allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis.
* request.
*/
function performAction() {
- global $wgAjaxExportList, $wgOut;
+ global $wgAjaxExportList, $wgOut, $wgUser;
if ( empty( $this->mode ) ) {
return;
'Bad Request',
"unknown function " . (string) $this->func_name
);
+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
+ && !$wgUser->isAllowed( 'read' ) )
+ {
+ wfHttpError(
+ 403,
+ 'Forbidden',
+ 'You must log in to view pages.' );
} else {
wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
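Review bot: The new 403 branch (`elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true ) && !$wgUser->isAllowed( 'read' ) )`) tests only the wiki-wide `read` right, so it covers the private-wiki case but not per-title read restrictions. Whether the functions listed in `$wgAjaxExportList` do their own per-title checks is not visible here and should be confirmed. I would add a comment above the branch such as `# Global 'read' check only; exported functions must enforce per-title restrictions themselves.` The hard-coded text 'You must log in to view pages.' is also sent to a logged-in user who lacks `read`, for whom logging in does not help. The body of performAction() continues outside this hunk.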
|| ( isset( $wgGroupPermissions['autoconfirmed'][$action] ) && $wgGroupPermissions['autoconfirmed'][$action] ) )
) {
$displayReturnto = null;
- $returnto = $this->getTitle();
+
+ # Due to bug 32276, if a user does not have read permissions,
+ # $this->getTitle() will just give Special:Badtitle, which is
+ # not especially useful as a returnto parameter. Use the title
+ # from the request instead, if there was one.
+ $request = $this->getRequest();
+ $returnto = Title::newFromURL( $request->getVal( 'title', '' ) );
if ( $action == 'edit' ) {
$msg = 'whitelistedittext';
$displayReturnto = $returnto;
}
$query = array();
+
if ( $returnto ) {
$query['returnto'] = $returnto->getPrefixedText();
- $request = $this->getRequest();
+
if ( !$request->wasPosted() ) {
$returntoquery = $request->getValues();
unset( $returntoquery['title'] );
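Review bot: Taking `$returnto` only from the `title` request value (`Title::newFromURL( $request->getVal( 'title', '' ) )`) drops the return target whenever the request identifies the page some other way. This path is not limited to read denials, as the `$action == 'edit'` branch right below shows. For a user who can read but lacks another right, `$this->getTitle()` is presumably still the real page, so a fallback such as `if ( !$returnto && $action != 'read' ) { $returnto = $this->getTitle(); }` would keep the previous behaviour without bringing Special:Badtitle back for read-denied users. The enclosing method starts and ends outside the hunk, so the set of actions that reach this code should be confirmed first.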
/* set up the default links for the personal toolbar */
$personal_urls = array();
- $page = $request->getVal( 'returnto', $this->thispage );
- $query = $request->getVal( 'returntoquery', $this->thisquery );
- $a = array( 'returnto' => $page );
- if( $query != '' ) {
- $a['returntoquery'] = $query;
+ # Due to bug 32276, if a user does not have read permissions,
+ # $this->getTitle() will just give Special:Badtitle, which is
+ # not especially useful as a returnto parameter. Use the title
+ # from the request instead, if there was one.
+ $page = Title::newFromURL( $request->getVal( 'title', '' ) );
+ $page = $request->getVal( 'returnto', $page );
+ $a = array();
+ if ( strval( $page ) !== '' ) {
+ $a['returnto'] = $page;
+ $query = $request->getVal( 'returntoquery', $this->thisquery );
+ if( $query != '' ) {
+ $a['returntoquery'] = $query;
+ }
}
$returnto = wfArrayToCGI( $a );
if( $this->loggedin ) {
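Review bot: `$page` ends up as a Title object, null or a request string depending on the path, and both `strval( $page )` and `$a['returnto'] = $page` then depend on Title converting itself to a string. That conversion is not visible here, and the OutputPage change for the same bug calls `getPrefixedText()` explicitly. I would resolve to a string once: `$title = Title::newFromURL( $request->getVal( 'title', '' ) );` followed by `$page = $request->getVal( 'returnto', $title ? $title->getPrefixedText() : '' );`, after which the test can be a plain `$page !== ''`. The enclosing method starts and ends outside the hunk.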
* @return void
*/
private function performRequest() {
- global $wgServer, $wgUsePathInfo;
+ global $wgServer, $wgUsePathInfo, $wgTitle;
wfProfileIn( __METHOD__ );
// We will check again in Article::view().
$permErrors = $title->getUserPermissionsErrors( 'read', $user );
if ( count( $permErrors ) ) {
+ // Bug 32276: allowing the skin to generate output with $wgTitle or
+ // $this->context->title set to the input title would allow anonymous users to
+ // determine whether a page exists, potentially leaking private data. In fact, the
+ // curid and oldid request parameters would allow page titles to be enumerated even
+ // when they are not guessable. So we reset the title to Special:Badtitle before the
+ // permissions error is displayed.
+ //
+ // The skin mostly uses $this->context->getTitle() these days, but some extensions
+ // still use $wgTitle.
+
+ $badTitle = SpecialPage::getTitleFor( 'Badtitle' );
+ $this->context->setTitle( $badTitle );
+ $wgTitle = $badTitle;
+
wfProfileOut( __METHOD__ );
throw new PermissionsError( 'read', $permErrors );
}
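Review bot: The title is reset before the throw, but the `$permErrors` handed to `PermissionsError` on the last lines are still the ones computed from the real `$title`. The response is therefore uniform only if those errors neither name the page nor differ between existing and missing pages, which is not visible here. I would state that in the comment block, e.g. `// $permErrors are still derived from the real title and must not reveal it.` A regression test that fetches an existing and a non-existent page without read rights, by title and by curid/oldid, and compares the two responses would pin the guarantee this block is meant to give. performRequest() starts above the hunk and continues past it.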