SECURITY: Prevent blocked users from purging pages

CVE-2021-35197 Bug: T280226 Change-Id: Id783618e885998cddf45a4cfc7b2c19fd0c7e9f5
wikimedia · Jun 23, 2021 · 7fc84bb · 7fc84bb
1 parent d262673
commit 7fc84bb
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/RELEASE-NOTES-1.36 b/RELEASE-NOTES-1.36
@@ -15,6 +15,7 @@ THIS IS NOT A RELEASE YET
 * (T235554) Disable DEFER_SET_LENGTH_AND_FLUSH headers to avoid HTTP errors.
 * (T278579) Don't send headers on ob_end_clean().
 * (T285287) MultiHttpClient: Replace PHP version check with defined().
+* (T280226, CVE-2021-35197) SECURITY: Prevent blocked users from purging pages.
 
 == MediaWiki 1.36.0 ==
 

diff --git a/includes/actions/PurgeAction.php b/includes/actions/PurgeAction.php
@@ -33,10 +33,6 @@ public function getName() {
 		return 'purge';
 	}
 
-	public function requiresUnblock() {
-		return false;
-	}
-
 	public function getDescription() {
 		return '';
 	}

diff --git a/includes/api/ApiPurge.php b/includes/api/ApiPurge.php
@@ -31,6 +31,14 @@ class ApiPurge extends ApiBase {
 	 * Purges the cache of a page
 	 */
 	public function execute() {
+		$user = $this->getUser();
+
+		// Fail early if the user is sitewide blocked.
+		$block = $user->getBlock();
+		if ( $block && $block->isSitewide() ) {
+			$this->dieBlocked( $block );
+		}
+
 		$params = $this->extractRequestParams();
 
 		$continuationManager = new ApiContinuationManager( $this, [], [] );
@@ -42,7 +50,6 @@ public function execute() {
 		$pageSet->execute();
 
 		$result = $pageSet->getInvalidTitlesAndRevisions();
-		$user = $this->getUser();
 
 		foreach ( $pageSet->getGoodTitles() as $title ) {
 			$r = [];