
bug71111-REL1_23.patch


bug71111-REL1_23.patch

From c72524dfa0b97c841b809786c85dfd71941b48c6 Mon Sep 17 00:00:00 2001
From: Kevin Israel <pleasestand@live.com>
Date: Fri, 26 Sep 2014 00:38:07 -0400
Subject: [PATCH] SECURITY: Add edit token to Special:ExpandTemplates
On wikis that allow raw HTML, it is not safe to preview wikitext coming from
an untrusted source such as a cross-site request. Thus add an edit token to
the form, and when raw HTML is allowed, ensure the token is provided before
showing the preview.
Unfortunately, MediaWiki does not currently provide logged-out users with
CSRF protection; in that case, do not show the preview unless anonymous
editing is allowed (such wikis have been, and are still, vulnerable).
Change-Id: I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb
---
includes/specials/SpecialExpandTemplates.php | 27 +++++++++++++++++++++++++++
languages/i18n/en.json | 4 +++-
languages/i18n/qqq.json | 4 +++-
3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/includes/specials/SpecialExpandTemplates.php b/includes/specials/SpecialExpandTemplates.php
index 61925cf..822eb95 100644
--- a/includes/specials/SpecialExpandTemplates.php
+++ b/includes/specials/SpecialExpandTemplates.php
@@ -137,6 +137,9 @@ class SpecialExpandTemplates extends SpecialPage {
*/
private function makeForm( $title, $input ) {
$self = $this->getPageTitle();
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
$form = Xml::openElement(
'form',
array( 'method' => 'post', 'action' => $self->getLocalUrl() )
@@ -192,6 +195,7 @@ class SpecialExpandTemplates extends SpecialPage {
array( 'accesskey' => 's' )
) . '</p>';
$form .= "</fieldset>\n";
+ $form .= Html::hidden( 'wpEditToken', $user->getEditToken( '', $request ) );
$form .= Xml::closeElement( 'form' );
return $form;
@@ -244,6 +248,29 @@ class SpecialExpandTemplates extends SpecialPage {
private function showHtmlPreview( Title $title, $html, OutputPage $out ) {
$lang = $title->getPageViewLanguage();
$out->addHTML( "<h2>" . $this->msg( 'expand_templates_preview' )->escaped() . "</h2>\n" );
+
+ if ( $this->getConfig()->get( 'RawHtml' ) ) {
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
+ // To prevent cross-site scripting attacks, don't show the preview if raw HTML is
+ // allowed and a valid edit token is not provided (bug 71111). However, MediaWiki
+ // does not currently provide logged-out users with CSRF protection; in that case,
+ // do not show the preview unless anonymous editing is allowed.
+ if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
+ $error = array( 'expand_templates_preview_fail_html_anon' );
+ } elseif ( !$user->matchEditToken( $request->getVal( 'wpEditToken' ), '', $request ) ) {
+ $error = array( 'expand_templates_preview_fail_html' );
+ } else {
+ $error = false;
+ }
+
+ if ( $error ) {
+ $out->wrapWikiMsg( "<div class='previewnote'>\n$1\n</div>", $error );
+ return;
+ }
+ }
+
$out->addHTML( Html::openElement( 'div', array(
'class' => 'mw-content-' . $lang->getDir(),
'dir' => $lang->getDir(),
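Review bot: The `elseif` token check gives no cross-site protection for a logged-out user on a wiki that allows anonymous editing, because the first branch only rejects anons who cannot edit and the commit message itself states that logged-out users have no CSRF protection; the inline comment should say this plainly so a later maintainer does not read the `matchEditToken` call as covering that case. I would extend the comment to `// NOTE: when anonymous editing is allowed the token check below still runs, but it does not protect logged-out users; such wikis remain exposed (see commit message).` Separately, the `<h2>` preview heading is emitted before the check, so on failure the page shows an empty "Preview" section followed by the error note; moving the `$out->addHTML( "<h2>..." )` line below the `if ( $error ) { ...; return; }` block would avoid that. showHtmlPreview's body continues past the end of this hunk.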
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 68fe913..51ea901 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -3531,5 +3531,7 @@
"expand_templates_remove_nowiki": "Suppress <nowiki> tags in result",
"expand_templates_generate_xml": "Show XML parse tree",
"expand_templates_generate_rawhtml": "Show raw HTML",
- "expand_templates_preview": "Preview"
+ "expand_templates_preview": "Preview",
+ "expand_templates_preview_fail_html": "<em>Because {{SITENAME}} has raw HTML enabled and there was a loss of session data, the preview is hidden as a precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate preview attempt, please try again.</strong>\nIf it still does not work, try [[Special:UserLogout|logging out]] and logging back in.",
+ "expand_templates_preview_fail_html_anon": "<em>Because {{SITENAME}} has raw HTML enabled and you are not logged in, the preview is hidden as a precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate preview attempt, please [[Special:UserLogin|log in]] and try again.</strong>"
}
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index f69669b..e9bcd44 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -3694,5 +3694,7 @@
"expand_templates_remove_nowiki": "Option on [[Special:Expandtemplates]]\n\nHere's what the tick box does:\n\nFor:\n<pre>\n&lt;nowiki>test&lt;/nowiki>\n</pre>\n\nNot ticked:\n<pre>\n&lt;nowiki>test&lt;/nowiki>\n</pre>\n\nTicked:\n<pre>\ntest\n</pre>",
"expand_templates_generate_xml": "Used as checkbox label.",
"expand_templates_generate_rawhtml": "Used as checkbox label.",
- "expand_templates_preview": "{{Identical|Preview}}"
+ "expand_templates_preview": "{{Identical|Preview}}",
+ "expand_templates_preview_fail_html": "Used as error message in Preview section of [[Special:ExpandTemplates]] page.",
+ "expand_templates_preview_fail_html_anon": "Used as error message in Preview section of [[Special:ExpandTemplates]] page."
}
--
1.9.2.msysgit.0
