Page MenuHomePhabricator
Create Task
Maniphest T34870

CSRF in CodeReview ApiRevisionUpdate
Closed, ResolvedPublic
Actions

Description

The ApiRevisionUpdate module in CodeReview does not have any CSRF protection. The code says:

/**

  • Variation of CodeRevisionCommiter for use in the API. Removes the post and token checking from validPost
  • API can/will do the POST checking (and token?) */

No, it does not do token checking. ApiBase::needsToken() and ApiBase::getTokenSalt() must be overridden, which they aren't.

Version: unspecified
Severity: normal

Details

Reference
bz32870

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 12:05 AM
bzimport added a project: MediaWiki-extensions-CodeReview.
bzimport set Reference to bz32870.
bzimport added a subscriber: Unknown Object (MLST).
tstarling created this task.Dec 8 2011, 5:30 AM
tstarling added a comment.Dec 8 2011, 5:31 AM

Adding developer to CC list.

tstarling added a comment.Dec 8 2011, 5:33 AM

Note that the client code from r95435 will need to be updated, adding Hashar to the CC list for that.

RobLa-WMF added a comment.Feb 2 2012, 12:54 AM

Appears to be reverted

Reedy added a comment.Feb 2 2012, 2:32 PM

r95435 was reverted, but the original code Tim mentioned the issue with is still there

Reedy added a comment.Feb 2 2012, 3:06 PM

r110573

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL