From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 27 Oct 2015 08:31:00 +0000 (-0600)
Subject: SECURITY: Add data attribute to patrol links so it can't be spoofed by user
X-Git-Tag: 1.31.0-rc.0~6889
X-Git-Url: http://git.cyclocoop.org/%22%20.%20generer_url_ecrire%28%22auteur_infos%22%2C%20%22id_auteur=%24id%22%29%20.%20%22?a=commitdiff_plain;h=17b36599950e57cf852fba672435f7686237bb30;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Add data attribute to patrol links so it can't be spoofed by user

Javascript used to look just for the patrollinks class, which
could be set by the user in order to patrol an arbitrary page.

Bug: T103239
Change-Id: I13fcc3ce479c0a4a90a6217c2e5244f051eaf862

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>
---

diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php
index e2345ca2ba..caef7f162d 100644
--- a/includes/diff/DifferenceEngine.php
+++ b/includes/diff/DifferenceEngine.php
@@ -474,7 +474,7 @@ class DifferenceEngine extends ContextSource {
 			if ( !$linkInfo ) {
 				$this->mMarkPatrolledLink = '';
 			} else {
-				$this->mMarkPatrolledLink = ' <span class="patrollink">[' . Linker::linkKnown(
+				$this->mMarkPatrolledLink = ' <span class="patrollink" data-mw="interface">[' . Linker::linkKnown(
 					$this->mNewPage,
 					$this->msg( 'markaspatrolleddiff' )->escaped(),
 					[],
diff --git a/includes/page/Article.php b/includes/page/Article.php
index 4c9eaedce4..eccf36fefb 100644
--- a/includes/page/Article.php
+++ b/includes/page/Article.php
@@ -1216,7 +1216,7 @@ class Article implements Page {
 		);
 
 		$outputPage->addHTML(
-			"<div class='patrollink'>" .
+			"<div class='patrollink' data-mw='interface'>" .
 				wfMessage( 'markaspatrolledlink' )->rawParams( $link )->escaped() .
 			'</div>'
 		);
diff --git a/resources/src/mediawiki/page/patrol.ajax.js b/resources/src/mediawiki/page/patrol.ajax.js
index ec68b3c935..e78bd4e1be 100644
--- a/resources/src/mediawiki/page/patrol.ajax.js
+++ b/resources/src/mediawiki/page/patrol.ajax.js
@@ -12,7 +12,7 @@
 		return;
 	}
 	$( function () {
-		var $patrolLinks = $( '.patrollink a' );
+		var $patrolLinks = $( '.patrollink[data-mw="interface"] a' );
 		$patrolLinks.on( 'click', function ( e ) {
 			var $spinner, rcid, apiRequest;