Require CSRF token for action=scribunto-console

This is basically unexploitable, given that Scribunto sessions are "extremely ephemeral", protected by a 31-bit non-cryptographically random token and generally contain very little useful data. But, requiring a CSRF token is a best practice and since this module is internal and only used in one place, it's also unlikely to break anything. Because it needs a token, the module is POST-only now too. Bug: T212071 Change-Id: I7fb6b4f856ee6194eb37c26e14f178fea6c0a3f6
wikimedia · Oct 5, 2022 · 0f25852 · 0f25852
1 parent 5f007a0
commit 0f25852
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/includes/ApiScribuntoConsole.php b/includes/ApiScribuntoConsole.php
@@ -145,6 +145,10 @@ protected function newSession() {
 		];
 	}
 
+	public function needsToken() {
+		return 'csrf';
+	}
+
 	public function isInternal() {
 		return true;
 	}

diff --git a/modules/ext.scribunto.edit.js b/modules/ext.scribunto.edit.js
@@ -280,7 +280,7 @@
 		api = new mw.Api();
 		setPending();
 
-		api.post( params )
+		api.postWithToken( 'csrf', params )
 			.done( function ( result ) {
 				if ( result.sessionIsNew === '' && !sentContent ) {
 					// Session was lost. Resend query, with content