Revert r27151 -- allows session fixation attacks.

Just get a user to visit a URL with the user ID and token you like in the query string (say, in an <img> referenced in a page you convince them to go to or post for their review) and their login session will be replaced with the one you provided.

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 00fec8d..3976ea4 100644 (file)
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -181,7 +181,6 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API
 * (bug 11721) Use a different title for results than for the help page.
 * (bug 11562) Added a user_registration parameter/field to the list=allusers query.
 * (bug 11588) Preserve document structure for empty dataset in backlinks query.
-* Allow staying logged in through lg* parameters instead of cookies
 * Outputting list of all user preferences rather than having to request them by name
 
 === Languages updated in 1.12 ===

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 31be273..851b531 100644 (file)
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -104,6 +104,7 @@ class ApiLogin extends ApiBase {
                                $result['lgusername'] = $_SESSION['wsUserName'];
                                $result['lgtoken'] = $_SESSION['wsToken'];
                                $result['cookieprefix'] = $wgCookiePrefix;
+                               $result['sessionid'] = $_COOKIE["{$wgCookiePrefix}_session"];
                                break;
 
                        case LoginForm :: NO_NAME :

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index ccfa9fa..406d23a 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -88,24 +88,11 @@ class ApiMain extends ApiBase {
        * @param $enableWrite bool should be set to true if the api may modify data
        */
        public function __construct($request, $enableWrite = false) {
-               global $wgRequest, $wgUser; 
 
                $this->mInternalMode = ($request instanceof FauxRequest);
 
                // Special handling for the main module: $parent === $this
                parent :: __construct($this, $this->mInternalMode ? 'main_int' : 'main');
-               
-               // Check if request has cookie-like variables, and set them
-               if( ($request->getVal('lgtoken')) && ($request->getVal('lgusername')) && ($request->getVal('lguserid')) ) {
-                       
-                       // Got variables, set cookies. 
-                       $_SESSION['wsUserID'] = $request->getVal('lguserid');
-                       $_SESSION['wsUserName'] = $request->getVal('lgusername');
-                       $_SESSION['wsToken'] = $request->getVal('lgtoken');
-                       
-                       // Reinitialize $wgUser from session data
-                       $wgUser = User::newFromSession();                       
-               } 
 
                if (!$this->mInternalMode) {