authorChris Danis <cdanis@wikimedia.org>2021-09-23 16:21:05 -0400
committerReedy <reedy@wikimedia.org>2021-09-30 18:49:23 +0100
commiteb89cfa144778191ea542d235e2bd72ed03c6b58 (patch)
tree375f71a8ad9779493d36565768c440f4bf71b685
parent71594140f5884f0edcd1119889db0cf717e3916e (diff)
SECURITY: fix PoolCounter protection of Special:Contributions
The call to $pager->getNumRows() itself triggers execution of the database query backing the page, so, that call must be inside the callback given to PoolCounterWorkViaCallback. CVE-2021-41800 Bug: T284419 Change-Id: I8b7b41a355be265389a4a8c9ea91301d4e23ae1b
-rw-r--r--RELEASE-NOTES-1.312
-rw-r--r--includes/specials/SpecialContributions.php33
2 files changed, 19 insertions, 16 deletions
diff --git a/RELEASE-NOTES-1.31 b/RELEASE-NOTES-1.31
index df726b802cea..2d28edc40946 100644
--- a/RELEASE-NOTES-1.31
+++ b/RELEASE-NOTES-1.31
@@ -10,6 +10,8 @@ THIS IS NOT A RELEASE YET
Special:Search.
* (T290379, CVE-2021-41799) SECURITY: ApiQueryBacklinks can cause a full
table scan.
+* (T284419, CVE-2021-41800) SECURITY: fix PoolCounter protection of
+ Special:Contributions.
== MediaWiki 1.31.15 ==
diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 5c4bcf47e603..0a9ddd740aba 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -235,8 +235,6 @@ class SpecialContributions extends IncludableSpecialPage {
$limits = $this->getConfig()->get( 'RangeContributionsCIDRLimit' );
$limit = $limits[ IP::isIPv4( $target ) ? 'IPv4' : 'IPv6' ];
$out->addWikiMsg( 'sp-contributions-outofrange', $limit );
- } elseif ( !$pager->getNumRows() ) {
- $out->addWikiMsg( 'nocontribs', $target );
} else {
// @todo We just want a wiki ID here, not a "DB domain", but
// current status of MediaWiki conflates the two. See T235955.
@@ -247,21 +245,24 @@ class SpecialContributions extends IncludableSpecialPage {
$poolKey .= 'u:' . $this->getUser()->getId();
}
$work = new PoolCounterWorkViaCallback( 'SpecialContributions', $poolKey, [
- 'doWork' => function () use ( $pager, $out ) {
- # Show a message about replica DB lag, if applicable
- $lb = MediaWikiServices::getInstance()->getDBLoadBalancer();
- $lag = $lb->safeGetLag( $pager->getDatabase() );
- if ( $lag > 0 ) {
- $out->showLagWarning( $lag );
+ 'doWork' => function () use ( $pager, $out, $target ) {
+ if ( !$pager->getNumRows() ) {
+ $out->addWikiMsg( 'nocontribs', $target );
+ } else {
+ # Show a message about replica DB lag, if applicable
+ $lag = $pager->getDatabase()->getSessionLagStatus()['lag'];
+ if ( $lag > 0 ) {
+ $out->showLagWarning( $lag );
+ }
+
+ $output = $pager->getBody();
+ if ( !$this->including() ) {
+ $output = $pager->getNavigationBar() .
+ $output .
+ $pager->getNavigationBar();
+ }
+ $out->addHTML( $output );
}
-
- $output = $pager->getBody();
- if ( !$this->including() ) {
- $output = '<p>' . $pager->getNavigationBar() . '</p>' .
- $output .
- '<p>' . $pager->getNavigationBar() . '</p>';
- }
- $out->addHTML( $output );
},
'error' => function () use ( $out ) {
$msg = $this->getUser()->isAnon()
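Review bot: Nothing in the new `doWork` closure records why the empty-result check has to live there, so a later cleanup could hoist `if ( !$pager->getNumRows() ) {` back out and run the query outside PoolCounter again. A comment directly above that line would pin it, for example `// getNumRows() executes the pager query; keep it inside doWork so PoolCounter bounds it`. The same hunk also drops the `<p>` wrappers around `getNavigationBar()` and replaces `safeGetLag()` with `getSessionLagStatus()['lag']`, neither of which the commit message mentions, so it is worth confirming both are intended on this release branch rather than carried over from another branch. The enclosing method starts and ends outside the hunk, so whether any other `$pager` call that triggers the query runs before the worker executes cannot be checked from here.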