Diffstat (limited to 'includes/specials')
-rw-r--r-- | includes/specials/SpecialUpload.php | 9 | ||||
-rw-r--r-- | includes/specials/SpecialUserlogin.php | 6 | ||||
-rw-r--r-- | includes/specials/SpecialWatchlist.php | 2 | ||||
-rw-r--r-- | includes/specials/SpecialWhatlinkshere.php | 1 |
4 files changed, 6 insertions, 12 deletions
diff --git a/includes/specials/SpecialUpload.php b/includes/specials/SpecialUpload.php
index 8eeca5d5..33013e08 100644
--- a/includes/specials/SpecialUpload.php
+++ b/includes/specials/SpecialUpload.php
@@ -119,14 +119,7 @@ class SpecialUpload extends SpecialPage {
 // If it was posted check for the token (no remote POST'ing with user credentials)
 $token = $request->getVal( 'wpEditToken' );
- if( $this->mSourceType == 'file' && $token == null ) {
- // Skip token check for file uploads as that can't be faked via JS...
- // Some client-side tools don't expect to need to send wpEditToken
- // with their submissions, as that's new in 1.16.
- $this->mTokenOk = true;
- } else {
- $this->mTokenOk = $wgUser->matchEditToken( $token );
- }
+ $this->mTokenOk = $wgUser->matchEditToken( $token );
 $this->uploadFormTextTop = '';
 $this->uploadFormTextAfterSummary = '';
diff --git a/includes/specials/SpecialUserlogin.php b/includes/specials/SpecialUserlogin.php
index 01dc9a1c..0e5baa2d 100644
--- a/includes/specials/SpecialUserlogin.php
+++ b/includes/specials/SpecialUserlogin.php
@@ -1114,9 +1114,9 @@ class LoginForm extends SpecialPage {
 */
 public static function setLoginToken() {
 global $wgRequest;
- // Use User::generateToken() instead of $user->editToken()
+ // Generate a token directly instead of using $user->editToken()
 // because the latter reuses $_SESSION['wsEditToken']
- $wgRequest->setSessionData( 'wsLoginToken', User::generateToken() );
+ $wgRequest->setSessionData( 'wsLoginToken', MWCryptRand::generateHex( 32 ) );
 }
 /**
@@ -1140,7 +1140,7 @@ class LoginForm extends SpecialPage {
 */
 public static function setCreateaccountToken() {
 global $wgRequest;
- $wgRequest->setSessionData( 'wsCreateaccountToken', User::generateToken() );
+ $wgRequest->setSessionData( 'wsCreateaccountToken', MWCryptRand::generateHex( 32 ) );
 }
 /**
diff --git a/includes/specials/SpecialWatchlist.php b/includes/specials/SpecialWatchlist.php
index 51086bb1..fd562be4 100644
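Review bot: In includes/specials/SpecialUpload.php the token check is now unconditional, but the comment left above it does not record that the file-upload exemption was removed on purpose. I would extend it with `// Required for every source type, file uploads included; do not re-add an exemption for clients that omit wpEditToken.` so the bypass is not reintroduced for compatibility reasons. This hunk only assigns `$this->mTokenOk`; the code that acts on that flag is outside the hunk, so it is worth confirming that every upload path refuses to proceed when it is false.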
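Review bot: In includes/specials/SpecialUserlogin.php, `setLoginToken()` and `setCreateaccountToken()` (the next hunk) both hard-code `MWCryptRand::generateHex( 32 )`, so the token length lives in two places with no explanation of the value. A shared class constant such as `const TOKEN_HEX_LENGTH = 32;`, or at least a comment like `// 32 hex characters = 128 bits of randomness`, would keep the two in step. The comment retained in `setLoginToken()` explains why the edit token is not reused; `setCreateaccountToken()` carries no such comment although the same reasoning presumably applies. The code that compares these session tokens against the submitted value is not shown in either hunk.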
--- a/includes/specials/SpecialWatchlist.php
+++ b/includes/specials/SpecialWatchlist.php
@@ -43,7 +43,7 @@ class SpecialWatchlist extends SpecialPage {
 // Add feed links
 $wlToken = $user->getOption( 'watchlisttoken' );
 if ( !$wlToken ) {
- $wlToken = sha1( mt_rand() . microtime( true ) );
+ $wlToken = MWCryptRand::generateHex( 40 );
 $user->setOption( 'watchlisttoken', $wlToken );
 $user->saveSettings();
 }
diff --git a/includes/specials/SpecialWhatlinkshere.php b/includes/specials/SpecialWhatlinkshere.php
index 5cdaad6a..f7d7bfef 100644
--- a/includes/specials/SpecialWhatlinkshere.php
+++ b/includes/specials/SpecialWhatlinkshere.php
@@ -50,6 +50,7 @@ class SpecialWhatLinksHere extends SpecialPage {
 $out = $this->getOutput();
 $this->setHeaders();
+ $this->outputHeader();
 $opts = new FormOptions(); |
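Review bot: In includes/specials/SpecialWatchlist.php the stronger generator only runs inside `if ( !$wlToken )`, so any user whose `watchlisttoken` option was already set by the old `sha1( mt_rand() . microtime( true ) )` code keeps that weaker value. Nothing in this hunk rotates stored tokens, so the change should be paired with a reset of existing ones or a release note telling users how to regenerate theirs. I would also add `// Tokens issued before this change came from mt_rand()/microtime() and stay weak until reset.` above the check. The enclosing method begins and ends outside the hunk.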