SECURITY: Require login to preview user CSS pages
Anonymous users have predictable edit tokens, so an attacker could use a CSRF request to make an anonymous user load arbitrary CSS. Bug: T133147 Change-Id: I442b2b46cadb967aaa1f35648eff183fc7eaa475
This commit is contained in:
parent
48503ee7d9
commit
81c291f265
1 changed files with 5 additions and 1 deletions
@ -2852,7 +2852,6 @@ class OutputPage extends ContextSource {
|
|||
|
||||
private function isUserJsPreview() {
|
||||
return $this->getConfig()->get( 'AllowUserJs' )
|
||||
&& $this->getUser()->isLoggedIn()
|
||||
&& $this->getTitle()
|
||||
&& $this->getTitle()->isJsSubpage()
|
||||
&& $this->userCanPreview();
|
||||
|
|
@ -3097,6 +3096,11 @@ class OutputPage extends ContextSource {
|
|||
}
|
||||
|
||||
$user = $this->getUser();
|
||||
|
||||
if ( !$this->getUser()->isLoggedIn() ) {
|
||||
// Anons have predictable edit tokens
|
||||
return false;
|
||||
}
|
||||
if ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
|
||||
return false;
|
||||
}
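Review bot: The new guard calls `$this->getUser()->isLoggedIn()` on the line right after `$user = $this->getUser();` is assigned, while the existing `matchEditToken` check below uses `$user`; for consistency the guard should read `if ( !$user->isLoggedIn() ) {`. The added comment could also say why the early return is needed rather than just stating the fact, e.g. `// Anons have predictable edit tokens, so matchEditToken() alone cannot prove this request was not forged cross-site`. userCanPreview() begins and ends outside this hunk, so the caller-facing return paths after the token check are not visible here.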
|
||||
|