SECURITY: Do not allow user scripts on Special:PasswordReset

[lhc/web/wiklou.git] / includes / specials / SpecialPasswordReset.php

diff --git a/includes/specials/SpecialPasswordReset.php b/includes/specials/SpecialPasswordReset.php
index 7ea9ba0..63490e4 100644 (file)
--- a/includes/specials/SpecialPasswordReset.php
+++ b/includes/specials/SpecialPasswordReset.php
@@ -21,7 +21,7 @@
  * @ingroup SpecialPage
  */
 
-use MediaWiki\Auth\AuthManager;
+use MediaWiki\MediaWikiServices;
 
 /**
  * Special page for requesting a password reset email.
@@ -52,7 +52,7 @@ class SpecialPasswordReset extends FormSpecialPage {
 
        private function getPasswordReset() {
                if ( $this->passwordReset === null ) {
-                       $this->passwordReset = new PasswordReset( $this->getConfig(), AuthManager::singleton() );
+                       $this->passwordReset = MediaWikiServices::getInstance()->getPasswordReset();
                }
                return $this->passwordReset;
        }
@@ -74,12 +74,22 @@ class SpecialPasswordReset extends FormSpecialPage {
                parent::checkExecutePermissions( $user );
        }
 
+       /**
+        * @param string $par
+        */
+       public function execute( $par ) {
+               $out = $this->getOutput();
+               $out->disallowUserJs();
+               parent::execute( $par );
+       }
+
        protected function getFormFields() {
                $resetRoutes = $this->getConfig()->get( 'PasswordResetRoutes' );
                $a = [];
                if ( isset( $resetRoutes['username'] ) && $resetRoutes['username'] ) {
                        $a['Username'] = [
-                               'type' => 'user',
+                               'type' => 'text',
+                               'default' => $this->getRequest()->getSession()->suggestLoginUsername(),
                                'label-message' => 'passwordreset-username',
                        ];