From: Alexandre Emsenhuber
Date: Tue, 8 Jul 2014 20:45:14 +0000 (+0200)
Subject: Allow to set a salt for the edit token in HTMLForm
X-Git-Tag: 1.31.0-rc.0~15051^2
X-Git-Url: http://git.cyclocoop.org/%22.%24h.%22?a=commitdiff_plain;h=3de2f5a64d384caab1b79e72586b565658cd1774;p=lhc%2Fweb%2Fwiklou.git

Allow to set a salt for the edit token in HTMLForm

And set one in RevertAction.

Change-Id: I9f72c6203e8d9d0770009083263ddca98845f530
---
diff --git a/includes/actions/RevertAction.php b/includes/actions/RevertAction.php
index cdd139e734..92428cf1eb 100644
--- a/includes/actions/RevertAction.php
+++ b/includes/actions/RevertAction.php
@@ -86,6 +86,7 @@ class RevertFileAction extends FormAction {
 $form->setWrapperLegendMsg( 'filerevert-legend' );
 $form->setSubmitTextMsg( 'filerevert-submit' );
 $form->addHiddenField( 'oldimage', $this->getRequest()->getText( 'oldimage' ) );
+ $form->setTokenSalt( array( 'revert', $this->getTitle()->getPrefixedDBkey() ) );
 }
 
 protected function getFormFields() {
diff --git a/includes/htmlform/HTMLForm.php b/includes/htmlform/HTMLForm.php
index b57b69d339..33346948e2 100644
--- a/includes/htmlform/HTMLForm.php
+++ b/includes/htmlform/HTMLForm.php
@@ -171,6 +171,12 @@ class HTMLForm extends ContextSource {
 protected $mWrapperLegend = false;
+ /**
+ * Salt for the edit token.
+ * @var string|array
+ */
+ protected $mTokenSalt = '';
+ /** + * If true, sections that contain both fields and subsections will + * render their subsections before their fields.
@@ -397,7 +403,7 @@ class HTMLForm extends ContextSource {
 // Session tokens for logged-out users have no security value.
 // However, if the user gave one, check it in order to give a nice
 // "session expired" error instead of "permission denied" or such.
- $submit = $this->getUser()->matchEditToken( $editToken );
+ $submit = $this->getUser()->matchEditToken( $editToken, $this->mTokenSalt );
 } else {
 $submit = true;
 }
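Review bot: The salt `array( 'revert', $this->getTitle()->getPrefixedDBkey() )` binds the token to the action and to the file page, but not to the `oldimage` value that the preceding line carries only as a hidden field copied from the request, so a token issued for reverting to one archived version is accepted for a revert to any other version of the same file. If a per-version token is the intent, the archive name would have to be part of the salt too, e.g. `$form->setTokenSalt( array( 'revert', $this->getTitle()->getPrefixedDBkey(), $this->getRequest()->getText( 'oldimage' ) ) );`, which stays consistent between render and submit because the hidden field carries the same request value back. Either way a short comment stating what the salt is meant to bind would help the next reader, e.g. `// Scope the edit token to this action and this file so a token minted for another form or page is rejected here`. The enclosing method starts and ends outside the hunk.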
@@ -728,6 +734,21 @@ class HTMLForm extends ContextSource {
 return $this;
 }
 
+ /**
+ * Set the salt for the edit token.
+ *
+ * Only useful when the method is "post".
+ *
+ * @since 1.24
+ * @param string|array Salt to use
+ * @return HTMLForm $this for chaining calls
+ */
+ public function setTokenSalt( $salt ) {
+ $this->mTokenSalt = $salt;
+
+ return $this;
+ }
+
 /**
 * Display the form (sending to the context's OutputPage object), with an
 * appropriate error message or stack of messages, and any validation errors, etc.
@@ -823,7 +844,7 @@ class HTMLForm extends ContextSource {
 if ( $this->getMethod() == 'post' ) {
 $html .= Html::hidden(
 'wpEditToken',
- $this->getUser()->getEditToken(),
+ $this->getUser()->getEditToken( $this->mTokenSalt ),
 array( 'id' => 'wpEditToken' )
 ) . "\n";
 $html .= Html::hidden( 'title', $this->getTitle()->getPrefixedText() ) . "\n";
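Review bot: The `@param` tag in setTokenSalt's docblock omits the parameter name, so documentation tools cannot tie it to the argument; it should read `* @param string|array $salt Salt to use`. The docblock (and the `@var` on `$mTokenSalt` in the @@ -171 hunk) should also state that the same value is passed to `getEditToken()` when the form is rendered (the @@ -823 hunk) and to `matchEditToken()` when the submission is checked (the @@ -397 hunk), so the salt must be computable identically on both requests and be set before either of those runs; a salt containing a timestamp or a per-request random value would make every submission fail the token check. Nothing validates `$salt`, and `matchEditToken` presumably accepts only a string or an array of strings, so a sentence noting that callers are responsible for that would be reasonable.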