From: Aaron Schulz
Date: Thu, 3 Sep 2015 00:02:38 +0000 (-0700)
Subject: Default the "watchlisttoken" value to a derived HMAC value
X-Git-Tag: 1.31.0-rc.0~10096^2
X-Git-Url: http://git.cyclocoop.org/clavettes/images/siteon3.jpg?a=commitdiff_plain;h=cd027382e0a57de318ac851c958e9f4cf65a56ea;p=lhc%2Fweb%2Fwiklou.git

Default the "watchlisttoken" value to a derived HMAC value

* This got created if unset on API or GUI preferences access, which leads to writes on GET requests. Try to avoid that deriving it from user_token, unless overriden. This also means that changing the password always resets the key, which is how these things work on most sites anyway.
* The whole getTokenFromOption() method is deprecated, and this functionality is already in OAuth.

Bug: T92357
Change-Id: I96c0d6f6e535e67545049f01205430249eea8da0
---
diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26
index 6dcf9195a1..9b93740713 100644
--- a/RELEASE-NOTES-1.26
+++ b/RELEASE-NOTES-1.26
@@ -166,6 +166,9 @@ changes to languages because of Phabricator reports.
 a lengthy deprecation period.
 * The ScopedPHPTimeout class was removed.
 * Removed maintenance script fixSlaveDesync.php.
+* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
+ are deprecated. Applications using those can work via the OAuth
+ extension instead. New tokens types should not be added.
 == Compatibility ==
diff --git a/includes/User.php b/includes/User.php
index 9b958f42dd..4276a7d1c3 100644
--- a/includes/User.php
+++ b/includes/User.php
@@ -2438,6 +2438,7 @@ class User implements IDBAccessObject {
 */
 public function setInternalPassword( $str ) {
 $this->setToken();
+ $this->setOption( 'watchlisttoken', false );
 $passwordFactory = self::getPasswordFactory();
 $this->mPassword = $passwordFactory->newFromPlaintext( $str );
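Review bot: The added `$this->setOption( 'watchlisttoken', false );` clears an explicitly stored watchlist token only on the password-change path, while the derived default introduced in getTokenFromOption() rotates whenever the user token changes through any caller of setToken(); if other token-rotation paths exist, a user-set token would outlive them and the two cases would behave differently. The line also hard-codes the single option name, so its intent deserves a comment: `// Drop any user-set watchlisttoken so a password change rotates it like the derived default`. Whether `false` is persisted as a stored value or treated as "unset" by the option storage is not visible here; confirm it makes getTokenFromOption() fall back to the derived value. setInternalPassword() continues past the end of the hunk.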
@@ -2715,20 +2716,24 @@ class User implements IDBAccessObject {
 * @return string|bool User's current value for the option, or false if this option is disabled.
 * @see resetTokenFromOption()
 * @see getOption()
+ * @deprecated 1.26 Applications should use the OAuth extension
 */
 public function getTokenFromOption( $oname ) {
 global $wgHiddenPrefs;
- if ( in_array( $oname, $wgHiddenPrefs ) ) {
+
+ $id = $this->getId();
+ if ( !$id || in_array( $oname, $wgHiddenPrefs ) ) {
 return false;
 }
 $token = $this->getOption( $oname );
 if ( !$token ) {
- $token = $this->resetTokenFromOption( $oname );
- if ( !wfReadOnly() ) {
- $this->saveSettings();
- }
+ // Default to a value based on the user token to avoid space
+ // wasted on storing tokens for all users. When this option
+ // is set manually by the user, only then is it stored.
+ $token = hash_hmac( 'sha1', "$oname:$id", $this->getToken() );
 }
+
 return $token;
 }
diff --git a/includes/specials/SpecialResetTokens.php b/includes/specials/SpecialResetTokens.php
index 27a3a699ef..cba5a44930 100644
--- a/includes/specials/SpecialResetTokens.php
+++ b/includes/specials/SpecialResetTokens.php
@@ -25,6 +25,7 @@
 * Let users reset tokens like the watchlist token.
 *
 * @ingroup SpecialPage
+ * @deprecated 1.26
 */
 class SpecialResetTokens extends FormSpecialPage {
 private $tokensList;
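Review bot: The new fallback `$token = hash_hmac( 'sha1', "$oname:$id", $this->getToken() );` makes the returned value a pure function of the user token, yet the `@return` line above still calls it the "current value for the option"; it should state that when no option is stored the value is derived from the user token and therefore changes whenever that token is reset, since feed URLs embedding it stop working at that point. The unchanged `if ( !$token )` test also lets the `false` written by setInternalPassword() fall through to the derivation, which appears to be the intended reset path and is worth saying in the inline comment. If getToken() can itself create a token for a user whose user_token is empty, the derived value is not stable until that token is saved, which would reintroduce the write-on-read this commit sets out to remove; confirm against getToken(). The @deprecated hunk in SpecialResetTokens.php needs no change.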