r76077 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r76076‎ \| r76077 \| r76078 >
Date:	11:42, 5 November 2010
Author:	catrope
Status:	reverted
Tags:
Comment:	(bug 25793) Don't output the session ID over HTTP, allows session hijacking because logins that failed because no token was specified would output the session ID
Modified paths:	/trunk/phase3/includes/api/ApiLogin.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiLogin.php
—	—	@@ -87,14 +87,12 @@
88	88	$result['lgusername'] = $wgUser->getName();
89	89	$result['lgtoken'] = $wgUser->getToken();
90	90	$result['cookieprefix'] = $wgCookiePrefix;
91		~~- $result['sessionid'] = session_id();~~
92	91	break;
93	92
94	93	case LoginForm::NEED_TOKEN:
95	94	$result['result'] = 'NeedToken';
96	95	$result['token'] = $loginForm->getLoginToken();
97	96	$result['cookieprefix'] = $wgCookiePrefix;
98		~~- $result['sessionid'] = session_id();~~
99	97	break;
100	98
101	99	case LoginForm::WRONG_TOKEN:

Follow-up revisions

Revision	Commit summary	Author	Date
r76078	1.16wmf4: MFT r76077	catrope	11:47, 5 November 2010
r76079	RELEASE-NOTES for r76077	catrope	11:48, 5 November 2010
r76080	Revert r76077, r76079, they were an overreaction to a security bug that wasn'...	catrope	11:54, 5 November 2010
r76081	1.16wmf4: Revert r76078: was a merge of r76077 which was reverted	catrope	11:59, 5 November 2010

Status & tagging log

12:00, 5 November 2010 Catrope (talk | contribs) changed the status of r76077 [removed: new added: reverted]