From c406d0746cedf1e9e34d1d8a50361451f44723db Mon Sep 17 00:00:00 2001
From: georggi <bmp2558@gmail.com>
Date: Mon, 28 Nov 2016 22:22:56 +0200
Subject: [PATCH] Added warning for improper ending of a token

Added warning if token ends with Token::SUFFIX by comparing result of substr to Token::SUFFIX.
Simplified Token class calls.

Bug: T122280
Change-Id: Id405dcc7b5e4d28995edf334aa6e183efdb749de
---
 includes/api/ApiCheckToken.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiCheckToken.php b/includes/api/ApiCheckToken.php
index 3d2159cf50..dd88b5fe3a 100644
--- a/includes/api/ApiCheckToken.php
+++ b/includes/api/ApiCheckToken.php
@@ -22,6 +22,8 @@
  * @file
  */
 
+use MediaWiki\Session\Token;
+
 /**
  * @since 1.25
  * @ingroup API
@@ -39,6 +41,13 @@ class ApiCheckToken extends ApiBase {
 		$tokenObj = ApiQueryTokens::getToken(
 			$this->getUser(), $this->getRequest()->getSession(), $salts[$params['type']]
 		);
+
+		if ( substr( $token, -strlen( urldecode( Token::SUFFIX ) ) ) === urldecode( Token::SUFFIX ) ) {
+			$this->setWarning(
+				"Check that symbols such as \"+\" in the token are properly percent-encoded in the URL."
+			);
+		}
+
 		if ( $tokenObj->match( $token, $maxage ) ) {
 			$res['result'] = 'valid';
 		} elseif ( $maxage !== null && $tokenObj->match( $token ) ) {
@@ -47,7 +56,7 @@ class ApiCheckToken extends ApiBase {
 			$res['result'] = 'invalid';
 		}
 
-		$ts = MediaWiki\Session\Token::getTimestamp( $token );
+		$ts = Token::getTimestamp( $token );
 		if ( $ts !== null ) {
 			$mwts = new MWTimestamp();
 			$mwts->timestamp->setTimestamp( $ts );
-- 
2.20.1