r74098 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r74097‎ \| r74098 \| r74099 >
Date:	20:12, 1 October 2010
Author:	reedy
Status:	ok (Comments)
Tags:
Comment:	* (bug 25248) API: paraminfo errors with certain modules Added a needsToken() function, rather than calling getTokenSalt, which can throw silly errors due to dependencies on parameters
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/api/ApiBase.php (modified) (history) /trunk/phase3/includes/api/ApiBlock.php (modified) (history) /trunk/phase3/includes/api/ApiDelete.php (modified) (history) /trunk/phase3/includes/api/ApiEditPage.php (modified) (history) /trunk/phase3/includes/api/ApiEmailUser.php (modified) (history) /trunk/phase3/includes/api/ApiImport.php (modified) (history) /trunk/phase3/includes/api/ApiMove.php (modified) (history) /trunk/phase3/includes/api/ApiPatrol.php (modified) (history) /trunk/phase3/includes/api/ApiProtect.php (modified) (history) /trunk/phase3/includes/api/ApiRollback.php (modified) (history) /trunk/phase3/includes/api/ApiUnblock.php (modified) (history) /trunk/phase3/includes/api/ApiUndelete.php (modified) (history) /trunk/phase3/includes/api/ApiUpload.php (modified) (history) /trunk/phase3/includes/api/ApiUserrights.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiMove.php
—	—	@@ -233,6 +233,10 @@
234	234	) );
235	235	}
236	236
	237	+ public function needsToken() {
	238	+ return true;
	239	+ }
	240	+
237	241	public function getTokenSalt() {
238	242	return '';
239	243	}
Index: trunk/phase3/includes/api/ApiProtect.php
—	—	@@ -207,8 +207,12 @@
208	208	) );
209	209	}
210	210
	211	+ public function needsToken() {
	212	+ return true;
	213	+ }
	214	+
211	215	public function getTokenSalt() {
212		~~- return null;~~
	216	+ return '';
213	217	}
214	218
215	219	protected function getExamples() {
Index: trunk/phase3/includes/api/ApiRollback.php
—	—	@@ -128,6 +128,10 @@
129	129	) );
130	130	}
131	131
	132	+ public function needsToken() {
	133	+ return true;
	134	+ }
	135	+
132	136	public function getTokenSalt() {
133	137	return array( $this->getTitle()->getPrefixedText(), $this->getUser() );
134	138	}
Index: trunk/phase3/includes/api/ApiUserrights.php
—	—	@@ -125,6 +125,10 @@
126	126	return parent::getPossibleErrors();
127	127	}
128	128
	129	+ public function needsToken() {
	130	+ return true;
	131	+ }
	132	+
129	133	public function getTokenSalt() {
130	134	return $this->getUser()->getName();
131	135	}
Index: trunk/phase3/includes/api/ApiDelete.php
—	—	@@ -246,6 +246,10 @@
247	247	) );
248	248	}
249	249
	250	+ public function needsToken() {
	251	+ return true;
	252	+ }
	253	+
250	254	public function getTokenSalt() {
251	255	return '';
252	256	}
Index: trunk/phase3/includes/api/ApiImport.php
—	—	@@ -154,6 +154,10 @@
155	155	) );
156	156	}
157	157
	158	+ public function needsToken() {
	159	+ return true;
	160	+ }
	161	+
158	162	public function getTokenSalt() {
159	163	return '';
160	164	}
Index: trunk/phase3/includes/api/ApiEditPage.php
—	—	@@ -481,6 +481,10 @@
482	482	);
483	483	}
484	484
	485	+ public function needsToken() {
	486	+ return true;
	487	+ }
	488	+
485	489	public function getTokenSalt() {
486	490	return '';
487	491	}
Index: trunk/phase3/includes/api/ApiUnblock.php
—	—	@@ -129,6 +129,10 @@
130	130	) );
131	131	}
132	132
	133	+ public function needsToken() {
	134	+ return true;
	135	+ }
	136	+
133	137	public function getTokenSalt() {
134	138	return '';
135	139	}
Index: trunk/phase3/includes/api/ApiEmailUser.php
—	—	@@ -119,6 +119,10 @@
120	120	) );
121	121	}
122	122
	123	+ public function needsToken() {
	124	+ return true;
	125	+ }
	126	+
123	127	public function getTokenSalt() {
124	128	return '';
125	129	}
Index: trunk/phase3/includes/api/ApiBlock.php
—	—	@@ -183,6 +183,10 @@
184	184	) );
185	185	}
186	186
	187	+ public function needsToken() {
	188	+ return true;
	189	+ }
	190	+
187	191	public function getTokenSalt() {
188	192	return '';
189	193	}
Index: trunk/phase3/includes/api/ApiPatrol.php
—	—	@@ -90,6 +90,10 @@
91	91	) );
92	92	}
93	93
	94	+ public function needsToken() {
	95	+ return true;
	96	+ }
	97	+
94	98	public function getTokenSalt() {
95	99	return '';
96	100	}
Index: trunk/phase3/includes/api/ApiUndelete.php
—	—	@@ -143,6 +143,10 @@
144	144	) );
145	145	}
146	146
	147	+ public function needsToken() {
	148	+ return true;
	149	+ }
	150	+
147	151	public function getTokenSalt() {
148	152	return '';
149	153	}
Index: trunk/phase3/includes/api/ApiBase.php
—	—	@@ -1094,6 +1094,14 @@
1095	1095	}
1096	1096
1097	1097	/**
	1098	+ * Returns whether this module requires a Token to execute
	1099	+ * @returns bool
	1100	+ */
	1101	+ public function needsToken() {
	1102	+ return false;
	1103	+ }
	1104	+
	1105	+ /**
1098	1106	* Returns the token salt if there is one, '' if the module doesn't require a salt, else false if the module doesn't need a token
1099	1107	* @returns bool
1100	1108	*/
—	—	@@ -1155,7 +1163,7 @@
1156	1164	$ret[] = array( 'writedisabled' );
1157	1165	}
1158	1166
1159		~~- if ( $this->getTokenSalt() !== false ) {~~
	1167	+ if ( $this->needsToken() ) {
1160	1168	$ret[] = array( 'missingparam', 'token' );
1161	1169	$ret[] = array( 'sessionfailure' );
1162	1170	}
Index: trunk/phase3/includes/api/ApiUpload.php
—	—	@@ -459,6 +459,10 @@
460	460	) );
461	461	}
462	462
	463	+ public function needsToken() {
	464	+ return true;
	465	+ }
	466	+
463	467	public function getTokenSalt() {
464	468	return '';
465	469	}
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -421,6 +421,7 @@
422	422	$wgAllowAsyncCopyUploads to be true.
423	423	* sinumberingroup correctly gives size of 'user' group, and omits size of
424	424	implicit groups rather than showing 0.
	425	+* (bug 25248) API: paraminfo errors with certain modules
425	426
426	427	=== Languages updated in 1.17 ===
427	428

Follow-up revisions

Revision	Commit summary	Author	Date
r74217	MFT r74098, r74099...	reedy	15:53, 3 October 2010
r75259	Followup r74098, fixup extensions that are using getTokenSalt, by adding need...	reedy	16:14, 23 October 2010

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r73596	follow up r72387: using ApiQuery here breaks ApiParamInfo (bug 25248)	gurch	10:46, 23 September 2010

Comments

#Comment by Reedy (talk | contribs) 20:18, 1 October 2010

Needs merging to 1.16 when reviewed (I'll do it)

#Comment by Catrope (talk | contribs) 15:30, 3 October 2010

+		public function needsToken() {
+		return true;
+	}
+
 	public function getTokenSalt() {
 		return '';

Indented wrong.

Good otherwise, go ahead and backport.

#Comment by Reedy (talk | contribs) 15:32, 3 October 2010

Already fixed in r74099

#Comment by Bryan (talk | contribs) 17:28, 16 October 2010

I am not entirely happy with how this breaks backwards compatibility (with old extensions that do not have needsToken() but do return a salt), but I seen to clean way to handle this.

#Comment by Catrope (talk | contribs) 17:30, 16 October 2010

That's a very good point: old extensions will become vulnerable to CSRF if not upgraded. We need to avoid that somehow.

#Comment by Reedy (talk | contribs) 15:10, 23 October 2010

Suggested fix/way of going about it?

#Comment by Bryan (talk | contribs) 21:15, 9 December 2010

Remind me again what the result of our discussion in DC on this was?

#Comment by Reedy (talk | contribs) 21:48, 9 December 2010

I think it was a case of fixing like this wasn't ideal, but one of the only ways around it. IIRC, I said I would/I'm sure I did, clean up any extensions to try and minimise the likelihood of it

#Comment by Reedy (talk | contribs) 16:17, 23 October 2010

Might need to backport r75259 to 1.16

I'll do that when I get home (cba checking out 1.16 here)

Status & tagging log

14:46, 14 December 2010 Catrope (talk | contribs) changed the status of r74098 [removed: new added: ok]
16:17, 23 October 2010 Reedy (talk | contribs) changed the status of r74098 [removed: fixme added: new]
17:30, 16 October 2010 Catrope (talk | contribs) changed the status of r74098 [removed: ok added: fixme]
15:30, 3 October 2010 Catrope (talk | contribs) changed the status of r74098 [removed: new added: ok]