From 81c291f2658836c83eb45fd958f2e54c854b4d23 Mon Sep 17 00:00:00 2001
From: Chad Horohoe
Date: Fri, 19 Aug 2016 13:53:52 -0700
Subject: [PATCH] SECURITY: Require login to preview user CSS pages
Anon users have predictable edit tokens, hence someone could force an anon to execute arbitrary CSS by means of a CSRF.
Bug: T133147
Change-Id: I442b2b46cadb967aaa1f35648eff183fc7eaa475
---
 includes/OutputPage.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index eb3040cd28..8fb3bc2255 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2852,7 +2852,6 @@ class OutputPage extends ContextSource {
 private function isUserJsPreview() {
 return $this->getConfig()->get( 'AllowUserJs' )
- && $this->getUser()->isLoggedIn()
 && $this->getTitle()
 && $this->getTitle()->isJsSubpage()
 && $this->userCanPreview();
@@ -3097,6 +3096,11 @@ class OutputPage extends ContextSource {
 }
 $user = $this->getUser();
+
+ if ( !$this->getUser()->isLoggedIn() ) {
+ // Anons have predictable edit tokens
+ return false;
+ }
 if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
 return false;
 }
-- 
2.20.1
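Review bot: With the `isLoggedIn()` term removed, isUserJsPreview() now depends entirely on userCanPreview() to exclude anonymous users, but nothing at this site says so, and a later reader could reasonably re-add or drop a login check here without knowing where it lives. I would put a comment above the `return` such as `// userCanPreview() rejects anonymous users: their edit tokens are predictable, so the token check alone is not CSRF protection for them.` The CSS counterpart named in the commit subject is not in this diff; presumably it already routes through userCanPreview() and is covered by the same guard, which is worth confirming rather than assuming. The method's closing brace is outside the hunk.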
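Review bot: The new guard calls `$this->getUser()` a second time although the line just above has already stored that object in `$user`; use the local, `if ( !$user->isLoggedIn() ) {`, as the matchEditToken() line below already does. The added comment states only that anon tokens are predictable, not what that means for this function, so I would expand it to `// Anonymous users share a predictable edit token, so matchEditToken() below is no CSRF protection for them; require a session.` so the guard is not later "simplified" away as redundant with the token check. userCanPreview() begins before this hunk, so where `$request` is obtained and which checks precede the token match cannot be seen here.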