F26664
SECURITY:_Don_t_execute_another_user_s_CSS_or_JS_on_preview
Authored By
Anomie
Jan 5 2015, 9:34 PM
2015-01-05 21:34:07 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
From 6fffd484113ba86a14056c2fe18d0ab4a3307813 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Mon, 5 Jan 2015 16:31:26 -0500
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview

Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.

Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
includes/OutputPage.php | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index f8d5ab7..ac771d2 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3275,6 +3275,10 @@ class OutputPage extends ContextSource {
if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
return false;
}
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
}
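Review bot: The new `isSubpageOf( $this->getUser()->getUserPage() )` guard ships without a test; the diffstat shows only includes/OutputPage.php changed. A regression test in which a user who is allowed to edit another user's JS or CSS subpage previews it, and this method returns false, would keep the fix from being silently undone by a later refactor. The inline comment could also carry the reason given in the commit message (someone asked to preview another user's common.js), because the `getUserPermissionsErrors( 'edit', $this->getUser() )` line that follows passes for any user who may edit the page, and a reader could otherwise take that check alone as sufficient.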
--
2.1.4
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
25488
Default Alt Text
SECURITY:_Don_t_execute_another_user_s_CSS_or_JS_on_preview (1 KB)
Attached To
Mode
T85855: Custom JavaScript may yield privilege escalation