From: Ilmari Karonen Date: Sat, 2 Dec 2006 06:19:48 +0000 (+0000) Subject: Include a backslash character in wpEditToken to prevent editing from broken X-Git-Tag: 1.31.0-rc.0~55016 X-Git-Url: http://git.cyclocoop.org/%24image?a=commitdiff_plain;h=31b171ec2a93dd142beb8860c6fa3f31ff09cd8e;p=lhc%2Fweb%2Fwiklou.git Include a backslash character in wpEditToken to prevent editing from broken proxies that mangle such characters. Not only is editing from open proxies generally frowned upon on Wikimedia projects, but more importantly, these particular proxies tend to break wiki markup in submitted content. These really are not edits we want to let through. Yes, this is a hack. We may eventually want to explicitly check for this condition and provide a more informative response, but even so this would still remain a useful fallback check just in case.
---
diff --git a/includes/EditPage.php b/includes/EditPage.php
index d3ae6bf7bb..0d6f34b5b8 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -556,8 +556,8 @@ class EditPage {
 global $wgUser;
 if( $wgUser->isAnon() ) {
 # Anonymous users may not have a session
- # open. Don't tokenize.
- $this->mTokenOk = true;
+ # open. Check for suffix anyway.
+ $this->mTokenOk = ( EDIT_TOKEN_SUFFIX == $request->getVal( 'wpEditToken' ) );
 } else {
 $this->mTokenOk = $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
 }
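Review bot: The anonymous branch compares the submitted token with loose `==`, while the logged-in branch delegates to `matchEditToken`; a strict comparison is the safer default for a token value and costs nothing here: `$this->mTokenOk = ( EDIT_TOKEN_SUFFIX === $request->getVal( 'wpEditToken' ) );`. The replaced comment `# open. Check for suffix anyway.` should also say what this check is and is not, since a reader could mistake a constant for a CSRF token, e.g. `# open. The constant suffix only detects text-mangling proxies; it is no CSRF protection.` Presumably an anonymous submission that fails this check now takes the same failure path as a session or token mismatch, which is misleading for the proxy case the commit message describes; a distinct message would help. The enclosing method starts before this hunk.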
@@ -1247,18 +1247,24 @@ END " ); - if ( $wgUser->isLoggedIn() ) { - /** - * To make it harder for someone to slip a user a page - * which submits an edit form to the wiki without their - * knowledge, a random token is associated with the login - * session. If it's not passed back with the submission, - * we won't save the page, or render user JavaScript and - * CSS previews. - */ + /** + * To make it harder for someone to slip a user a page + * which submits an edit form to the wiki without their + * knowledge, a random token is associated with the login + * session. If it's not passed back with the submission, + * we won't save the page, or render user JavaScript and + * CSS previews. + * + * For anon editors, who may not have a session, we just + * include the constant suffix to prevent editing from + * broken text-mangling proxies. + */ + if ( $wgUser->isLoggedIn() ) $token = htmlspecialchars( $wgUser->editToken() ); - $wgOut->addHTML( "\n\n" ); - } + else + $token = EDIT_TOKEN_SUFFIX; + $wgOut->addHTML( "\n\n" ); + # If a blank edit summary was previously provided, and the appropriate # user preference is active, pass a hidden tag here. This will stop the
diff --git a/includes/User.php b/includes/User.php
index 73742f510b..92381e767e 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -11,6 +11,11 @@ define( 'USER_TOKEN_LENGTH', 32 );
 # Serialized record version
 define( 'MW_USER_VERSION', 4 );
+# Some punctuation to prevent editing from broken text-mangling proxies.
+# FIXME: this is embedded unescaped into HTML attributes in various
+# places, so we can't safely include ' or " even though we really should.
+define( 'EDIT_TOKEN_SUFFIX', '\\' );
+
 /**
 *
 * @package MediaWiki
@@ -2093,7 +2098,7 @@ class User {
 if( is_array( $salt ) ) {
 $salt = implode( '|', $salt );
 }
- return md5( $token . $salt );
+ return md5( $token . $salt ) . EDIT_TOKEN_SUFFIX;
 }
 /**
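Review bot: The two assignments to `$token` escape inconsistently: the logged-in branch passes `$wgUser->editToken()` through `htmlspecialchars()` while the anonymous branch inserts `EDIT_TOKEN_SUFFIX` raw, which is exactly what the FIXME on the constant in the User.php hunk is about. Escaping both removes the restriction on which characters the constant may contain, since `htmlspecialchars()` leaves a backslash unchanged: `$token = htmlspecialchars( $wgUser->isLoggedIn() ? $wgUser->editToken() : EDIT_TOKEN_SUFFIX );`. The brace-less `if`/`else` separated from its body by a long comment is easy to misread; either braces or the single expression above. The argument to `addHTML()` is not legible in this rendering, so I cannot confirm how `$token` is placed in the attribute. The added comment should also state plainly that anonymous submissions carry no CSRF protection, only the proxy check.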
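Review bot: The comment on `EDIT_TOKEN_SUFFIX` explains the why but not its contract: the value is appended to every token returned by the `User` method patched later in this commit (presumably `editToken()`, whose signature is outside that hunk) and is, on its own, the full value an anonymous editor's `wpEditToken` must equal in EditPage.php, so changing the constant changes the token format and invalidates forms already rendered. I would add a line such as `# Appended to every edit token and checked alone for anonymous edits; changing it invalidates in-flight edit forms.` The FIXME about unescaped use is better resolved at the one output site in EditPage.php than carried as a restriction on the constant's value.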
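Review bot: The method whose return value now carries the suffix starts outside the hunk, and its docblock (also outside) should say that the returned token is the 32-character hex `md5()` digest followed by `EDIT_TOKEN_SUFFIX`, since anything that stores, truncates or validates tokens by length would otherwise be surprised by the 33-character value. Whatever compares tokens (`matchEditToken()`, not in this diff) should compare the whole string strictly with `===` rather than `==`; as a side effect the non-numeric suffix at least keeps PHP's numeric-string coercion from treating two hex digests as equal under a loose comparison, but that should not be relied on.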