Require CSRF token for action=scribunto-console
This is basically unexploitable, given that Scribunto sessions are
"extremely ephemeral", protected by a 31-bit non-cryptographically
random token and generally contain very little useful data.

But, requiring a CSRF token is a best practice and since this module
is internal and only used in one place, it's also unlikely to break
anything. Because it needs a token, the module is POST-only now too.

Bug: T212071
Change-Id: I7fb6b4f856ee6194eb37c26e14f178fea6c0a3f6
legoktm authored and jenkins-bot committed Oct 5, 2022
1 parent 5f007a0 commit 0f25852
Showing 2 changed files with 5 additions and 1 deletion.
4 changes: 4 additions & 0 deletions includes/ApiScribuntoConsole.php
@@ -145,6 +145,10 @@ protected function newSession() {
];
}

public function needsToken() {
return 'csrf';
}

public function isInternal() {
return true;
}
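Review bot: needsToken() returning 'csrf' also makes the module POST-only through ApiBase's default mustBePosted() (which returns needsToken() !== false), so the "POST-only now" behaviour in the commit message comes for free from this hunk. Since the message says the module has exactly one caller, the change in modules/ext.scribunto.edit.js must ship together with this one; a plain GET or tokenless POST from an older frontend will now be rejected. Consider adding a unit test asserting that a request without a token fails, so the requirement is not silently dropped later.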
2 changes: 1 addition & 1 deletion modules/ext.scribunto.edit.js
@@ -280,7 +280,7 @@
api = new mw.Api();
setPending();

api.post( params )
api.postWithToken( 'csrf', params )
.done( function ( result ) {
if ( result.sessionIsNew === '' && !sentContent ) {
// Session was lost. Resend query, with content
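Review bot: the .done handler's "Session was lost. Resend query, with content" branch resends the request, but that resend is outside the hunk; if it still goes through api.post( params ) rather than api.postWithToken( 'csrf', params ), the retry will now fail the token check introduced in ApiScribuntoConsole.php. Please confirm the resend path was updated too. Note that postWithToken() already retries once on a badtoken error, so no extra token handling is needed in this callback.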
