
0001-SECURITY-Don-t-execute-another-user-s-CSS-or-JS-on-p.patch


0001-SECURITY-Don-t-execute-another-user-s-CSS-or-JS-on-p.patch

From 069dd04759a176dc00a0cc71c7e4d0753ef14abb Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Mon, 5 Jan 2015 16:31:26 -0500
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview
Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.
Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
includes/EditPage.php | 26 ++++++++++++++------------
includes/OutputPage.php | 4 ++++
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/includes/EditPage.php b/includes/EditPage.php
index 4370295..4706e8e 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2734,19 +2734,21 @@ class EditPage {
array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() )
);
}
- if ( $this->formtype !== 'preview' ) {
- if ( $this->isCssSubpage && $wgAllowUserCss ) {
- $wgOut->wrapWikiMsg(
- "<div id='mw-usercssyoucanpreview'>\n$1\n</div>",
- array( 'usercssyoucanpreview' )
- );
- }
+ if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
+ if ( $this->formtype !== 'preview' ) {
+ if ( $this->isCssSubpage && $wgAllowUserCss ) {
+ $wgOut->wrapWikiMsg(
+ "<div id='mw-usercssyoucanpreview'>\n$1\n</div>",
+ array( 'usercssyoucanpreview' )
+ );
+ }
- if ( $this->isJsSubpage && $wgAllowUserJs ) {
- $wgOut->wrapWikiMsg(
- "<div id='mw-userjsyoucanpreview'>\n$1\n</div>",
- array( 'userjsyoucanpreview' )
- );
+ if ( $this->isJsSubpage && $wgAllowUserJs ) {
+ $wgOut->wrapWikiMsg(
+ "<div id='mw-userjsyoucanpreview'>\n$1\n</div>",
+ array( 'userjsyoucanpreview' )
+ );
+ }
}
}
}
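Review bot: The new guard at the top of the hunk reads the title through `$this->getTitle()` while the line just above it (`$this->mTitle->getSkinFromCssJsSubpage()`) uses the property directly; within one method pick one form, e.g. `if ( $this->mTitle->isSubpageOf( $wgUser->getUserPage() ) ) {`. The owner test now exists twice, here against the global `$wgUser` and in the OutputPage hunk against `$this->getUser()`; if EditPage has a context user available, using it here would tie both checks to the same user object and make a later consolidation into one shared helper straightforward. The enclosing method starts and ends outside the hunk, so whether `$wgUser` is already declared `global` in it cannot be confirmed from this view.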
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index f8d5ab7..ac771d2 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3275,6 +3275,10 @@ class OutputPage extends ContextSource {
if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
return false;
}
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
}
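Review bot: The method's docblock lies above the hunk and, if it describes when user CSS/JS previews are executed, should now state the added owner restriction, e.g. `* Only a preview of a subpage of the current user's own user page is executed (T85855).` The inline comment on the new branch is helpful; the resulting order — subpage-type check, owner check, then the edit-permission lookup — refuses a non-owner before any permission query, which is both the cheaper and the safer ordering. The method's signature is outside the hunk.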
--
2.1.4
