From f26d891acb9c95ea86236e031e28f7429aeb66e0 Mon Sep 17 00:00:00 2001
From: Antoine Musso
Date: Sun, 8 Jan 2006 19:02:24 +0000
Subject: [PATCH] Fix security issues:
* Bug 4083: Special:Validation doesn't check wpEditToken
* Possible XSS issue
---
 includes/SpecialValidate.php | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/includes/SpecialValidate.php b/includes/SpecialValidate.php
index 813d151bdf..1763be868a 100644
--- a/includes/SpecialValidate.php
+++ b/includes/SpecialValidate.php
@@ -22,8 +22,6 @@
 * @package MediaWiki
 * @subpackage SpecialPage
 */
-
-
 class Validation {
 var $topicList;
 var $voteCache;
@@ -388,10 +386,12 @@ class Validation {
 }
 }
 ksort( $data ) ;
+ $token = htmlspecialchars( $wgUser->editToken() );
 # Generate form
 $table_class = $focus ? 'revisionform_focus' : 'revisionform_default';
- $ret = "
\n"; + $ret = "
\n" + . ''; $head = "Revision #" . $revision; $link = $this->getRevisionLink( $article, $revision ); $metadata = $this->getMetadata( $revision, $article ); @@ -863,15 +863,19 @@ function wfSpecialValidate( $page = '' ) { $mode = $wgRequest->getVal( "mode" ); $skin = $wgUser->getSkin(); - if( $mode == "manage" ) { - $v = new Validation(); - $html = $v->manageTopics(); - } elseif( $mode == "userstats" ) { - $v = new Validation(); - $user = $wgRequest->getVal( "user" ); - $html = $v->showUserStats( $user ); + $token = $wgUser->matchEditToken( $wgRequest->getVal( 'wpEditToken' ) ); + + if( $token ) { + if( $mode == "manage" ) { + $v = new Validation(); + $html = $v->manageTopics(); + } elseif( $mode == "userstats" ) { + $v = new Validation(); + $user = $wgRequest->getVal( "user" ); + $html = $v->showUserStats( $user ); + } } else { - $html = "$mode"; + $html = htmlspecialchars( $mode ); $html .= "