From: Chad Horohoe Date: Fri, 19 Aug 2016 20:53:52 +0000 (-0700) Subject: SECURITY: Require login to preview user CSS pages X-Git-Tag: 1.31.0-rc.0~5955 X-Git-Url: http://git.cyclocoop.org/%40spipnet%40?a=commitdiff_plain;h=81c291f2658836c83eb45fd958f2e54c854b4d23;p=lhc%2Fweb%2Fwiklou.git SECURITY: Require login to preview user CSS pages Anon users have predictable edit tokens, hence someone could force an anon to execute arbitrary CSS by means of a CSRF. Bug: T133147 Change-Id: I442b2b46cadb967aaa1f35648eff183fc7eaa475
---
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index eb3040cd28..8fb3bc2255 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2852,7 +2852,6 @@ class OutputPage extends ContextSource {
 private function isUserJsPreview() {
 return $this->getConfig()->get( 'AllowUserJs' )
- && $this->getUser()->isLoggedIn()
 && $this->getTitle()
 && $this->getTitle()->isJsSubpage()
 && $this->userCanPreview();
@@ -3097,6 +3096,11 @@ class OutputPage extends ContextSource {
 }
 $user = $this->getUser();
+
+ if ( !$this->getUser()->isLoggedIn() ) {
+ // Anons have predictable edit tokens
+ return false;
+ }
 if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
 return false;
 }
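Review bot: The new guard in the second hunk calls `$this->getUser()` again although `$user` was assigned from that same call on the line just above; `if ( !$user->isLoggedIn() ) {` keeps the block consistent with the `matchEditToken` check that follows. The comment would also be more useful if it stated why predictability matters at this point, e.g. `// Anons have predictable edit tokens, so matchEditToken() below cannot prove the request was user-initiated (T133147)`. Since the first hunk drops the `isLoggedIn()` test from `isUserJsPreview()`, that method now relies entirely on this guard being reached before the token check, which is worth recording in the comment so the two are not decoupled later. The enclosing function of the second hunk starts and ends outside the hunk.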