SECURITY: Check permissions before job execution

CVE-2021-41801

Bug: T279090
Change-Id: Ibc299edf626ca9aa1cd9d83b888820f5aca9af7c
RhinosF1 2021-04-21 14:16:18 -05:00 committed by Reedy
parent a765c687c9
commit 7ab68672e9
2 changed files with 12 additions and 2 deletions


@ -1,6 +1,6 @@
{
"name": "Replace Text",
"version": "1.4.1",
"version": "1.4.2",
"author": [
"Yaron Koren",
"Niklas Laxström",


@ -51,6 +51,17 @@ class Job extends JobParent {
* @return bool success
*/
function run() {
// T279090
$current_user = User::newFromId( $this->params['user_id'] );
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
if ( !$permissionManager->userCan(
'replacetext', $current_user, $this->title
) ) {
$this->error = 'replacetext: permission no longer valid';
// T279090#6978214
return true;
}
if ( isset( $this->params['session'] ) ) {
$callback = RequestContext::importScopedSession( $this->params['session'] );
$this->addTeardownCallback( static function () use ( &$callback ) {
@ -64,7 +75,6 @@ class Job extends JobParent {
}
if ( array_key_exists( 'move_page', $this->params ) ) {
$current_user = User::newFromId( $this->params['user_id'] );
$new_title = Search::getReplacedTitle(
$this->title,
$this->params['target_str'],