From b37d68a4c1603fed92c5db0b38ffc8bbd389fca5 Mon Sep 17 00:00:00 2001
From: RhinosF1 <rhinosf1@gmail.com>
Date: Wed, 21 Apr 2021 14:16:18 -0500
Subject: [PATCH] SECURITY: Check permissions before job execution

CVE-2021-41801

Bug: T279090
Change-Id: Ibc299edf626ca9aa1cd9d83b888820f5aca9af7c
---
 extension.json         |  2 +-
 src/ReplaceTextJob.php | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/extension.json b/extension.json
index 5c690136..4f2a27ff 100644
--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
 	"name": "Replace Text",
-	"version": "1.4.1",
+	"version": "1.4.2",
 	"author": [
 		"Yaron Koren",
 		"Niklas Laxström",
diff --git a/src/ReplaceTextJob.php b/src/ReplaceTextJob.php
index a52b5652..7f487bcb 100644
--- a/src/ReplaceTextJob.php
+++ b/src/ReplaceTextJob.php
@@ -41,6 +41,17 @@ class ReplaceTextJob extends Job {
 	 * @return bool success
 	 */
 	function run() {
+		// T279090
+		$current_user = User::newFromId( $this->params['user_id'] );
+		$permissionManager = MediaWikiServices::getInstance()->getPermissionManager();
+		if ( !$permissionManager->userCan(
+			'replacetext', $current_user, $this->title
+		) ) {
+			$this->error = 'replacetext: permission no longer valid';
+			// T279090#6978214
+			return true;
+		}
+
 		if ( isset( $this->params['session'] ) ) {
 			$callback = RequestContext::importScopedSession( $this->params['session'] );
 			$this->addTeardownCallback( function () use ( &$callback ) {
@@ -54,7 +65,6 @@ class ReplaceTextJob extends Job {
 		}
 
 		if ( array_key_exists( 'move_page', $this->params ) ) {
-			$current_user = User::newFromId( $this->params['user_id'] );
 			$new_title = ReplaceTextSearch::getReplacedTitle(
 				$this->title,
 				$this->params['target_str'],