Diffstat (limited to 'includes/specials')
-rw-r--r--includes/specials/SpecialChangePassword.php16
-rw-r--r--includes/specials/SpecialPrefixindex.php1
2 files changed, 17 insertions, 0 deletions
diff --git a/includes/specials/SpecialChangePassword.php b/includes/specials/SpecialChangePassword.php
index c54b5575..a75e7e83 100644
--- a/includes/specials/SpecialChangePassword.php
+++ b/includes/specials/SpecialChangePassword.php
@@ -52,6 +52,11 @@ class SpecialChangePassword extends UnlistedSpecialPage {
$this->mDomain = $request->getVal( 'wpDomain' );
$user = $this->getUser();
+
+ if ( !$user->isLoggedIn() && !LoginForm::getLoginToken() ) {
+ LoginForm::setLoginToken();
+ }
+
if ( !$request->wasPosted() && !$user->isLoggedIn() ) {
$this->error( $this->msg( 'resetpass-no-info' )->text() );
@@ -81,6 +86,14 @@ class SpecialChangePassword extends UnlistedSpecialPage {
return;
}
+ if ( !$user->isLoggedIn()
+ && $request->getVal( 'wpLoginOnChangeToken' ) !== LoginForm::getLoginToken()
+ ) {
+ // Potential CSRF (bug 62497)
+ $this->error( $this->msg( 'sessionfailure' )->text() );
+ return false;
+ }
+
$this->attemptReset( $this->mNewpass, $this->mRetype );
if ( $user->isLoggedIn() ) {
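Review bot: The token check on the second added line compares a session secret against request input with `!==`, which stops at the first differing byte; a constant-time comparison is the usual choice here, e.g. `&& !hash_equals( (string)LoginForm::getLoginToken(), (string)$request->getVal( 'wpLoginOnChangeToken' ) )` (hash_equals() is PHP 5.6+, so whether it is usable depends on the project's minimum version, which is not visible here). The guard also relies on the setLoginToken() call added in the first hunk to guarantee a non-empty token; if getLoginToken() can still return an empty value at this point, an absent parameter would compare equal, so rejecting an empty token explicitly is cheap insurance. The new branch returns `false` while the existing error path two lines above it uses a bare `return;`; the two should follow the same return convention for this method. The enclosing method starts and ends outside the hunk.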
@@ -157,6 +170,9 @@ class SpecialChangePassword extends UnlistedSpecialPage {
'wpName' => $this->mUserName,
'wpDomain' => $this->mDomain,
) + $this->getRequest()->getValues( 'returnto', 'returntoquery' );
+ if ( !$user->isLoggedIn() ) {
+ $hiddenFields['wpLoginOnChangeToken'] = LoginForm::getLoginToken();
+ }
$hiddenFieldsStr = '';
foreach ( $hiddenFields as $fieldname => $fieldvalue ) {
$hiddenFieldsStr .= Html::hidden( $fieldname, $fieldvalue ) . "\n";
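Review bot: The new hidden field injects a session secret into the form without a comment saying why it is only emitted for anonymous users or where it is consumed, so a later edit could easily drop one side of the pair. Suggest adding above the added `if`: `// Anti-CSRF token for anonymous password changes (bug 62497); must match the wpLoginOnChangeToken check that runs before attemptReset()`. The form-building method starts and ends outside the hunk.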
diff --git a/includes/specials/SpecialPrefixindex.php b/includes/specials/SpecialPrefixindex.php
index 28d07ffc..0d065b09 100644
--- a/includes/specials/SpecialPrefixindex.php
+++ b/includes/specials/SpecialPrefixindex.php
@@ -264,6 +264,7 @@ class SpecialPrefixindex extends SpecialAllpages {
'from' => $s->page_title,
'prefix' => $prefix,
'hideredirects' => $this->hideRedirects,
+ 'stripprefix' => $this->stripPrefix,
);
if ( $namespace || $prefix == '' ) {