From 08381893919dab0f330dd2b3cc12759a1a99e0d1 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Mon, 31 Oct 2016 13:41:17 -0400
Subject: [PATCH] API: Error if sensitive AuthManager parameters are in the query string
There was only 1 hit in the feature usage log in the past 30 days for this code path, so this should be good to go.
ApiLogin, on the other hand, received 27048 hits over the same time period. So let's not do that one just yet.
Change-Id: I1ae3b928fda9ddc94c8182155637920713dd404d
---
 RELEASE-NOTES-1.29 | 4 ++++
 includes/api/ApiAuthManagerHelper.php | 8 +-------
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29
index 6c5380942b..5a38cf91a2 100644
--- a/RELEASE-NOTES-1.29
+++ b/RELEASE-NOTES-1.29
@@ -20,6 +20,10 @@ production.
 === Bug fixes in 1.29 ===
 === Action API changes in 1.29 ===
+* Submitting sensitive authentication request parameters to action=clientlogin,
+  action=createaccount, action=linkaccount, and action=changeauthenticationdata
+  in the query string is now an error. They should be submitted in the POST
+  body instead.
 === Action API internal changes in 1.29 ===
diff --git a/includes/api/ApiAuthManagerHelper.php b/includes/api/ApiAuthManagerHelper.php
index 1a42ccce9e..6fafebff3b 100644
--- a/includes/api/ApiAuthManagerHelper.php
+++ b/includes/api/ApiAuthManagerHelper.php
@@ -173,13 +173,7 @@ class ApiAuthManagerHelper {
 $this->module->getMain()->markParamsUsed( array_keys( $data ) );
 if ( $sensitive ) {
- try {
- $this->module->requirePostedParameters( array_keys( $sensitive ), 'noprefix' );
- } catch ( UsageException $ex ) {
- // Make this a warning for now, upgrade to an error in 1.29.
- $this->module->setWarning( $ex->getMessage() );
- $this->module->logFeatureUsage( $this->module->getModuleName() . '-params-in-query-string' );
- }
+ $this->module->requirePostedParameters( array_keys( $sensitive ), 'noprefix' );
 }
 return AuthenticationRequest::loadRequestsFromSubmission( $reqs, $data );
-- 
2.20.1
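Review bot: The now-unconditional `requirePostedParameters` call inside `if ( $sensitive )` carries no comment explaining why sensitive fields are refused from the query string, and with the try/catch, its explanatory comment and the `logFeatureUsage` hook all removed, a reader of this file no longer sees the rationale. A one-line comment above the call would preserve it: `// Sensitive fields must arrive in the POST body: query strings are recorded in web-server and proxy logs, browser history and Referer headers.` It would also help to state that the check now aborts the request through whatever exception `requirePostedParameters` raises (presumably the `UsageException` the removed catch handled) instead of degrading to a warning, so the behaviour change documented in RELEASE-NOTES-1.29 is visible at the code site. The enclosing method starts and ends outside the hunk.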