Page MenuHomePhabricator
Files F26664

SECURITY:_Don_t_execute_another_user_s_CSS_or_JS_on_preview
No One
Actions

Authored By
Anomie
Jan 5 2015, 9:34 PM
Size
1 KB
Referenced Files
None
Subscribers
None

SECURITY:_Don_t_execute_another_user_s_CSS_or_JS_on_preview
View Options

From 6fffd484113ba86a14056c2fe18d0ab4a3307813 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Mon, 5 Jan 2015 16:31:26 -0500
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview
Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.
Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
includes/OutputPage.php | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index f8d5ab7..ac771d2 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3275,6 +3275,10 @@ class OutputPage extends ContextSource {
if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
return false;
}
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
}
--
2.1.4

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
25488
Default Alt Text
SECURITY:_Don_t_execute_another_user_s_CSS_or_JS_on_preview (1 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL