From 46619295ebc441e9b814ce15a3ffc26d510276c4 Mon Sep 17 00:00:00 2001
From: Brion Vibber <brion@users.mediawiki.org>
Date: Mon, 3 Mar 2008 05:45:37 +0000
Subject: [PATCH] Safety fixes for API: * drop user credentials for JSON
 callback output * anticipating future changes, don't report anon edit tokens
 in JSON callback output

---
 includes/api/ApiFormatJson.php | 2 +-
 includes/api/ApiMain.php       | 8 ++++++++
 includes/api/ApiQueryBase.php  | 4 ++++
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index eae68fb389..22ca6588f2 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -74,7 +74,7 @@ class ApiFormatJson extends ApiFormatBase {
 
 	public function getParamDescription() {
 		return array (
-			'callback' => 'If specified, wraps the output into a given function call',
+			'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
 		);
 	}
 
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index f267c7e1eb..0711a245a4 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -118,6 +118,14 @@ class ApiMain extends ApiBase {
 			// If the current user cannot read, 
 			// Remove all modules other than login
 			global $wgUser;
+			
+			if( $request->getVal( 'callback' ) !== null ) {
+				// JSON callback allows cross-site reads.
+				// For safety, strip user credentials.
+				wfDebug( "API: stripping user credentials for JSON callback\n" );
+				$wgUser = new User();
+			}
+			
 			if (!$wgUser->isAllowed('read')) {
 				self::$Modules = array(
 					'login'  => self::$Modules['login'],
diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php
index f964ea98d7..98a6ef39df 100644
--- a/includes/api/ApiQueryBase.php
+++ b/includes/api/ApiQueryBase.php
@@ -216,6 +216,10 @@ abstract class ApiQueryBase extends ApiBase {
 	}
 
 	public function getTokenFlag($tokenArr, $action) {
+		if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+			// Don't do any session-specific data.
+			return false;
+		}
 		if (in_array($action, $tokenArr)) {
 			global $wgUser;
 			if ($wgUser->isAllowed($action))
-- 
2.20.1