global $wgUser;
if( $wgUser->isAnon() ) {
# Anonymous users may not have a session
- # open. Don't tokenize.
- $this->mTokenOk = true;
+ # open. Check for suffix anyway.
+ $this->mTokenOk = ( EDIT_TOKEN_SUFFIX == $request->getVal( 'wpEditToken' ) );
} else {
$this->mTokenOk = $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
}
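Review bot: The anonymous branch on line 7 compares with loose `==`, although `$request->getVal( 'wpEditToken' )` may return null or a non-string, and a strict comparison states the intent better: `$this->mTokenOk = ( EDIT_TOKEN_SUFFIX === $request->getVal( 'wpEditToken' ) );`. Because EDIT_TOKEN_SUFFIX is a public constant (line 49), this check only detects proxy mangling and gives anonymous edits none of the protection the matchEditToken() branch provides; a comment making that explicit would stop the next maintainer from reading mTokenOk as a security guarantee for anons, e.g. `# Not a CSRF check: the suffix is public. Only rejects submissions mangled by broken proxies.`. Since the suffix is a backslash, it is also worth confirming that the request layer undoes magic_quotes_gpc escaping before getVal() returns, otherwise every anonymous submission would arrive as `\\` and fail the comparison. The enclosing function starts outside the hunk.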
</div>
" );
- if ( $wgUser->isLoggedIn() ) {
- /**
- * To make it harder for someone to slip a user a page
- * which submits an edit form to the wiki without their
- * knowledge, a random token is associated with the login
- * session. If it's not passed back with the submission,
- * we won't save the page, or render user JavaScript and
- * CSS previews.
- */
+ /**
+ * To make it harder for someone to slip a user a page
+ * which submits an edit form to the wiki without their
+ * knowledge, a random token is associated with the login
+ * session. If it's not passed back with the submission,
+ * we won't save the page, or render user JavaScript and
+ * CSS previews.
+ *
+ * For anon editors, who may not have a session, we just
+ * include the constant suffix to prevent editing from
+ * broken text-mangling proxies.
+ */
+ if ( $wgUser->isLoggedIn() )
$token = htmlspecialchars( $wgUser->editToken() );
- $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
- }
+ else
+ $token = EDIT_TOKEN_SUFFIX;
+ $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
+
# If a blank edit summary was previously provided, and the appropriate
# user preference is active, pass a hidden tag here. This will stop the
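Review bot: The anonymous branch on line 39 places EDIT_TOKEN_SUFFIX into the value attribute on line 40 unescaped, while the logged-in branch on line 35 passes its token through htmlspecialchars(); this is exactly the coupling the FIXME on lines 47-48 describes, and escaping at the single write point removes it for this call site. Choosing the token first and escaping once keeps both branches consistent: `$token = $wgUser->isLoggedIn() ? $wgUser->editToken() : EDIT_TOKEN_SUFFIX;` followed by `$wgOut->addHTML( "\n<input type='hidden' value=\"" . htmlspecialchars( $token ) . "\" name=\"wpEditToken\" />\n" );`, which also replaces the brace-less if/else on lines 34-39 that is easy to extend incorrectly. With the current value of the constant the rendered markup is identical, so this is a safe consolidation. The enclosing function starts and ends outside the hunk.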
# Serialized record version
define( 'MW_USER_VERSION', 4 );
+# Some punctuation to prevent editing from broken text-mangling proxies.
+# FIXME: this is embedded unescaped into HTML attributes in various
+# places, so we can't safely include ' or " even though we really should.
+define( 'EDIT_TOKEN_SUFFIX', '\\' );
+
/**
*
* @package MediaWiki
if( is_array( $salt ) ) {
$salt = implode( '|', $salt );
}
- return md5( $token . $salt );
+ return md5( $token . $salt ) . EDIT_TOKEN_SUFFIX;
}
/**
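Review bot: The value returned on line 58 now ends with EDIT_TOKEN_SUFFIX, but nothing in the hunk documents that callers must compare the full string; the function's docblock, which begins outside the hunk, should state it, e.g. `@return string md5 of the session token and salt, followed by EDIT_TOKEN_SUFFIX; matchEditToken() must be given the full value`. It is also worth recording why the suffix is appended here rather than by the form code, so that a future caller needing the bare hash does not strip it ad hoc. The enclosing function starts outside the hunk.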