Checkuser API does not use tokens
Closed, Resolved | Public

Description

Doesn't leak information, but could be used to have the user perform sensitive write actions unknowingly, if I understand correctly.


Version: master
Severity: minor

Details

Reference
bz45019

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:28 AM
bzimport added a project: CheckUser.
bzimport set Reference to bz45019.

Created attachment 11962
Add token requirement to Checkuser API

attachment b45019.patch ignored as obsolete

Created attachment 12745
Add token requirement to Checkuser API

Tested and working well so far. I'll deploy this and we'll release it with 1.21.2.

Deployed
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/CheckUser
18:36 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/CheckUser

This was assigned CVE-2013-4306