From 17b36599950e57cf852fba672435f7686237bb30 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Tue, 27 Oct 2015 02:31:00 -0600
Subject: [PATCH] SECURITY: Add data attribute to patrol links so it can't be spoofed by user

Javascript used to look just for the patrollinks class, which could be set by the user in order to patrol an arbitrary page.
Bug: T103239
Change-Id: I13fcc3ce479c0a4a90a6217c2e5244f051eaf862
Signed-off-by: Chad Horohoe
---
 includes/diff/DifferenceEngine.php | 2 +-
 includes/page/Article.php | 2 +-
 resources/src/mediawiki/page/patrol.ajax.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/includes/diff/DifferenceEngine.php b/includes/diff/DifferenceEngine.php
index e2345ca2ba..caef7f162d 100644
--- a/includes/diff/DifferenceEngine.php
+++ b/includes/diff/DifferenceEngine.php
@@ -474,7 +474,7 @@ class DifferenceEngine extends ContextSource {
 if ( !$linkInfo ) {
 $this->mMarkPatrolledLink = '';
 } else {
- $this->mMarkPatrolledLink = ' [' . Linker::linkKnown(
+ $this->mMarkPatrolledLink = ' [' . Linker::linkKnown(
 $this->mNewPage,
 $this->msg( 'markaspatrolleddiff' )->escaped(),
 [],
diff --git a/includes/page/Article.php b/includes/page/Article.php
index 4c9eaedce4..eccf36fefb 100644
--- a/includes/page/Article.php
+++ b/includes/page/Article.php
@@ -1216,7 +1216,7 @@ class Article implements Page {
 );
 $outputPage->addHTML(
- "
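Review bot: The DifferenceEngine.php hunk does not record why the patrol link carries its marker at the `$this->mMarkPatrolledLink = ...` assignment, so a later markup cleanup could drop the attribute and silently reopen T103239. I would add a comment above the assignment such as `// Marker for software-generated patrol links: patrol.ajax.js must bind only to elements carrying this data attribute, because the class alone can be set from wikitext (T103239).` The removed and added lines read identically in this rendering, so the attribute itself has presumably been stripped from the page, and its exact name should be checked against the original patch. The fix also holds only if user-supplied markup cannot carry that same attribute. None of the three files in the diffstat touches input sanitising, so that assumption is worth confirming and pinning with a test. The enclosing method starts and ends outside the hunk.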