From: Brion Vibber
Date: Thu, 15 Nov 2007 04:24:49 +0000 (+0000)
Subject: Revert r27151 -- allows session fixation attacks.
X-Git-Tag: 1.31.0-rc.0~50866
X-Git-Url: http://git.cyclocoop.org/%28?a=commitdiff_plain;h=3ca6cf78901faac586c97f4f8d13f63524aaf2da;p=lhc%2Fweb%2Fwiklou.git

Revert r27151 -- allows session fixation attacks.

Just get a user to visit a URL with the user ID and token you like in the query string (say, in an referenced in a page you convince them to go to or post for their review) and their login session will be replaced with the one you provided.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 00fec8dad3..3976ea4d85 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -181,7 +181,6 @@ Full API documentation is available at http://www.mediawiki.org/wiki/API
 * (bug 11721) Use a different title for results than for the help page.
 * (bug 11562) Added a user_registration parameter/field to the list=allusers query.
 * (bug 11588) Preserve document structure for empty dataset in backlinks query.
-* Allow staying logged in through lg* parameters instead of cookies
 * Outputting list of all user preferences rather than having to request them by name
 
 === Languages updated in 1.12 ===
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 31be273397..851b531441 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -104,6 +104,7 @@ class ApiLogin extends ApiBase {
 $result['lgusername'] = $_SESSION['wsUserName'];
 $result['lgtoken'] = $_SESSION['wsToken'];
 $result['cookieprefix'] = $wgCookiePrefix;
+ $result['sessionid'] = $_COOKIE["{$wgCookiePrefix}_session"];
 break;
 
 case LoginForm :: NO_NAME :
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index ccfa9fa222..406d23a018 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
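Review bot: The restored line `$result['sessionid'] = $_COOKIE["{$wgCookiePrefix}_session"];` in ApiLogin.php reads the session cookie straight from the incoming request, but on the request that performs the login the client has typically not yet sent that cookie (the session is being established in this same request), so the lookup raises an undefined-index notice and the response carries a null sessionid for exactly the caller that needs it. `session_id()` is the authoritative value for the session the server is actually using and does not depend on the request having carried the cookie, so `$result['sessionid'] = session_id();` would fix both problems; whether the session has already been started at this point is not visible in the hunk, so confirm that before switching. Since sessionid is the bearer credential for the logged-in session, any API response logging should treat it with the same care as lgtoken. The enclosing switch and method continue outside the hunk.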
@@ -88,24 +88,11 @@ class ApiMain extends ApiBase { * @param $enableWrite bool should be set to true if the api may modify data */ public function __construct($request, $enableWrite = false) { - global $wgRequest, $wgUser; $this->mInternalMode = ($request instanceof FauxRequest); // Special handling for the main module: $parent === $this parent :: __construct($this, $this->mInternalMode ? 'main_int' : 'main'); - - // Check if request has cookie-like variables, and set them - if( ($request->getVal('lgtoken')) && ($request->getVal('lgusername')) && ($request->getVal('lguserid')) ) { - - // Got variables, set cookies. - $_SESSION['wsUserID'] = $request->getVal('lguserid'); - $_SESSION['wsUserName'] = $request->getVal('lgusername'); - $_SESSION['wsToken'] = $request->getVal('lgtoken'); - - // Reinitialize $wgUser from session data - $wgUser = User::newFromSession(); - } if (!$this->mInternalMode) {