r110342 MediaWiki - Code Review archive

Repository:MediaWiki
Revision: < r110341 | r110342 | r110343 >
Date:23:44, 30 January 2012
Author:aaron
Status:ok
Tags:core 
Comment:
(bug 33992) - "Allow anon a formless purge with POST". Changed HTMLForm::tryAuthorizedSubmit() to (a) require post for forms that are supposed to be posted and (b) bypass the token check for anons as it doesn't really do much except be slightly annoying. The tokens are just User::EDIT_TOKEN_SUFFIX in that case.
Modified paths:
  • /trunk/phase3/includes/HTMLForm.php (modified) (history)

Diff

Index: trunk/phase3/includes/HTMLForm.php
@@ -240,12 +240,27 @@
241241 * @return Status|boolean
242242 */
243243 function tryAuthorizedSubmit() {
244 - $editToken = $this->getRequest()->getVal( 'wpEditToken' );
 244+ $result = false;
245245
246 - $result = false;
247 - if ( $this->getMethod() != 'post' || $this->getUser()->matchEditToken( $editToken ) ) {
 246+ $submit = false;
 247+ if ( $this->getMethod() != 'post' ) {
 248+ $submit = true; // no session check needed
 249+ } elseif ( $this->getRequest()->wasPosted() ) {
 250+ $editToken = $this->getRequest()->getVal( 'wpEditToken' );
 251+ if ( $this->getUser()->isLoggedIn() || $editToken != null ) {
 252+ // Session tokens for logged-out users have no security value.
 253+ // However, if the user gave one, check it in order to give a nice
 254+ // "session expired" error instead of "permission denied" or such.
 255+ $submit = $this->getUser()->matchEditToken( $editToken );
 256+ } else {
 257+ $submit = true;
 258+ }
 259+ }
 260+
 261+ if ( $submit ) {
248262 $result = $this->trySubmit();
249263 }
 264+
250265 return $result;
251266 }
252267
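Review bot: the `$editToken != null` test at new line 251 uses loose comparison, so a posted but empty `wpEditToken=` is treated as "no token supplied" and skips `matchEditToken()` for a logged-out user; given the commit message's point that anon tokens are only `User::EDIT_TOKEN_SUFFIX`, that is not a security regression, but `$editToken !== null` would make the comment's "if the user gave one, check it" intent hold literally and keep the "session expired" message for that case. The logged-in branch still enforces the token on every POST, which is the population where the token actually carries CSRF value, so that part reads correctly. One documentation point for the docblock above: with the new `wasPosted()` guard, a POST-method form reached by GET now falls through with `$submit` false and returns `false` silently rather than attempting `trySubmit()`, which callers that previously accepted GET submissions of POST forms should be told about.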
