From c0ae1e159b1dc17126b86b77276a3d6a3852707d Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Thu, 10 Jul 2014 12:16:29 -0700
Subject: [PATCH] SECURITY: Copy prevent-clickjacking between OutputPage and
ParserOutput
Special page transclusion returns an OutputPage, whose metadata is
copied into the ParserOutput, and then later back into an OutputPage.
The "preventClickjacking" flag should be part of that metadata.
Bug: 65778
Change-Id: I17d2720fb94bb383a92059e5adbf6c16ee3e9ef4
---
includes/OutputPage.php | 12 ++++++++++++
includes/parser/ParserOutput.php | 13 +++++++++++++
2 files changed, 25 insertions(+)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index a91d546..6c9442c 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1504,6 +1504,8 @@ class OutputPage extends ContextSource {
$this->addModuleScripts( $parserOutput->getModuleScripts() );
$this->addModuleStyles( $parserOutput->getModuleStyles() );
$this->addModuleMessages( $parserOutput->getModuleMessages() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking
+ || $parserOutput->preventClickjacking();
// Template versioning...
foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
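Review bot: The OR-merge on the two added lines makes the flag sticky — once either side has requested frame protection, no later metadata merge can clear it — which is the right direction for a security header, but nothing says so, and the same pattern recurs in the ParserOutput hunk at @@ -371. A short comment above the assignment would keep that intent from being "simplified" away later: `// Sticky: once any merged output asked for frame protection, keep it; never clear it here.` The enclosing method starts and ends outside this hunk.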
@@ -1802,6 +1804,16 @@ class OutputPage extends ContextSource {
}
/**
+ * Get the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @return boolean
+ */
+ public function getPreventClickjacking() {
+ return $this->mPreventClickjacking;
+ }
+
+ /**
* Get the X-Frame-Options header value (without the name part), or false
* if there isn't one. This is used by Skin to determine whether to enable
* JavaScript frame-breaking, for clients that don't support X-Frame-Options.
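Review bot: The two classes now expose the same flag under different names — OutputPage gets `getPreventClickjacking()` here while ParserOutput gets the wfSetVar-style `preventClickjacking( $flag = null )` — so the first hunk reads it as `$parserOutput->preventClickjacking()` and the ParserOutput merge as `$out->getPreventClickjacking()`. If OutputPage already has a `preventClickjacking( $flag = null )` accessor (this hunk does not show one), the new getter duplicates it and the merge site could call that instead; otherwise consider giving both classes the same accessor name. The docblock should also use the short type, `@return bool`.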
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 2d99a3b..ff3a611 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -142,6 +142,7 @@ class ParserOutput extends CacheTime {
$mTimestamp; # Timestamp of the revision
private $mIndexPolicy = ''; # 'index' or 'noindex'? Any other value will result in no change.
private $mAccessedOptions = array(); # List of ParserOptions (stored in the keys)
+ private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY
const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)(</(?:mw:)?editsection>))#';
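Review bot: The new property's comment hardcodes "X-Frame-Options: DENY", but the header value is decided by OutputPage (its getter documented in the first file says the value may even be false), so the comment overstates what this flag does; something like `# Whether this output asks OutputPage to send a frame-denying X-Frame-Options header` describes the contract without naming a value this class never emits. Separately, ParserOutput extends CacheTime and is presumably what the parser cache stores, so entries rendered before this change will unserialize with the default `false`: already-cached transclusions of special pages stay unprotected until they expire or are purged. That deployment caveat belongs in the commit message, or the cache version should be bumped if the project has one.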
@@ -371,6 +372,7 @@ class ParserOutput extends CacheTime {
$this->addModuleMessages( $out->getModuleMessages() );
$this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() );
+ $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
}
/**
@@ -447,4 +449,15 @@ class ParserOutput extends CacheTime {
function recordOption( $option ) {
$this->mAccessedOptions[$option] = true;
}
+
+ /**
+ * Get or set the prevent-clickjacking flag
+ *
+ * @since 1.24
+ * @param boolean|null $flag New flag value, or null to leave it unchanged
+ * @return boolean Old flag value
+ */
+ public function preventClickjacking( $flag = null ) {
+ return wfSetVar( $this->mPreventClickjacking, $flag );
+ }
}
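Review bot: `preventClickjacking( $flag = null )` stores whatever non-null `$flag` it is given unchanged via wfSetVar, so a caller passing a truthy string or int leaves a non-bool in a property the docblock types as boolean and the OR-merges elsewhere then rely on PHP truthiness; `return wfSetVar( $this->mPreventClickjacking, $flag === null ? null : (bool)$flag );` keeps the stored value a real bool while preserving the "null leaves it unchanged" behaviour. The docblock should also say that the no-argument form is the getter the OutputPage merge in the first file depends on, and use `bool|null` / `bool` rather than `boolean`.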
--
1.9.2.msysgit.0
T67778: When special pages are included, OutputPage::$mPreventClickjacking is not respected