* Make $wgUser->editToken() work for either logged-in or logged-out users.
authorTim Starling <tstarling@users.mediawiki.org>
Sat, 23 Jun 2007 10:15:10 +0000 (10:15 +0000)
committerTim Starling <tstarling@users.mediawiki.org>
Sat, 23 Jun 2007 10:15:10 +0000 (10:15 +0000)
* Fix escaping of edit tokens, removed FIXME note.
* Added + to EDIT_TOKEN_SUFFIX on report of broken proxy from mutante
* Two random minor changes

includes/Article.php
includes/EditPage.php
includes/SpecialBlockip.php
includes/SpecialEmailuser.php
includes/SpecialPreferences.php
includes/User.php

index 5a54159..7925189 100644 (file)
@@ -878,8 +878,8 @@ class Article {
                        $rmvtxt = "";
                        if ($wgUser->isAllowed( 'trackback' )) {
                                $delurl = $this->mTitle->getFullURL("action=deletetrackback&tbid="
-                                               . $o->tb_id . "&token=" . $wgUser->editToken());
-                               $rmvtxt = wfMsg('trackbackremove', $delurl);
+                                               . $o->tb_id . "&token=" . urlencode( $wgUser->editToken() ) );
+                               $rmvtxt = wfMsg( 'trackbackremove', htmlspecialchars( $delurl ) );
                        }
                        $tbtext .= wfMsg(strlen($o->tb_ex) ? 'trackbackexcerpt' : 'trackback',
                                        $o->tb_title,
index 3a8038a..e09114d 100644 (file)
@@ -576,13 +576,7 @@ class EditPage {
         */
        function tokenOk( &$request ) {
                global $wgUser;
-               if( $wgUser->isAnon() ) {
-                       # Anonymous users may not have a session
-                       # open. Check for suffix anyway.
-                       $this->mTokenOk = ( EDIT_TOKEN_SUFFIX == $request->getVal( 'wpEditToken' ) );
-               } else {
-                       $this->mTokenOk = $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
-               }
+               $this->mTokenOk = $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
                return $this->mTokenOk;
        }
 
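Review bot: With the anonymous branch deleted, tokenOk() now depends entirely on what User::editToken() returns for anonymous users, which in this same commit is the bare constant EDIT_TOKEN_SUFFIX; for an anonymous editor the check therefore still only detects proxy mangling and does not tie the submission to a session. That was already the behaviour of the removed branch, but it used to be visible here and is now only implied, so the method's docblock (which ends at the top of the hunk) should state it, e.g. `Note: for anonymous users the token is a public constant, so this check is not a CSRF defence for them.` Also `$request->getVal( 'wpEditToken' )` yields null when the field is absent, so matchEditToken() must cope with null rather than a string — presumably it does, but worth confirming since the old anon path compared with `==`.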
@@ -1244,10 +1238,7 @@ END
                 * include the constant suffix to prevent editing from
                 * broken text-mangling proxies.
                 */
-               if ( $wgUser->isLoggedIn() )
-                       $token = htmlspecialchars( $wgUser->editToken() );
-               else
-                       $token = EDIT_TOKEN_SUFFIX;
+               $token = htmlspecialchars( $wgUser->editToken() );
                $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
 
 
index 0222094..f819929 100644 (file)
@@ -144,7 +144,7 @@ class IPBlockForm {
                        $blockReasonList .= $optgroup;
                }
 
-               $token = htmlspecialchars( $wgUser->editToken() );
+               $token = $wgUser->editToken();
 
                global $wgStylePath, $wgStyleVersion;
                $wgOut->addHTML( "
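Review bot: This hunk removes the htmlspecialchars() that the EditPage, SpecialEmailuser and SpecialPreferences hunks of the same commit add, so unless the template that follows (the `addHTML` call continues outside the hunk) escapes `$token` at the point of use, the raw token is interpolated into an attribute unescaped. That is only safe because the token is hex digits plus EDIT_TOKEN_SUFFIX, and the FIXME recording that constraint is deleted from User.php in this commit. If the later use is indeed unescaped, keeping `$token = htmlspecialchars( $wgUser->editToken() );` costs nothing and removes the coupling; if it is escaped downstream, a one-line comment saying so would explain why this caller differs from the others.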
index ca14bd6..688892d 100644 (file)
@@ -115,7 +115,7 @@ class EmailUserForm {
                $titleObj = SpecialPage::getTitleFor( "Emailuser" );
                $action = $titleObj->escapeLocalURL( "target=" .
                        urlencode( $this->target->getName() ) . "&action=submit" );
-               $token = $wgUser->editToken();
+               $token = htmlspecialchars( $wgUser->editToken() );
 
                $wgOut->addHTML( "
 <form id=\"emailuser\" method=\"post\" action=\"{$action}\">
index bcfe982..49c562d 100644 (file)
@@ -994,7 +994,7 @@ class PreferencesForm {
                }
                $wgOut->addHTML( '</fieldset>' );
 
-               $token = $wgUser->editToken();
+               $token = htmlspecialchars( $wgUser->editToken() );
                $skin = $wgUser->getSkin();
                $wgOut->addHTML( "
        <div id='prefsubmit'>
@@ -1005,7 +1005,7 @@ class PreferencesForm {
 
        </div>
 
-       <input type='hidden' name='wpEditToken' value='{$token}' />
+       <input type='hidden' name='wpEditToken' value=\"{$token}\" />
        </div></form>\n" );
 
                $wgOut->addHtml( Xml::tags( 'div', array( 'class' => "prefcache" ),
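Review bot: The htmlspecialchars() added in the earlier hunk of this file is only effective together with this hunk's switch from single to double quotes around the attribute value, because htmlspecialchars() with its default flags does not convert `'`; the two hunks must not be separated, and the dependency is worth a comment at the assignment, e.g. `// the value attribute below must use double quotes: htmlspecialchars() leaves ' alone by default`. Passing `ENT_QUOTES` would make the escaping independent of the attribute quoting: `$token = htmlspecialchars( $wgUser->editToken(), ENT_QUOTES );`. The enclosing method starts and ends outside both hunks.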
index 9b62e2d..1b7b113 100644 (file)
@@ -11,9 +11,7 @@ define( 'USER_TOKEN_LENGTH', 32 );
 define( 'MW_USER_VERSION', 5 );
 
 # Some punctuation to prevent editing from broken text-mangling proxies.
-# FIXME: this is embedded unescaped into HTML attributes in various
-# places, so we can't safely include ' or " even though we really should.
-define( 'EDIT_TOKEN_SUFFIX', '\\' );
+define( 'EDIT_TOKEN_SUFFIX', '+\\' );
 
 /**
  * Thrown by User::setPassword() on error
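Review bot: The removed FIXME was the only place documenting that EDIT_TOKEN_SUFFIX must not contain quote or other HTML-special characters, and that constraint still holds after this commit because at least one caller (SpecialBlockip in this same change) embeds the token in HTML without htmlspecialchars(). Suggest keeping a trimmed version next to the define, e.g. `# Keep free of HTML-special characters: some callers embed the token in attributes unescaped.` The new `+` also means the token must be urlencode()d wherever it goes into a query string, as the Article hunk does, since a bare `+` decodes to a space; a second comment line stating that would save the next caller from that mistake.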
@@ -2273,16 +2271,20 @@ class User {
         * @public
         */
        function editToken( $salt = '' ) {
-               if( !isset( $_SESSION['wsEditToken'] ) ) {
-                       $token = $this->generateToken();
-                       $_SESSION['wsEditToken'] = $token;
+               if ( $this->isAnon() ) {
+                       return EDIT_TOKEN_SUFFIX;
                } else {
-                       $token = $_SESSION['wsEditToken'];
-               }
-               if( is_array( $salt ) ) {
-                       $salt = implode( '|', $salt );
+                       if( !isset( $_SESSION['wsEditToken'] ) ) {
+                               $token = $this->generateToken();
+                               $_SESSION['wsEditToken'] = $token;
+                       } else {
+                               $token = $_SESSION['wsEditToken'];
+                       }
+                       if( is_array( $salt ) ) {
+                               $salt = implode( '|', $salt );
+                       }
+                       return md5( $token . $salt ) . EDIT_TOKEN_SUFFIX;
                }
-               return md5( $token . $salt ) . EDIT_TOKEN_SUFFIX;
        }
 
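Review bot: editToken() now returns the bare EDIT_TOKEN_SUFFIX for anonymous users and silently ignores `$salt` on that path, so for an anonymous session matchEditToken() succeeds on a public constant; any action that relies on the edit token alone to authorise a state change for anonymous users gets proxy-mangling detection but no request-to-session binding. The docblock (its start is outside the hunk) should say so, e.g. `For anonymous users the result is the constant EDIT_TOKEN_SUFFIX, the salt is ignored, and the value provides no session binding.` Stylistically the `else` after the early `return` only adds an indentation level; the session lookup and the md5 could follow the guard at the original depth. The method's closing brace is inside the hunk, but its signature's docblock begins before it.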
        /**