Page MenuHomePhabricator
Files F14766178

0003-SECURITY-URL-parsing-for-log-switching.patch
Ejegg (Elliott Eggleston)
Actions

Authored By
Ejegg
Mar 8 2018, 8:54 PM
Size
1 KB
Referenced Files
None
Subscribers
None

0003-SECURITY-URL-parsing-for-log-switching.patch
View Options

From 68587ba4cf7956480c45caa817505a1eaf557107 Mon Sep 17 00:00:00 2001
From: Andrew Green <andrew.green.df@gmail.com>
Date: Mon, 5 Mar 2018 10:22:02 -0600
Subject: [PATCH 3/3] SECURITY: URL parsing for log switching
This issue is not exploitable, but should make the
code more robust against future changes.
Change-Id: I3cdc3d582e224dee0311b991544892f4a5ad47fb
Co-authored-by: Brian Wolff <bawolff+wn@gmail.com>
Bug: T171987
---
CentralNotice.modules.php | 3 ++-
resources/infrastructure/centralnotice.js | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CentralNotice.modules.php b/CentralNotice.modules.php
index 2f3ec05..2fc0789 100644
--- a/CentralNotice.modules.php
+++ b/CentralNotice.modules.php
@@ -50,7 +50,8 @@ $wgResourceModules[ 'ext.centralNotice.adminUi' ] = array(
'remoteExtPath' => 'CentralNotice/resources',
'dependencies' => array(
'jquery.ui.datepicker',
- 'jquery.ui.multiselect'
+ 'jquery.ui.multiselect',
+ 'mediawiki.Uri'
),
'scripts' => 'infrastructure/centralnotice.js',
'styles' => array(
diff --git a/resources/infrastructure/centralnotice.js b/resources/infrastructure/centralnotice.js
index 25d728a..dbbae60 100644
--- a/resources/infrastructure/centralnotice.js
+++ b/resources/infrastructure/centralnotice.js
@@ -39,8 +39,9 @@ window.toggleFilterDisplay = function () {
// Switch among various log displays
window.switchLogs = function ( baseUrl, logType ) {
+ var url = new mw.Uri( baseUrl );
encodeURIComponent( logType );
- location.href = baseUrl + '?log=' + logType;
+ location.href = url.extend( { log: logType } ).toString();
};
window.addEventListener( 'message', receiveMessage, false );
--
2.16.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5608039
Default Alt Text
0003-SECURITY-URL-parsing-for-log-switching.patch (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL