From: Bryan Tong Minh
Date: Thu, 9 Dec 2010 21:29:03 +0000 (+0000)
Subject: BREAKING CHANGE: Require POST for patrolling revisions and salt the patrol token...
X-Git-Tag: 1.31.0-rc.0~33415
X-Git-Url: https://git.cyclocoop.org/%27.WWW_URL.%27admin/?a=commitdiff_plain;h=27b998755c2b18fb247c7929c7e358f32a98141c;p=lhc%2Fweb%2Fwiklou.git

BREAKING CHANGE: Require POST for patrolling revisions and salt the patrol token with 'patrol' instead of rc_id.

See my comments on r75274, for which this is a follow-up. Using a dedicated, but constant patrol token is in my opinion the optimal compromise between performance (only require fetching the token once) and security (leaking the token will only compromise the patrolling feature).
---
diff --git a/includes/api/ApiPatrol.php b/includes/api/ApiPatrol.php
index ddc205f220..04afd1dc58 100644
--- a/includes/api/ApiPatrol.php
+++ b/includes/api/ApiPatrol.php
@@ -59,6 +59,10 @@ class ApiPatrol extends ApiBase {
 		$this->getResult()->addValue( null, $this->getModuleName(), $result );
 	}
 
+	public function mustBePosted() {
+		return true;
+	}
+
 	public function isWriteMode() {
 		return true;
 	}
@@ -95,8 +99,7 @@ class ApiPatrol extends ApiBase {
 	}
 
 	public function getTokenSalt() {
-		$params = $this->extractRequestParams();
-		return $params['rcid'];
+		return 'patrol';
 	}
 
 	protected function getExamples() {
diff --git a/includes/api/ApiQueryInfo.php b/includes/api/ApiQueryInfo.php
index 8ffb2e22b8..3156b7ee90 100644
--- a/includes/api/ApiQueryInfo.php
+++ b/includes/api/ApiQueryInfo.php
@@ -87,6 +87,7 @@ class ApiQueryInfo extends ApiQueryBase {
 			'unblock' => array( 'ApiQueryInfo', 'getUnblockToken' ),
 			'email' => array( 'ApiQueryInfo', 'getEmailToken' ),
 			'import' => array( 'ApiQueryInfo', 'getImportToken' ),
+			'patrol' => array( 'ApiQueryRecentChanges', 'getPatrolToken' ),
 		);
 		wfRunHooks( 'APIQueryInfoTokens', array( &$this->tokenFunctions ) );
 		return $this->tokenFunctions;
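Review bot: The salt `'patrol'` returned by getTokenSalt is a bare literal that must stay byte-identical to the one ApiQueryRecentChanges::getPatrolToken passes to editToken in the ApiQueryRecentChanges hunk of this same commit; a later edit to either side silently breaks token validation for every patrol request. Hoist it into one shared constant, e.g. `const PATROL_TOKEN_SALT = 'patrol';` on ApiPatrol, and reference it from both places. Because the salt no longer includes rc_id, one token is valid for every recent-changes entry for the rest of the session; the commit message accepts that trade-off, but the method itself should say so: `// Constant salt: the token is not bound to an rc_id, so one token per session covers all patrol actions.`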
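Review bot: The new `'patrol'` entry points ApiQueryInfo at a token function in another module, ApiQueryRecentChanges::getPatrolToken, whose declaration is outside this diff; its siblings in this table all live in ApiQueryInfo, so it is worth confirming that getPatrolToken accepts whatever argument list ApiQueryInfo's token loop passes (presumably page id and title) and still returns a token when no recent-changes row is supplied. A one-line comment on the entry would spare the next reader the cross-file lookup: `// Token is constant per user (salt 'patrol'), so it can be issued here without an rc row.`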
diff --git a/includes/api/ApiQueryRecentChanges.php b/includes/api/ApiQueryRecentChanges.php
index 2e9f9b7f43..2aecea85df 100644
--- a/includes/api/ApiQueryRecentChanges.php
+++ b/includes/api/ApiQueryRecentChanges.php
@@ -79,7 +79,13 @@ class ApiQueryRecentChanges extends ApiQueryBase {
 			return false;
 		}
 
-		return $wgUser->editToken( $rc->getAttribute( 'rc_id' ) );
+		// The patrol token is always the same, let's exploit that
+		static $cachedPatrolToken = null;
+		if ( is_null( $cachedPatrolToken ) ) {
+			$cachedPatrolToken = $wgUser->editToken( 'patrol' );
+		}
+
+		return $cachedPatrolToken;
 	}
 
 	/**
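Review bot: The static cache in getPatrolToken is keyed on nothing, so once filled it returns the same token for the rest of the PHP process even if `$wgUser` is later swapped (test harnesses or multi-user maintenance runs); in an ordinary single-user web request this is harmless, but the assumption should be written down or guarded, for instance by also remembering the user id the token was computed for. Prefer `if ( $cachedPatrolToken === null )` over `is_null()`, and replace the comment with one that gives the reason rather than the mood: `// Salt is the constant 'patrol', so the token is identical for every row; compute it once per request.`. The `return false` guard above the added lines still runs per row before the cache is consulted, which is what keeps the cached token from being handed to a caller that guard would reject, assuming that guard checks $wgUser's rights, which the hunk does not show. getPatrolToken's signature and the start of its body are outside the hunk.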