Merge pull request from GHSA-jmc9-rv2f-g8vv
The ManageWiki API currently allows viewing of sensitive information that is set as visible only to users with the ManageWiki right, such as Discord and Slack webhooks. This fixes it by adding a check to the API that hides a setting if the config sets `$wgManageWikiSettings[SETTING]['requires']['visibility']['permissions']` for it, so information on sensitive settings is never displayed via the API.

See https://phabricator.miraheze.org/T7213
Universal-Omega committed Apr 28, 2021
1 parent 99f3b2c commit befb83c
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions includes/api/ApiQueryWikiConfig.php
@@ -1,4 +1,7 @@
<?php

use MediaWiki\MediaWikiServices;

class ApiQueryWikiConfig extends ApiQueryBase {
public function __construct( $query, $moduleName ) {
parent::__construct( $query, $moduleName, 'wcf' );
@@ -31,6 +34,14 @@ public function execute() {
$mwSet = new ManageWikiSettings( $wiki );
if ( isset( $prop['settings'] ) ) {
$wikiData['settings'] = $mwSet->list();

$config = MediaWikiServices::getInstance()->getConfigFactory()->makeConfig( 'managewiki' );

foreach ( $config->get( 'ManageWikiSettings' ) as $setting => $options ) {
if ( isset( $options['requires']['visibility']['permissions'] ) ) {
unset( $wikiData['settings'][$setting] );
}
}
}

$mwExt = new ManageWikiExtensions( $wiki );
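Review bot: The filter added to the `settings` branch of execute() is a denylist driven by the current `ManageWikiSettings` config, so any key that `$mwSet->list()` returns but the config no longer defines (or defines under a different key) would still be sent through the API; `list()` is not visible here, so whether that can happen needs confirming. Filtering the returned array itself, keeping only keys the config defines and that carry no `['requires']['visibility']['permissions']` entry, would fail closed instead, as sketched below. The restricted values are withheld from every caller, including users who hold the listed permissions, which is the safe choice for an API module but deserves a comment such as `// Restricted settings are never exposed through the API, regardless of the caller's rights.` execute() starts and ends outside this hunk, so the other `prop` branches were not reviewed.

```php
$wikiData['settings'] = $mwSet->list();
// … unchanged: $config lookup via MediaWikiServices …
$settingsConfig = $config->get( 'ManageWikiSettings' );

// Fail closed: keep only settings the config defines and does not restrict.
$wikiData['settings'] = array_filter(
	$wikiData['settings'],
	static function ( $setting ) use ( $settingsConfig ) {
		return isset( $settingsConfig[$setting] )
			&& !isset( $settingsConfig[$setting]['requires']['visibility']['permissions'] );
	},
	ARRAY_FILTER_USE_KEY
);
```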