authorPierre Schmitz <pierre@archlinux.de>2008-03-03 09:36:49 +0100
committerPierre Schmitz <pierre@archlinux.de>2008-03-03 09:36:49 +0100
commit749e7fb2bae7bbda855de3c9e319435b9f698ff7 (patch)
treea64763b24252286d6919665d2de481f8310022ef /includes/api/ApiMain.php
parentcd613277ad3c5c601d3148b99377d97aa9656d6a (diff)
MediaWiki 1.11.2 released (security)
Diffstat (limited to 'includes/api/ApiMain.php')
-rw-r--r--includes/api/ApiMain.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 31870449..00b3f63f 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -98,6 +98,14 @@ class ApiMain extends ApiBase {
// If the current user cannot read,
// Remove all modules other than login
global $wgUser;
+
+ if( $request->getVal( 'callback' ) !== null ) {
+ // JSON callback allows cross-site reads.
+ // For safety, strip user credentials.
+ wfDebug( "API: stripping user credentials for JSON callback\n" );
+ $wgUser = new User();
+ }
+
if (!$wgUser->isAllowed('read')) {
self::$Modules = array(
'login' => self::$Modules['login'],
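Review bot: The credential strip at `$wgUser = new User();` only covers code that reads the global `$wgUser` after this point. Anything that captured the user object earlier in the request, or that reads session or cookie data directly, would still act with the caller's identity, and that cannot be checked from this hunk. The comment should state the invariant, for example `// Every later permission check must go through $wgUser; never read session data directly here.` The placement before the `isAllowed('read')` check looks deliberate, so a callback request to a read-restricted wiki is presumably reduced to the login-only module list, which is worth one more comment line. The enclosing constructor starts and ends outside the hunk, and the `callback` value itself is only tested for presence here, so confirm that the JSON formatter restricts it to a safe identifier before echoing it.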