author | Pierre Schmitz <pierre@archlinux.de> | 2008-03-03 09:36:49 +0100 |
---|---|---|
committer | Pierre Schmitz <pierre@archlinux.de> | 2008-03-03 09:36:49 +0100 |
commit | 749e7fb2bae7bbda855de3c9e319435b9f698ff7 (patch) | |
tree | a64763b24252286d6919665d2de481f8310022ef /includes/api/ApiMain.php | |
parent | cd613277ad3c5c601d3148b99377d97aa9656d6a (diff) |
MediaWiki 1.11.2 released (security)
Diffstat (limited to 'includes/api/ApiMain.php')
-rw-r--r-- | includes/api/ApiMain.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 31870449..00b3f63f 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -98,6 +98,14 @@ class ApiMain extends ApiBase {
 // If the current user cannot read,
 // Remove all modules other than login
 global $wgUser;
+
+ if( $request->getVal( 'callback' ) !== null ) {
+ // JSON callback allows cross-site reads.
+ // For safety, strip user credentials.
+ wfDebug( "API: stripping user credentials for JSON callback\n" );
+ $wgUser = new User();
+ }
+
 if (!$wgUser->isAllowed('read')) {
 self::$Modules = array(
 'login' => self::$Modules['login'], |
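Review bot: The credential strip is keyed on the literal request parameter `'callback'` here in ApiMain, while the code that actually wraps the output in a callback is not in this file section, so the two can drift apart if that parameter is renamed or another cross-site-loadable output format is added. A comment on the added `if` would make the coupling explicit, e.g. `// Keep in sync with the JSON formatter's callback parameter; any other script-includable format needs the same check.` Replacing the global `$wgUser` also only protects code that reads the global after this point. The enclosing method starts and ends outside the hunk, so it is not visible whether anything captured the logged-in user earlier or reads session state directly; that is worth confirming before relying on this guard alone.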