disallowNonWikitext_T107170.patch

From 023ebee27c773f6fc74b4e258d8e3914b0183dba Mon Sep 17 00:00:00 2001
From: Matthew Flaschen <mflaschen@wikimedia.org>
Date: Thu, 30 Jul 2015 00:28:41 -0400
Subject: [PATCH] SECURITY: Disallow extracts for non-wikitext for now.
Note that the sensitive information is still in the TextExtracts
memcached, so this requires security review (and either eviction
or a cache key change) before enabling other content models.
Bug: T107170
---
includes/ApiQueryExtracts.php | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/includes/ApiQueryExtracts.php b/includes/ApiQueryExtracts.php
index 97c560f..efbbd52 100644
--- a/includes/ApiQueryExtracts.php
+++ b/includes/ApiQueryExtracts.php
@@ -43,6 +43,13 @@ class ApiQueryExtracts extends ApiQueryBase {
*/
private $config;
+ // TODO: Allow extensions to hook into this to opt-in.
+ // This is partly for security reasons; see T107170.
+ /**
+ * @var array
+ */
+ private $supportedContentModels = array( 'wikitext' );
+
public function __construct( $query, $moduleName, Config $conf ) {
parent::__construct( $query, $moduleName, 'ex' );
$this->config = $conf;
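Review bot: The allow-list spells the content model as the bare string `'wikitext'`, where MediaWiki's `CONTENT_MODEL_WIKITEXT` constant is the conventional name; with the strict `in_array` comparison added in the second hunk, a typo in this literal would silently disable every extract instead of failing at load time, so `private $supportedContentModels = array( CONTENT_MODEL_WIKITEXT );` is safer. The docblock's `@var array` could also say what the elements are, e.g. `@var string[] Content model IDs for which an extract may be returned`. The enclosing class continues outside the hunk.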
@@ -105,6 +112,13 @@ class ApiQueryExtracts extends ApiQueryBase {
* @return string
*/
private function getExtract( Title $title ) {
+ $contentModel = $title->getContentModel();
+ if ( !in_array( $contentModel, $this->supportedContentModels, true ) ) {
+ $this->setWarning( "'$contentModel' is not a supported content model. Returning an empty extract." );
+ return '';
+ }
+
+
$page = WikiPage::factory( $title );
$introOnly = $this->params['intro'];
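Review bot: The content-model guard only covers code paths that reach getExtract(); the commit message says previously generated extracts remain in the TextExtracts memcached, so if a cached extract is looked up before this method is called, a non-wikitext page extracted before this patch would still be served and the new check would not run. The cache read is outside this hunk, so I cannot confirm the ordering from here, but the guard (or the content model as part of the cache key) likely needs to sit ahead of any cache lookup as well. Minor style: there are two consecutive blank lines after `return '';` where one would do. getExtract's body continues outside the hunk.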
--
2.1.4
