
bug66608-REL1_23.patch

Authored By
bzimport
Nov 22 2014, 3:10 AM
Size
2 KB

bug66608-REL1_23.patch

From 71e456de869328ca9a65a2378dee0bb3c25366ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Fri, 27 Jun 2014 00:15:03 +0000
Subject: [PATCH] Fix for XSS issue in bug 66608
Generate the URL used for loading a new page in Javascript,
instead of relying on the URL in the link that has been clicked
(as that could have been crafted by an attacker).
Bug: 66608
Change-Id: I19e2bf3af017a37c35cbadce9a70194aac693f33
---
includes/ImagePage.php | 2 ++
resources/Resources.php | 6 +++++-
.../src/mediawiki.page/mediawiki.page.image.pagination.js | 11 ++++++++++-
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/includes/ImagePage.php b/includes/ImagePage.php
index 997a948..a10f97f 100644
--- a/includes/ImagePage.php
+++ b/includes/ImagePage.php
@@ -447,6 +447,8 @@ class ImagePage extends Article {
if ( $page > 1 ) {
$label = $out->parse( wfMessage( 'imgmultipageprev' )->text(), false );
+ // on the client side, this link is generated in ajaxifyPageNavigation()
+ // in the mediawiki.page.image.pagination module
$link = Linker::linkKnown(
$this->getTitle(),
$label,
diff --git a/resources/Resources.php b/resources/Resources.php
index 18cb218..05af927 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1134,7 +1134,11 @@ return array(
),
'mediawiki.page.image.pagination' => array(
'scripts' => 'resources/src/mediawiki.page/mediawiki.page.image.pagination.js',
- 'dependencies' => array( 'jquery.spinner' )
+ 'dependencies' => array(
+ 'mediawiki.Uri',
+ 'mediawiki.util',
+ 'jquery.spinner',
+ )
),
/* MediaWiki Special pages */
diff --git a/resources/src/mediawiki.page/mediawiki.page.image.pagination.js b/resources/src/mediawiki.page/mediawiki.page.image.pagination.js
index 50301bd..80e6e45 100644
--- a/resources/src/mediawiki.page/mediawiki.page.image.pagination.js
+++ b/resources/src/mediawiki.page/mediawiki.page.image.pagination.js
@@ -60,7 +60,16 @@
function ajaxifyPageNavigation() {
// Intercept the default action of the links in the thumbnail navigation
$( '.multipageimagenavbox' ).one( 'click', 'a', function ( e ) {
- loadPage( this.href );
+ var page, uri;
+
+ // Generate the same URL on client side as the one generated in ImagePage::openShowImage.
+ // We avoid using the URL in the link directly since it could have been manipulated (bug 66608)
+ page = Number( mw.util.getParamValue( 'page', this.href ) );
+ uri = new mw.Uri( mw.util.wikiScript() )
+ .extend( { title: mw.config.get( 'wgPageName' ), page: page } )
+ .toString();
+
+ loadPage( uri );
e.preventDefault();
} );
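Review bot: The `page` value is still read from the clicked link's href and only coerced with `Number(...)`, so a missing parameter becomes 0 (`mw.util.getParamValue` returns null when the parameter is absent) and a non-numeric one becomes NaN, which `extend()` would then serialize into the request URL. The coercion does keep attacker-chosen strings out of the generated URL, and the title comes from `mw.config`, but the handler should accept only a positive integer before calling `loadPage`. Something like `page = parseInt( mw.util.getParamValue( 'page', this.href ), 10 );` followed by `if ( isNaN( page ) || page < 1 ) { page = 1; }` would do; whether page 1 is the right fallback should be confirmed against ImagePage::openShowImage. A short comment stating that `page` is the only value taken from the link, and why it is forced to a number, would help the next reader. The body of `ajaxifyPageNavigation` continues past the end of this hunk.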
--
1.9.2.msysgit.0
