T85855-REL1_23.patch

From f9260bb5fe53a48c60fcb06bc2c2244b683236cf Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Fri, 27 Mar 2015 14:45:55 -0700
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview
Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.
Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
includes/EditPage.php | 14 ++++++++------
includes/OutputPage.php | 4 ++++
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 49faa9d..1fd23e2 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2518,13 +2518,15 @@ class EditPage {
if ( $this->isWrongCaseCssJsPage ) {
$wgOut->wrapWikiMsg( "<div class='error' id='mw-userinvalidcssjstitle'>\n$1\n</div>", array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() ) );
}
- if ( $this->formtype !== 'preview' ) {
- if ( $this->isCssSubpage ) {
- $wgOut->wrapWikiMsg( "<div id='mw-usercssyoucanpreview'>\n$1\n</div>", array( 'usercssyoucanpreview' ) );
- }
+ if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
+ if ( $this->formtype !== 'preview' ) {
+ if ( $this->isCssSubpage ) {
+ $wgOut->wrapWikiMsg( "<div id='mw-usercssyoucanpreview'>\n$1\n</div>", array( 'usercssyoucanpreview' ) );
+ }
- if ( $this->isJsSubpage ) {
- $wgOut->wrapWikiMsg( "<div id='mw-userjsyoucanpreview'>\n$1\n</div>", array( 'userjsyoucanpreview' ) );
+ if ( $this->isJsSubpage ) {
+ $wgOut->wrapWikiMsg( "<div id='mw-userjsyoucanpreview'>\n$1\n</div>", array( 'userjsyoucanpreview' ) );
+ }
}
}
}
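Review bot: The ownership test on the new `if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) )` line re-derives the same condition that this patch adds as the real execution gate in includes/OutputPage.php, so the "you can preview" hints and the actual decision to apply the CSS/JS can drift apart if either site is later edited alone. Prefer asking the output page's predicate from here instead of duplicating the check, or at least tie the two together with a comment such as `// Must stay in sync with the ownership check in OutputPage (T85855): only offer the preview hint when the preview would actually apply the CSS/JS.` The new line also reads the global `$wgUser` while the OutputPage hunk uses `$this->getUser()`; if EditPage has a request context available at this point, the context user would be the consistent choice. The enclosing method begins before this hunk.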
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 4a72ba3..59d9234 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3155,6 +3155,10 @@ $templates
if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
return false;
}
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
}
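Review bot: The added `isSubpageOf( $this->getUser()->getUserPage() )` check is the security gate of this patch, but the enclosing method starts outside this hunk and its docblock presumably still describes only the edit-permission test on the final `return` line; it should now state that only the current user's own CSS/JS subpages qualify, e.g. `Returns true only when the page is a CSS/JS subpage of the current user's own user page and that user may edit it; any other user's CSS/JS is never applied on preview (T85855).` For an anonymous user `getUserPage()` presumably resolves to the IP user page, so the new check fails closed there, which is the intended outcome but worth a short comment beside the new `return false`. A regression test that previews another user's common.js subpage and asserts the method returns false would keep this gate from being silently lost.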
--
1.8.4.5
