Include a backslash character in wpEditToken to prevent editing from broken

proxies that mangle such characters.  Not only is editing from open proxies
generally frowned upon on Wikimedia projects, but more importantly, these
particular proxies tend to break wiki markup in submitted content.  These
really are not edits we want to let through.

Yes, this is a hack.  We may eventually want to explicitly check for this
condition and provide a more informative response, but even so this would
still remain a useful fallback check just in case.

diff --git a/includes/EditPage.php b/includes/EditPage.php
index d3ae6bf..0d6f34b 100644 (file)
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -556,8 +556,8 @@ class EditPage {
                global $wgUser;
                if( $wgUser->isAnon() ) {
                        # Anonymous users may not have a session
-                       # open. Don't tokenize.
-                       $this->mTokenOk = true;
+                       # open. Check for suffix anyway.
+                       $this->mTokenOk = ( EDIT_TOKEN_SUFFIX == $request->getVal( 'wpEditToken' ) );
                } else {
                        $this->mTokenOk = $wgUser->matchEditToken( $request->getVal( 'wpEditToken' ) );
                }
@@ -1247,18 +1247,24 @@ END
 </div>
 " );
 
-               if ( $wgUser->isLoggedIn() ) {
-                       /**
-                        * To make it harder for someone to slip a user a page
-                        * which submits an edit form to the wiki without their
-                        * knowledge, a random token is associated with the login
-                        * session. If it's not passed back with the submission,
-                        * we won't save the page, or render user JavaScript and
-                        * CSS previews.
-                        */
+               /**
+                * To make it harder for someone to slip a user a page
+                * which submits an edit form to the wiki without their
+                * knowledge, a random token is associated with the login
+                * session. If it's not passed back with the submission,
+                * we won't save the page, or render user JavaScript and
+                * CSS previews.
+                *
+                * For anon editors, who may not have a session, we just
+                * include the constant suffix to prevent editing from
+                * broken text-mangling proxies.
+                */
+               if ( $wgUser->isLoggedIn() )
                        $token = htmlspecialchars( $wgUser->editToken() );
-                       $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
-               }
+               else
+                       $token = EDIT_TOKEN_SUFFIX;
+               $wgOut->addHTML( "\n<input type='hidden' value=\"$token\" name=\"wpEditToken\" />\n" );
+
 
                # If a blank edit summary was previously provided, and the appropriate
                # user preference is active, pass a hidden tag here. This will stop the

diff --git a/includes/User.php b/includes/User.php
index 73742f5..92381e7 100644 (file)
--- a/includes/User.php
+++ b/includes/User.php
@@ -11,6 +11,11 @@ define( 'USER_TOKEN_LENGTH', 32 );
 # Serialized record version
 define( 'MW_USER_VERSION', 4 );
 
+# Some punctuation to prevent editing from broken text-mangling proxies.
+# FIXME: this is embedded unescaped into HTML attributes in various
+# places, so we can't safely include ' or " even though we really should.
+define( 'EDIT_TOKEN_SUFFIX', '\\' );
+
 /**
  *
  * @package MediaWiki
@@ -2093,7 +2098,7 @@ class User {
                if( is_array( $salt ) ) {
                        $salt = implode( '|', $salt );
                }
-               return md5( $token . $salt );
+               return md5( $token . $salt ) . EDIT_TOKEN_SUFFIX;
        }
 
        /**