[[Special:MWOAuthManageMyGrants]] does not check whether the ID passed as a URL argument belongs to the current user, and allows the user to view any existing accepted consumer settings (see e.g. the URL linked above). Fortunately, MWOAuthConsumerAcceptanceSubmitControl seems to check the current user correctly, so that attempts to modify the consumer should fail. So while this is a security vulnerability, it is not a severe one.
I guess something like this could suffice?
- a/frontend/specialpages/SpecialMWOAuthManageMyGrants.php
+++ b/frontend/specialpages/SpecialMWOAuthManageMyGrants.php
@@ -102,10 +102,14 @@ class SpecialMWOAuthManageMyGrants extends UnlistedSpecialPage {
$user = $this->getUser(); $lang = $this->getLanguage(); $db = MWOAuthUtils::getCentralDB( DB_SLAVE );
+ $centralUserId = MWOAuthUtils::getCentralIdFromLocalUser( $user );
+ if ( !$centralUserId ) { // sanity
+ throw new PermissionsError();
+ }
$cmra = MWOAuthDAOAccessControl::wrap( MWOAuthConsumerAcceptance::newFromId( $db, $acceptanceId ), $this->getContext() );
- if ( !$cmra ) {
+ if ( !$cmra || $cmra->get( 'userId' ) !== $centralUserId ) {
$this->getOutput()->addHtml( $this->msg( 'mwoauth-invalid-access-token' )->escaped() ); return; }
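Review bot: the ownership check `$cmra->get( 'userId' ) !== $centralUserId` uses a strict comparison, so it is only correct if both sides have the same type. If the DAO returns the column as a string while `getCentralIdFromLocalUser()` returns an integer, the rightful owner would also hit the 'mwoauth-invalid-access-token' branch; confirm the types or cast both sides to int before comparing. Separately, `new PermissionsError()` is constructed without an argument; pass the permission the page requires so the error renders properly. Reusing the same message for a missing acceptance and for one owned by another user is a good choice, since the response then does not reveal which acceptance IDs exist.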
Version: unspecified
Severity: major
URL: https://www.mediawiki.org/wiki/Special:MWOAuthManageMyGrants/manage/2