SECURITY: Check permissions before job execution

CVE-2021-41801 Bug: T279090 Change-Id: Ibc299edf626ca9aa1cd9d83b888820f5aca9af7c
2024-11-27 16:10:15 +00:00 · 2021-04-21 14:16:18 -05:00 · 2021-04-21 14:16:18 -05:00 · d4687e125f
parent 9739ecb325
commit d4687e125f
2 changed files with 9 additions and 1 deletions
--- a/extension.json
+++ b/extension.json
@ -1,6 +1,6 @@
 {
 	"name": "Replace Text",
-	"version": "1.4.1",
+	"version": "1.4.2",
 	"author": [
 		"Yaron Koren",
 		"Niklas Laxström",
--- a/src/ReplaceTextJob.php
+++ b/src/ReplaceTextJob.php
@ -41,6 +41,14 @@ class ReplaceTextJob extends Job {
 	 * @return bool success
 	 */
 	function run() {
+		// T279090
+		$current_user = User::newFromId( $this->params['user_id'] );
+		if ( !$this->title->userCan( 'replacetext', $current_user ) ) {
+			$this->error = 'replacetext: permission no longer valid';
+			// T279090#6978214
+			return true;
+		}
+
 		if ( isset( $this->params['session'] ) ) {
 			$callback = RequestContext::importScopedSession( $this->params['session'] );
 			$this->addTeardownCallback( function () use ( &$callback ) {