From 55035e01e591b7bba373267e3ea5f0c0dad9b949 Mon Sep 17 00:00:00 2001 From: Brian Wolff Date: Mon, 13 Jun 2016 03:07:48 -0400 Subject: [PATCH] SECURITY: Do not allow users to undelete a page they can't edit or create If the page exists, it only checks edit rights, otherwise it checks both edit and create rights. This would only matter on wikis that have a non-default rights configuration where there are users with undelete rights but a restriction level enabled that prevents them from creating/editing pages (or they otherwise aren't allowed to edit/create) It should be noted that the error messages aren't used in the normal UI currently, but they could be in the future, and extensions could potentially be using them (The backend functions return them, but the UI functions in Special:Undelete ignore them) Bug: T108138 Change-Id: I164b80534cf89e0afca264e9de07431484af8508 --- RELEASE-NOTES-1.29 | 2 ++ includes/Title.php | 11 +++++++++++ includes/api/ApiUndelete.php | 5 ++++- languages/i18n/en.json | 4 +++- languages/i18n/qqq.json | 4 +++- 5 files changed, 23 insertions(+), 3 deletions(-) diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29 index b835eb5470..4b7de886a9 100644 --- a/RELEASE-NOTES-1.29 +++ b/RELEASE-NOTES-1.29 @@ -103,6 +103,8 @@ production. in it's fallback chain when trying to work out where to write the cache. * (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter. +* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against + it. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, diff --git a/includes/Title.php b/includes/Title.php index f1cf81f91f..0db4094f7f 100644 --- a/includes/Title.php +++ b/includes/Title.php @@ -2316,6 +2316,17 @@ class Title implements LinkTarget { ) { $errors[] = [ 'delete-toobig', $wgLang->formatNum( $wgDeleteRevisionsLimit ) ]; } + } elseif ( $action === 'undelete' ) { + if ( count( $this->getUserPermissionsErrorsInternal( 'edit', $user, $rigor, true ) ) ) { + // Undeleting implies editing + $errors[] = [ 'undelete-cantedit' ]; + } + if ( !$this->exists() + && count( $this->getUserPermissionsErrorsInternal( 'create', $user, $rigor, true ) ) + ) { + // Undeleting where nothing currently exists implies creating + $errors[] = [ 'undelete-cantcreate' ]; + } } return $errors; } diff --git a/includes/api/ApiUndelete.php b/includes/api/ApiUndelete.php index 952e0087c8..3aa7b608dc 100644 --- a/includes/api/ApiUndelete.php +++ b/includes/api/ApiUndelete.php @@ -33,7 +33,6 @@ class ApiUndelete extends ApiBase { $this->useTransactionalTimeLimit(); $params = $this->extractRequestParams(); - $this->checkUserRightsAny( 'undelete' ); $user = $this->getUser(); if ( $user->isBlocked() ) { @@ -45,6 +44,10 @@ class ApiUndelete extends ApiBase { $this->dieWithError( [ 'apierror-invalidtitle', wfEscapeWikiText( $params['title'] ) ] ); } + if ( !$titleObj->userCan( 'undelete', $user, 'secure' ) ) { + $this->dieWithError( 'permdenied-undelete' ); + } + // Check if user can add tags if ( !is_null( $params['tags'] ) ) { $ableToTag = ChangeTags::canAddTagsAccompanyingChange( $params['tags'], $user ); diff --git a/languages/i18n/en.json b/languages/i18n/en.json index a44ff92ee2..d4196b0162 100644 --- a/languages/i18n/en.json +++ b/languages/i18n/en.json @@ -4291,5 +4291,7 @@ "rawhtml-notallowed": "<html> tags cannot be used outside of normal pages.", "gotointerwiki": "Leaving {{SITENAME}}", "gotointerwiki-invalid": "The specified title was invalid.", - "gotointerwiki-external": "You are about to leave {{SITENAME}} to visit [[$2]] which is a separate website.\n\n[$1 Click here to continue on to $1]." + "gotointerwiki-external": "You are about to leave {{SITENAME}} to visit [[$2]] which is a separate website.\n\n[$1 Click here to continue on to $1].", + "undelete-cantedit": "You cannot undelete this page as you are not allowed to edit this page.", + "undelete-cantcreate": "You cannot undelete this page as there is no existing page with this name and you are not allowed to create this page." } diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json index 5adfecdb16..fc1994b0dd 100644 --- a/languages/i18n/qqq.json +++ b/languages/i18n/qqq.json @@ -4478,5 +4478,7 @@ "rawhtml-notallowed": "Error message given when $wgRawHtml = true; is set and a user uses an <html> tag in a system message or somewhere other than a normal page.", "gotointerwiki": "{{doc-special|GoToInterwiki}}\n\nSpecial:GoToInterwiki is a warning page displayed before redirecting users to external interwiki links. Its triggered by people going to something like [[Special:Search/google:foo]].", "gotointerwiki-invalid": "Message shown on Special:GoToInterwiki if given an invalid title.", - "gotointerwiki-external": "Message shown on Special:GoToInterwiki if given a external interwiki link (e.g. [[Special:GoToInterwiki/Google:Foo]]). $1 is the full url the user is trying to get to. $2 is the text of the interwiki link (e.g. \"Google:foo\")." + "gotointerwiki-external": "Message shown on Special:GoToInterwiki if given a external interwiki link (e.g. [[Special:GoToInterwiki/Google:Foo]]). $1 is the full url the user is trying to get to. $2 is the text of the interwiki link (e.g. \"Google:foo\").", + "undelete-cantedit": "Shown if the user tries to undelete a page that they cannot edit", + "undelete-cantcreate": "Shown if the user tries to undelete a page which currently does not exist, and they are not allowed to create it. This could for example happen on a wiki with custom protection levels where the page name has been create-protected and the user has the right to undelete but not the right to edit protected pages." } -- 2.20.1