Skip to content
Permalink
Browse files Browse the repository at this point in the history
SECURITY: fix PoolCounter protection of Special:Contributions
The call to $pager->getNumRows() itself triggers execution of
the database query backing the page, so, that call must be inside
the callback given to PoolCounterWorkViaCallback.

CVE-2021-41800

Bug: T284419
Change-Id: I8b7b41a355be265389a4a8c9ea91301d4e23ae1b
  • Loading branch information
cdanis authored and reedy committed Sep 30, 2021
1 parent b9922ce commit 781caf8
Showing 1 changed file with 17 additions and 15 deletions.
32 changes: 17 additions & 15 deletions includes/specials/SpecialContributions.php
Expand Up @@ -310,8 +310,6 @@ public function execute( $par ) {
$limits = $this->getConfig()->get( 'RangeContributionsCIDRLimit' );
$limit = $limits[ IPUtils::isIPv4( $target ) ? 'IPv4' : 'IPv6' ];
$out->addWikiMsg( 'sp-contributions-outofrange', $limit );
} elseif ( !$pager->getNumRows() ) {
$out->addWikiMsg( 'nocontribs', $target );
} else {
// @todo We just want a wiki ID here, not a "DB domain", but
// current status of MediaWiki conflates the two. See T235955.
Expand All @@ -322,20 +320,24 @@ public function execute( $par ) {
$poolKey .= 'u:' . $this->getUser()->getId();
}
$work = new PoolCounterWorkViaCallback( 'SpecialContributions', $poolKey, [
'doWork' => function () use ( $pager, $out ) {
# Show a message about replica DB lag, if applicable
$lag = $pager->getDatabase()->getSessionLagStatus()['lag'];
if ( $lag > 0 ) {
$out->showLagWarning( $lag );
'doWork' => function () use ( $pager, $out, $target ) {
if ( !$pager->getNumRows() ) {
$out->addWikiMsg( 'nocontribs', $target );
} else {
# Show a message about replica DB lag, if applicable
$lag = $pager->getDatabase()->getSessionLagStatus()['lag'];
if ( $lag > 0 ) {
$out->showLagWarning( $lag );
}

$output = $pager->getBody();
if ( !$this->including() ) {
$output = $pager->getNavigationBar() .
$output .
$pager->getNavigationBar();
}
$out->addHTML( $output );
}

$output = $pager->getBody();
if ( !$this->including() ) {
$output = $pager->getNavigationBar() .
$output .
$pager->getNavigationBar();
}
$out->addHTML( $output );
},
'error' => function () use ( $out ) {
$msg = $this->getUser()->isAnon()
Expand Down

0 comments on commit 781caf8

Please sign in to comment.