authorChris Danis <cdanis@wikimedia.org>2021-09-23 16:21:05 -0400
committerReedy <reedy@wikimedia.org>2021-09-30 18:52:36 +0100
commitdeacdefaeeb021e49f670688cbf7285c4dd8010e (patch)
treea776bb24bf3738421519fd26c9ed49a155e22376
parent2533b13a4874da018e264a4f87a8e58313d02611 (diff)
SECURITY: fix PoolCounter protection of Special:Contributions
The call to $pager->getNumRows() itself triggers execution of the database query backing the page, so the call must be made inside the callback given to PoolCounterWorkViaCallback. CVE-2021-41800 Bug: T284419 Change-Id: I8b7b41a355be265389a4a8c9ea91301d4e23ae1b
-rw-r--r--RELEASE-NOTES-1.362
-rw-r--r--includes/specials/SpecialContributions.php32
2 files changed, 19 insertions, 15 deletions
diff --git a/RELEASE-NOTES-1.36 b/RELEASE-NOTES-1.36
index 4dc1ab4e5183..c8564f7b7019 100644
--- a/RELEASE-NOTES-1.36
+++ b/RELEASE-NOTES-1.36
@@ -30,6 +30,8 @@ THIS IS NOT A RELEASE YET
* (T285515, CVE-2021-41798) SECURITY: XSS vulnerability in Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full
table scan.
+* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of
+ Special:Contributions.
== MediaWiki 1.36.1 ==
diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index d06c62f6ba97..596610a0b151 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -302,8 +302,6 @@ class SpecialContributions extends IncludableSpecialPage {
$limits = $this->getConfig()->get( 'RangeContributionsCIDRLimit' );
$limit = $limits[ IPUtils::isIPv4( $target ) ? 'IPv4' : 'IPv6' ];
$out->addWikiMsg( 'sp-contributions-outofrange', $limit );
- } elseif ( !$pager->getNumRows() ) {
- $out->addWikiMsg( 'nocontribs', $target );
} else {
// @todo We just want a wiki ID here, not a "DB domain", but
// current status of MediaWiki conflates the two. See T235955.
@@ -314,20 +312,24 @@ class SpecialContributions extends IncludableSpecialPage {
$poolKey .= 'u:' . $this->getUser()->getId();
}
$work = new PoolCounterWorkViaCallback( 'SpecialContributions', $poolKey, [
- 'doWork' => function () use ( $pager, $out ) {
- # Show a message about replica DB lag, if applicable
- $lag = $pager->getDatabase()->getSessionLagStatus()['lag'];
- if ( $lag > 0 ) {
- $out->showLagWarning( $lag );
+ 'doWork' => function () use ( $pager, $out, $target ) {
+ if ( !$pager->getNumRows() ) {
+ $out->addWikiMsg( 'nocontribs', $target );
+ } else {
+ # Show a message about replica DB lag, if applicable
+ $lag = $pager->getDatabase()->getSessionLagStatus()['lag'];
+ if ( $lag > 0 ) {
+ $out->showLagWarning( $lag );
+ }
+
+ $output = $pager->getBody();
+ if ( !$this->including() ) {
+ $output = $pager->getNavigationBar() .
+ $output .
+ $pager->getNavigationBar();
+ }
+ $out->addHTML( $output );
}
-
- $output = $pager->getBody();
- if ( !$this->including() ) {
- $output = $pager->getNavigationBar() .
- $output .
- $pager->getNavigationBar();
- }
- $out->addHTML( $output );
},
'error' => function () use ( $out ) {
$msg = $this->getUser()->isAnon()
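Review bot: The invariant this fix depends on is not recorded in the new code: `$pager->getNumRows()` runs the pager's database query, so it has to be called inside the `doWork` closure. Without a note, a later refactor could hoist the empty-result check back out and silently drop the PoolCounter limit again. I would add a comment directly above `if ( !$pager->getNumRows() ) {`, for example `// getNumRows() executes the pager query; keep it inside doWork so PoolCounter covers it (T284419).` The same concern applies to any other pager accessor that triggers the query. Whether one is called earlier in this method cannot be confirmed here, because the enclosing method starts and ends outside the hunk.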