From: Brion Vibber
Date: Tue, 22 Sep 2009 23:44:32 +0000 (+0000)
Subject: Workaround for bugs with Commonist (mwapi-based) and other upload bots.
X-Git-Tag: 1.31.0-rc.0~39572
X-Git-Url: http://git.cyclocoop.org/%24self?a=commitdiff_plain;h=d2ac90018f2e0dc66990b10945a08e6848fb1e19;p=lhc%2Fweb%2Fwiklou.git

Workaround for bugs with Commonist (mwapi-based) and other upload bots. The upload form recently started checking for wpEditToken, but this is only actually needed when we do uploads by URL -- file uploads can't be injected by a CSRF script. Now skipping the token check if the token was empty and we're doing a regular file upload. Confirmed that Commonist current JNLP release can upload to Wikimedia Commons with this patch.
---
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 4dc3439743..d1b7b2f8f7 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -59,9 +59,6 @@ class UploadForm extends SpecialPage {
 			# filename and description
 			return;
 		}
 
-		//if it was posted check for the token (no remote POST'ing with user credentials)
-		$token = $request->getVal( 'wpEditToken' );
-		$this->mTokenOk = $wgUser->matchEditToken( $token );
 		# Placeholders for text injection by hooks (empty per default)
 		$this->uploadFormTextTop = "";
@@ -73,13 +70,24 @@ class UploadForm extends SpecialPage {
 		$this->mCopyrightStatus = $request->getText( 'wpUploadCopyStatus' );
 		$this->mCopyrightSource = $request->getText( 'wpUploadSource' );
 		$this->mWatchthis = $request->getBool( 'wpWatchthis' );
-		$this->mSourceType = $request->getText( 'wpSourceType' );
+		$this->mSourceType = $request->getVal( 'wpSourceType', 'file' );
 		$this->mDestWarningAck = $request->getText( 'wpDestFileWarningAck' );
 		$this->mReUpload = $request->getCheck( 'wpReUpload' ); // retrying upload
 		$this->mAction = $request->getVal( 'action' );
 		$this->mUpload = UploadBase::createFromRequest( $request );
+
+		// If it was posted check for the token (no remote POST'ing with user credentials)
+		$token = $request->getVal( 'wpEditToken' );
+		if( $this->mSourceType == 'file' && $token == null ) {
+			// Skip token check for file uploads as that can't be faked via JS...
+			// Some client-side tools don't expect to need to send wpEditToken
+			// with their submissions, as that's new in 1.16.
+			$this->mTokenOk = true;
+		} else {
+			$this->mTokenOk = $wgUser->matchEditToken( $token );
+		}
 	}
 
 	public function userCanExecute( $user ) {
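Review bot: The CSRF exemption on the `if( $this->mSourceType == 'file' && $token == null )` line is keyed on the client-supplied `wpSourceType` field rather than on the kind of upload object that `UploadBase::createFromRequest( $request )` produced two lines earlier, so the "a cross-site form cannot attach a file" argument only holds if createFromRequest is guaranteed to honour that same field for every request shape; it would be more robust to derive the condition from `$this->mUpload` (or to assert the two agree) and to say so in the comment. The comparisons are also loose: `$token == null` is true for an explicitly empty `wpEditToken=` as well as a missing one, which the commit message says is intended, but that should be spelled out, e.g. `if ( $this->mSourceType === 'file' && ( $token === null || $token === '' ) ) {`. A one-line comment recording why the stash/re-upload paths still require the token, such as `// Only plain multipart file uploads are exempt; URL and stash sources keep the token check`, would help the next reader. The enclosing loadRequest method begins before this hunk.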