Checkuser API does not use tokens
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Krenair
	Feb 14 2013, 9:45 PM

Description

Doesn't leak information, but could be used to have the user perform sensitive write actions unknowingly if I understand correctly.

Version: master
Severity: minor

Details

Reference: bz45019

Event Timeline

• bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 1:28 AM

• bzimport added a project: CheckUser.

• bzimport set Reference to bz45019.

Krenair created this task.Feb 14 2013, 9:45 PM

Created attachment 11962
Add token requirement to Checkuser API

attachment b45019.patch ignored as obsolete

Created attachment 12745
Add token requirement to Checkuser API

Attached:

b45019.patch953 BDownload

Tested and working well so far. I'll deploy this and we'll release it with 1.21.2.

Deployed
18:37 logmsgbot: csteipp synchronized php-1.22wmf13/extensions/CheckUser
18:36 logmsgbot: csteipp synchronized php-1.22wmf14/extensions/CheckUser

This was assigned CVE-2013-4306

• csteipp added a project: acl*security.Mar 26 2015, 8:39 PM

MarcoAurelio moved this task from General / Unsorted to Done on the CheckUser board.May 9 2016, 8:57 AM

Restricted Application added subscribers: Malyacko, JEumerus. · View Herald TranscriptMay 9 2016, 8:57 AM

• chasemp added a project: Security.Feb 10 2020, 10:53 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM

Checkuser API does not use tokensClosed, ResolvedPublicActions

Description

Details

Event Timeline

Checkuser API does not use tokens
Closed, ResolvedPublic
Actions