Validate BlockID cookie before use
author Sam Wilson <sam@samwilson.id.au>
Wed, 4 Jan 2017 03:38:27 +0000 (11:38 +0800)
committer Sam Wilson <sam@samwilson.id.au>
Fri, 10 Feb 2017 03:35:57 +0000 (11:35 +0800)
commit 5fd5b3276f240c8189755db9641e764543b8c0b1
tree 11087804cccc471a19ae3da84587ce214d969838
parent 74d0c079bfdf461a960a8a200cb4acfa4255d19d
Validate BlockID cookie before use

This change adds a HMAC to the block-cookie to prevent someone
spoofing a cookie and so discovering revdeleted users' names.
The HMAC is only added if $wgSecretKey is set; if it isn't, the
existing plain-ID format is used. A note about this has been
added to DefaultSettings.php.

Tests are updated and new tests added to demonstrate an
inauthentic HMAC, and for when $wgSecretKey is not defined.

Bug: T152951
Change-Id: I6a3ef9e91091408c25eaa2d36d58b365d681e8c6
includes/Block.php
includes/DefaultSettings.php
includes/user/User.php
tests/phpunit/includes/user/UserTest.php
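
The scheme the commit message describes, sketched as an added example (not the code from this commit or from MediaWiki): the block ID is authenticated with an HMAC when a secret key is configured, and the plain-ID format is used when it is not. The `<id>!<hmac>` layout, the function names, the sample key and the choice to refuse an unsigned cookie once a key is set are assumptions of this sketch.

```php
<?php
// Added illustration; not MediaWiki's code. The "<id>!<hmac>" layout, the
// function names and the sample key are assumptions made for this example.

/** Build the cookie value: "<id>!<hmac>" when a secret is set, else the plain ID. */
function makeBlockCookieValue(int $blockId, ?string $secretKey): string {
    if ($secretKey === null || $secretKey === '') {
        return (string)$blockId; // plain-ID format, carries no authentication
    }
    return $blockId . '!' . hash_hmac('sha256', (string)$blockId, $secretKey);
}

/** Return the block ID if the cookie is acceptable, or null if it must be ignored. */
function getBlockIdFromCookie(string $cookie, ?string $secretKey): ?int {
    $parts = explode('!', $cookie, 2);
    $id = $parts[0];
    // Accept only a short decimal ID before it is used for any lookup.
    if ($id === '' || !ctype_digit($id) || strlen($id) > 18) {
        return null;
    }
    if ($secretKey === null || $secretKey === '') {
        // No secret configured: only the plain-ID form is meaningful.
        return count($parts) === 1 ? (int)$id : null;
    }
    // Secret configured: an unsigned cookie is refused (assumption of this sketch).
    if (count($parts) !== 2) {
        return null;
    }
    $expected = hash_hmac('sha256', $id, $secretKey);
    // hash_equals() compares in constant time, so the check leaks no timing signal.
    return hash_equals($expected, $parts[1]) ? (int)$id : null;
}

// Constructed sample values.
$key = 'constructed-sample-secret';
$good = makeBlockCookieValue(1234, $key);
// Tampered cookie: the MAC issued for ID 1234 attached to a different ID.
$forged = '1235!' . substr($good, strpos($good, '!') + 1);

var_dump(getBlockIdFromCookie($good, $key));   // authentic cookie
var_dump(getBlockIdFromCookie($forged, $key)); // inauthentic HMAC
var_dump(getBlockIdFromCookie('1234', $key));  // unsigned cookie, key set
var_dump(getBlockIdFromCookie('1234', null));  // no key: plain-ID fallback
```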