTitle(
 				$this->title,
 				$this->params['target_str'],