bug65778b-REL1_23.patch

From 1723c4ecc864cedd33f07a6a3ee0938fb7322557 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Thu, 10 Jul 2014 12:16:29 -0700
Subject: [PATCH] SECURITY: Copy prevent-clickjacking between OutputPage and
ParserOutput
Special page transclusion returns an OutputPage, whose metadata is
copied into the ParserOutput, and then later back into an OutputPage.
The "preventClickjacking" flag should be part of that metadata.
Bug: 65778
Change-Id: I17d2720fb94bb383a92059e5adbf6c16ee3e9ef4
---
includes/OutputPage.php | 12 ++++++++++++
includes/parser/ParserOutput.php | 13 +++++++++++++
2 files changed, 25 insertions(+)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 052ab34..449f165 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1580,6 +1580,8 @@ class OutputPage extends ContextSource {
$this->addModuleStyles( $parserOutput->getModuleStyles() );
$this->addModuleMessages( $parserOutput->getModuleMessages() );
$this->addJsConfigVars( $parserOutput->getJsConfigVars() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking
+ || $parserOutput->preventClickjacking();
// Template versioning...
foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
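Review bot: The merge on lines 39–40 is deliberately one-way — once any ParserOutput folded into this OutputPage has the flag set, nothing in this method can clear it — and that intent deserves a comment so a later refactor does not "simplify" it into a plain assignment, e.g. `// Deny wins: a transcluded special page that requested X-Frame-Options: DENY keeps it for the whole page`. The same one-way OR appears in ParserOutput::addOutputPageMetadata at line 72 and should carry the same note. The enclosing method starts and ends outside this hunk.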
@@ -1880,6 +1882,16 @@ class OutputPage extends ContextSource {
}
/**
+ * Get the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @return boolean
+ */
+ public function getPreventClickjacking() {
+ return $this->mPreventClickjacking;
+ }
+
+ /**
* Get the X-Frame-Options header value (without the name part), or false
* if there isn't one. This is used by Skin to determine whether to enable
* JavaScript frame-breaking, for clients that don't support X-Frame-Options.
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index d1e3e58..054ee0d 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -56,6 +56,7 @@ class ParserOutput extends CacheTime {
private $mExtensionData = array(); # extra data used by extensions
private $mLimitReportData = array(); # Parser limit report data
private $mParseStartTime = array(); # Timestamps for getTimeSinceStart()
+ private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY
const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)(</(?:mw:)?editsection>))#';
@@ -352,6 +353,7 @@ class ParserOutput extends CacheTime {
$this->addJsConfigVars( $out->getJsConfigVars() );
$this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
}
/**
@@ -660,6 +662,17 @@ class ParserOutput extends CacheTime {
}
/**
+ * Get or set the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @param boolean|null $flag New flag value, or null to leave it unchanged
+ * @return boolean Old flag value
+ */
+ public function preventClickjacking( $flag = null ) {
+ return wfSetVar( $this->mPreventClickjacking, $flag );
+ }
+
+ /**
* Save space for for serialization by removing useless values
*/
function __sleep() {
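Review bot: The new `$mPreventClickjacking` property only survives the parser cache if `__sleep()` (signature on the last line of this hunk, body outside it) includes it; if that method enumerates the properties to keep rather than deriving them from the object, a cached ParserOutput would silently lose the flag and a cached special-page transclusion would render without the frame-busting header this patch is adding. Worth confirming, and worth pinning with a test that calls `preventClickjacking( true )`, round-trips the object through `serialize()`/`unserialize()`, and asserts `preventClickjacking()` is still true. A short reminder above the property (line 67 in the earlier hunk) such as `# Must be preserved by __sleep(): it is merged into OutputPage after parser-cache hits` would also help.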
--
1.9.2.msysgit.0
