From: georggi Date: Mon, 28 Nov 2016 20:22:56 +0000 (+0200) Subject: Added warning for improper ending of a token X-Git-Tag: 1.31.0-rc.0~4726^2 X-Git-Url: http://git.cyclocoop.org/%24image?a=commitdiff_plain;h=c406d0746cedf1e9e34d1d8a50361451f44723db;p=lhc%2Fweb%2Fwiklou.git Added warning for improper ending of a token Added warning if token ends with Token::SUFFIX by comparing result of substr to Token::SUFFIX. Simplified Token class calls. Bug: T122280 Change-Id: Id405dcc7b5e4d28995edf334aa6e183efdb749de --- diff --git a/includes/api/ApiCheckToken.php b/includes/api/ApiCheckToken.php index 3d2159cf50..dd88b5fe3a 100644 --- a/includes/api/ApiCheckToken.php +++ b/includes/api/ApiCheckToken.php @@ -22,6 +22,8 @@ * @file */ +use MediaWiki\Session\Token; + /** * @since 1.25 * @ingroup API @@ -39,6 +41,13 @@ class ApiCheckToken extends ApiBase { $tokenObj = ApiQueryTokens::getToken( $this->getUser(), $this->getRequest()->getSession(), $salts[$params['type']] ); + + if ( substr( $token, -strlen( urldecode( Token::SUFFIX ) ) ) === urldecode( Token::SUFFIX ) ) { + $this->setWarning( + "Check that symbols such as \"+\" in the token are properly percent-encoded in the URL." + ); + } + if ( $tokenObj->match( $token, $maxage ) ) { $res['result'] = 'valid'; } elseif ( $maxage !== null && $tokenObj->match( $token ) ) { @@ -47,7 +56,7 @@ class ApiCheckToken extends ApiBase { $res['result'] = 'invalid'; } - $ts = MediaWiki\Session\Token::getTimestamp( $token ); + $ts = Token::getTimestamp( $token ); if ( $ts !== null ) { $mwts = new MWTimestamp(); $mwts->timestamp->setTimestamp( $ts );