From: Brion Vibber
Date: Mon, 3 Mar 2008 05:45:37 +0000 (+0000)
Subject: Safety fixes for API:
X-Git-Tag: 1.31.0-rc.0~49276
X-Git-Url: https://git.cyclocoop.org/%242?a=commitdiff_plain;h=46619295ebc441e9b814ce15a3ffc26d510276c4;p=lhc%2Fweb%2Fwiklou.git
Safety fixes for API:
* drop user credentials for JSON callback output
* anticipating future changes, don't report anon edit tokens in JSON callback output
---
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index eae68fb389..22ca6588f2 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -74,7 +74,7 @@ class ApiFormatJson extends ApiFormatBase {
public function getParamDescription() {
return array (
- 'callback' => 'If specified, wraps the output into a given function call',
+ 'callback' => 'If specified, wraps the output into a given function call. For safety, all user-specific data will be restricted.',
);
}
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index f267c7e1eb..0711a245a4 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -118,6 +118,14 @@ class ApiMain extends ApiBase {
// If the current user cannot read,
// Remove all modules other than login
global $wgUser;
+
+ if( $request->getVal( 'callback' ) !== null ) {
+ // JSON callback allows cross-site reads.
+ // For safety, strip user credentials.
+ wfDebug( "API: stripping user credentials for JSON callback\n" );
+ $wgUser = new User();
+ }
+
if (!$wgUser->isAllowed('read')) {
self::$Modules = array(
'login' => self::$Modules['login'],
diff --git a/includes/api/ApiQueryBase.php b/includes/api/ApiQueryBase.php
index f964ea98d7..98a6ef39df 100644
--- a/includes/api/ApiQueryBase.php
+++ b/includes/api/ApiQueryBase.php
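Review bot: The new `callback` description says user-specific data "will be restricted" without saying what a client will actually observe, so a consumer debugging a missing token or a login-dependent result gets no hint from the parameter help. As far as this patch shows, the concrete behaviour is that the request is handled as an anonymous user and no tokens are returned, so consider stating that directly, e.g. `'callback' => 'If specified, wraps the output into a given function call. For safety, the request is processed as an anonymous user and no tokens are returned.'`. Whatever wording is chosen should be kept in step with the checks in ApiMain and ApiQueryBase that implement it.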
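Review bot: The credential-stripping gate `$request->getVal( 'callback' ) !== null` is written out a second time, in a different form, in ApiQueryBase::getTokenFlag in the next hunk; two hand-copied copies of a security check tend to drift apart when a third consumer of session-specific data is added. Consider exposing it once on ApiMain, e.g. `public function isCallbackRequest() { return $this->getRequest()->getVal( 'callback' ) !== null; }`, and having both sites call that. Note also that the check fires for any request carrying `callback`, whatever output format was asked for — that is the safe (fail-closed) direction, but a one-line comment saying it is intentional would stop someone "fixing" it later. Replacing `$wgUser` with `new User()` only helps if that constructor yields an anonymous user that is never re-loaded from the session cookie; nothing in the hunk shows that, so the reliance is worth a comment. The enclosing method starts before and ends after this hunk.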
@@ -216,6 +216,10 @@ abstract class ApiQueryBase extends ApiBase {
}
public function getTokenFlag($tokenArr, $action) {
+ if ($this->getMain()->getRequest()->getVal('callback') !== null) {
+ // Don't do any session-specific data.
+ return false;
+ }
if (in_array($action, $tokenArr)) {
global $wgUser;
if ($wgUser->isAllowed($action))
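Review bot: The comment `// Don't do any session-specific data.` on the new early return does not say why, so the next reader cannot tell a deliberate security gate from a leftover; suggest `// Tokens are bound to the caller's session and a JSON callback response is readable cross-site, so never emit them here.`. Unlike the matching branch in ApiMain, this one leaves no debug trace, so a suppressed token is indistinguishable in the logs from a user simply lacking the right; a `wfDebug( "API: suppressing $action token for JSON callback\n" );` before the `return false;` would make the suppression visible when diagnosing client reports. getTokenFlag's body continues past the end of this hunk.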