mirror of
https://gerrit.wikimedia.org/r/mediawiki/extensions/ReplaceText
synced 2024-11-27 16:10:15 +00:00
SECURITY: Check permissions before job execution
CVE-2021-41801 Bug: T279090 Change-Id: Ibc299edf626ca9aa1cd9d83b888820f5aca9af7c
This commit is contained in:
parent
a765c687c9
commit
7ab68672e9
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "Replace Text",
|
||||
"version": "1.4.1",
|
||||
"version": "1.4.2",
|
||||
"author": [
|
||||
"Yaron Koren",
|
||||
"Niklas Laxström",
|
||||
|
|
12
src/Job.php
12
src/Job.php
|
@ -51,6 +51,17 @@ class Job extends JobParent {
|
|||
* @return bool success
|
||||
*/
|
||||
function run() {
|
||||
// T279090
|
||||
$current_user = User::newFromId( $this->params['user_id'] );
|
||||
$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
|
||||
if ( !$permissionManager->userCan(
|
||||
'replacetext', $current_user, $this->title
|
||||
) ) {
|
||||
$this->error = 'replacetext: permission no longer valid';
|
||||
// T279090#6978214
|
||||
return true;
|
||||
}
|
||||
|
||||
if ( isset( $this->params['session'] ) ) {
|
||||
$callback = RequestContext::importScopedSession( $this->params['session'] );
|
||||
$this->addTeardownCallback( static function () use ( &$callback ) {
|
||||
|
@ -64,7 +75,6 @@ class Job extends JobParent {
|
|||
}
|
||||
|
||||
if ( array_key_exists( 'move_page', $this->params ) ) {
|
||||
$current_user = User::newFromId( $this->params['user_id'] );
|
||||
$new_title = Search::getReplacedTitle(
|
||||
$this->title,
|
||||
$this->params['target_str'],
|
||||
|
|
Loading…
Reference in a new issue