r76080 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r76079‎ \| r76080 \| r76081 >
Date:	11:54, 5 November 2010
Author:	catrope
Status:	ok
Tags:
Comment:	Revert r76077, r76079, they were an overreaction to a security bug that wasn't really a security issue at all. The API will currently echo your session cookie back at you, but an attacker can only read that output using same-domain AJAX, and if they can do that they can do worse things (and steal the user's session in easier ways).
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/api/ApiLogin.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/api/ApiLogin.php
—	—	@@ -87,12 +87,14 @@
88	88	$result['lgusername'] = $wgUser->getName();
89	89	$result['lgtoken'] = $wgUser->getToken();
90	90	$result['cookieprefix'] = $wgCookiePrefix;
	91	+ $result['sessionid'] = session_id();
91	92	break;
92	93
93	94	case LoginForm::NEED_TOKEN:
94	95	$result['result'] = 'NeedToken';
95	96	$result['token'] = $loginForm->getLoginToken();
96	97	$result['cookieprefix'] = $wgCookiePrefix;
	98	+ $result['sessionid'] = session_id();
97	99	break;
98	100
99	101	case LoginForm::WRONG_TOKEN:
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -490,8 +490,6 @@
491	491	* (bug 25741) Add more data to list=search's srprop
492	492	* (bug 25760) counter property still reported by the API when
493	493	$wgDisableCounters enabled
494		~~-* (bug 25793) Session IDs no longer output by action=login to protect against~~
495		~~- session hijacking~~
496	494
497	495	=== Languages updated in 1.17 ===
498	496

Revision	Commit summary	Author	Date
r76077	(bug 25793) Don't output the session ID over HTTP, allows session hijacking b...	catrope	11:42, 5 November 2010
r76079	RELEASE-NOTES for r76077	catrope	11:48, 5 November 2010

11:35, 13 November 2010 Hashar (talk | contribs) changed the status of r76080 [removed: new added: ok]