From c2ce6a1b6085cf0cbf0fc2c3542fd36096bf2948 Mon Sep 17 00:00:00 2001
From: Aaron Schulz
Date: Thu, 12 May 2016 12:52:00 -0700
Subject: [PATCH] Require POST for action=purge in PurgeAction
For the index.php end point, POSTs do not need a token. This avoids cross-DC writes in active/active DC setups and avoids DB writes that can be caused by just accidentally following a link. There are no links to action=purge by default in MediaWiki. User scripts that create purge links will continue to work. However these links will now point to a confirmation form. To preserve the immediate-purge-redirect effect, these scripts should be updated to use the API instead.
Bug: T135170
Change-Id: I5749ff470d99c5e3f22e05ff6856394cc05a0f48
---
 includes/DefaultSettings.php | 2 +-
 includes/FeedUtils.php | 1 +
 includes/actions/PurgeAction.php | 15 ++-------------
 3 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 8363b3254b..2ac31bf5ad 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -5051,7 +5051,7 @@ $wgGroupPermissions['user']['upload'] = true;
 $wgGroupPermissions['user']['reupload'] = true;
 $wgGroupPermissions['user']['reupload-shared'] = true;
 $wgGroupPermissions['user']['minoredit'] = true;
-$wgGroupPermissions['user']['purge'] = true; // can use ?action=purge without clicking "ok"
+$wgGroupPermissions['user']['purge'] = true;
 $wgGroupPermissions['user']['sendemail'] = true;
 $wgGroupPermissions['user']['applychangetags'] = true;
 $wgGroupPermissions['user']['changetags'] = true;
diff --git a/includes/FeedUtils.php b/includes/FeedUtils.php
index d7dbd2292e..071a3db98f 100644
--- a/includes/FeedUtils.php
+++ b/includes/FeedUtils.php
@@ -39,6 +39,7 @@ class FeedUtils { global $wgRequest, $wgUser; $purge = $wgRequest->getVal( 'action' ) === 'purge'; + // Allow users with 'purge' right to clear feed caches if ( $purge && $wgUser->isAllowed( 'purge' ) ) { $cache = ObjectCache::getMainWANInstance(); $cache->delete( $timekey, 1 ); diff --git a/includes/actions/PurgeAction.php b/includes/actions/PurgeAction.php index 576533d3b7..b2002ffae9 100644 --- a/includes/actions/PurgeAction.php +++ b/includes/actions/PurgeAction.php @@ -21,10 +21,7 @@ */ /** - * User-requested page cache purging. - * - * For users with 'purge', this will directly trigger the cache purging and - * for users without that right, it will show a confirmation form. + * User-requested page cache purging * * @ingroup Actions */ @@ -48,10 +45,6 @@ class PurgeAction extends FormAction { return $this->page->doPurge(); } - /** - * purge is slightly weird because it can be either formed or formless depending - * on user permissions - */ public function show() { $this->setHeaders(); @@ -65,11 +58,7 @@ class PurgeAction extends FormAction { return; } - if ( $user->isAllowed( 'purge' ) ) { - // This will update the database immediately, even on HTTP GET. - // Lots of uses may exist for this feature, so just ignore warnings. - Profiler::instance()->getTransactionProfiler()->resetExpectations(); - + if ( $this->getRequest()->wasPosted() ) { $this->redirectParams = wfArrayToCgi( array_diff_key( $this->getRequest()->getQueryValues(), [ 'title' => null, 'action' => null ] -- 2.20.1
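Review bot: The comment added in the FeedUtils hunk documents a path that still deletes cache keys on a plain GET: `$purge` is derived from `getVal( 'action' )` alone, so a feed URL carrying `action=purge` keeps issuing `$cache->delete()` calls for any user with the right. That is the side effect the commit message sets out to remove for PurgeAction, and deletes on the main WAN cache are presumably relayed to other datacentres. Either gate this on `$wgRequest->wasPosted()` as well, or extend the comment to say why GET is acceptable here, e.g. `// Deliberately allowed on GET: feed clients cannot POST; limited to users with 'purge'`. The enclosing function starts and ends outside the hunk.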
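Review bot: The new `if ( $this->getRequest()->wasPosted() )` branch in `PurgeAction::show()` accepts any POST as confirmation, and the commit message states that no token is required, so a form on a third-party page can submit to `action=purge` on behalf of whoever is viewing it. The `purge` right is also no longer consulted on this path, so unless the part of `show()` outside this hunk restricts it, every client that passes the earlier checks can purge as often as it likes. A single purge is low-impact, but repeated ones force re-parses and DB writes, so I would add a throttle ahead of this branch, e.g. `if ( $user->pingLimiter( 'purge' ) ) { return; }` together with a matching `$wgRateLimits['purge']` entry. The class comment should also say that POST is accepted without a token by design, since the shortened docblock no longer explains when the form is shown. `show()` begins and ends outside the hunk.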