r27514 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r27513‎ | r27514 | r27515 >
Date:04:24, 15 November 2007
Author:brion
Status:old
Tags:
Comment:
Revert r27151 -- allows session fixation attacks.
Just get a user to visit a URL with the user ID and token you like in the query string (say, in an <img> referenced in a page you convince them to go to or post for their review) and their login session will be replaced with the one you provided.
Modified paths:
  • /trunk/phase3/RELEASE-NOTES (modified) (history)
  • /trunk/phase3/includes/api/ApiLogin.php (modified) (history)
  • /trunk/phase3/includes/api/ApiMain.php (modified) (history)


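--- a/trunk/phase3/includes/api/ApiMain.php
+++ b/trunk/phase3/includes/api/ApiMain.php
@@ -88,24 +88,11 @@
 * @param $enableWrite bool should be set to true if the api may modify data
 */
 public function __construct($request, $enableWrite = false) {
- global $wgRequest, $wgUser;
 
 $this->mInternalMode = ($request instanceof FauxRequest);
 
 // Special handling for the main module: $parent === $this
 parent :: __construct($this, $this->mInternalMode ? 'main_int' : 'main');
-
- // Check if request has cookie-like variables, and set them
- if( ($request->getVal('lgtoken')) && ($request->getVal('lgusername')) && ($request->getVal('lguserid')) ) {
-
- // Got variables, set cookies.
- $_SESSION['wsUserID'] = $request->getVal('lguserid');
- $_SESSION['wsUserName'] = $request->getVal('lgusername');
- $_SESSION['wsToken'] = $request->getVal('lgtoken');
-
- // Reinitialize $wgUser from session data
- $wgUser = User::newFromSession();
- }
 
 if (!$this->mInternalMode) {
 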
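--- a/trunk/phase3/includes/api/ApiLogin.php
+++ b/trunk/phase3/includes/api/ApiLogin.php
@@ -104,6 +104,7 @@
 $result['lgusername'] = $_SESSION['wsUserName'];
 $result['lgtoken'] = $_SESSION['wsToken'];
 $result['cookieprefix'] = $wgCookiePrefix;
+ $result['sessionid'] = $_COOKIE["{$wgCookiePrefix}_session"];
 break;
 
 case LoginForm :: NO_NAME :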
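Review bot: The added `$result['sessionid'] = $_COOKIE["{$wgCookiePrefix}_session"];` takes the identifier from the cookie the client sent with this request, not from the live session. When a client logs in without having sent a session cookie, the index is undefined and the response carries no usable value. `$result['sessionid'] = session_id();` would report the session that the `$_SESSION` reads just above actually belong to. Because this puts the session identifier into the response body, it deserves a comment that the field is a bearer secret, and since the revision is about session fixation, the login path (not visible here) should be checked for issuing a fresh identifier on success rather than keeping one chosen before authentication. The enclosing switch case starts and ends outside the hunk.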
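--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -181,7 +181,6 @@
 * (bug 11721) Use a different title for results than for the help page.
 * (bug 11562) Added a user_registration parameter/field to the list=allusers query.
 * (bug 11588) Preserve document structure for empty dataset in backlinks query.
-* Allow staying logged in through lg* parameters instead of cookies
 * Outputting list of all user preferences rather than having to request them by name
 
 === Languages updated in 1.12 ===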

Follow-up revisions

Revision | Commit summary | Author | Date
r27515 | Merged with trunk r27514 | yurik | 05:02, 15 November 2007

Past revisions this follows-up on

Revision | Commit summary | Author | Date
r27151 | API:... | catrope | 09:57, 3 November 2007
