
T85855-REL1_19.patch

Authored By
csteipp
Mar 27 2015, 10:01 PM

T85855-REL1_19.patch

From 5e022b1869946bfd7f3da4a2e235fc671b264096 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Fri, 27 Mar 2015 14:57:28 -0700
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview
Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.
Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
includes/EditPage.php | 15 ++++++++++-----
includes/OutputPage.php | 4 ++++
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/includes/EditPage.php b/includes/EditPage.php
index d00d911..07a5a07 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1988,11 +1988,16 @@ class EditPage {
if ( $this->isWrongCaseCssJsPage ) {
$wgOut->wrapWikiMsg( "<div class='error' id='mw-userinvalidcssjstitle'>\n$1\n</div>", array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() ) );
}
- if ( $this->formtype !== 'preview' ) {
- if ( $this->isCssSubpage )
- $wgOut->wrapWikiMsg( "<div id='mw-usercssyoucanpreview'>\n$1\n</div>", array( 'usercssyoucanpreview' ) );
- if ( $this->isJsSubpage )
- $wgOut->wrapWikiMsg( "<div id='mw-userjsyoucanpreview'>\n$1\n</div>", array( 'userjsyoucanpreview' ) );
+ if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
+ if ( $this->formtype !== 'preview' ) {
+ if ( $this->isCssSubpage ) {
+ $wgOut->wrapWikiMsg( "<div id='mw-usercssyoucanpreview'>\n$1\n</div>", array( 'usercssyoucanpreview' ) );
+ }
+
+ if ( $this->isJsSubpage ) {
+ $wgOut->wrapWikiMsg( "<div id='mw-userjsyoucanpreview'>\n$1\n</div>", array( 'userjsyoucanpreview' ) );
+ }
+ }
}
}
}
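Review bot: The new `isSubpageOf( $wgUser->getUserPage() )` guard carries no comment saying why the preview hint is withheld for other users' subpages, while the matching check in OutputPage.php in this same patch does; add `// Only offer the preview hint on the editor's own CSS/JS subpage; another user's code is never run on preview (T85855)` above it. The three nested ifs can also be flattened into one condition, `if ( $this->formtype !== 'preview' && $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {`, keeping only the two inner `isCssSubpage`/`isJsSubpage` branches. The block mixes `$this->mTitle` (wrong-case check just above) with `$this->getTitle()` (new line); one accessor is preferable. This hunk only controls a message — the enforcing check is the one in OutputPage.php — and the enclosing method starts before and continues past the hunk.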
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index e658c0e..20520bc 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2975,6 +2975,10 @@ $templates
if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
return false;
}
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
}
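Review bot: The docblock of userCanPreview(), which begins before this hunk, should record the narrowed contract: the method now returns false for any CSS/JS subpage that is not under the requesting user's own user page, before and regardless of the edit-permission check on the following line, so a caller that treated it as a pure permission test (e.g. an editor holding `editusercssjs` previewing someone else's page) sees a behaviour change. A line such as `@return bool True only for a CSS/JS subpage of the requesting user's own user page that the user may edit` would make that explicit. The inline comment here is good; it is worth stating as well that the EditPage.php change in this patch only hides the hint and this method is the enforcing check. For an anonymous user, `$this->getUser()->getUserPage()` presumably yields a User:<IP> title, so `User:<IP>/common.js` passes this guard and is left to the permission check on the next line — confirm that is the intended behaviour.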
--
1.8.4.5
