
SECURITY: Disallow user CSS/JS when centralauthtoken is in use.patch

Authored By
Anomie
Sep 2 2016, 2:08 PM
Size
1 KB


From e6848adfd6f1949ffe821eae3d473c34b92e9dc7 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 2 Sep 2016 09:57:12 -0400
Subject: [PATCH] SECURITY: Disallow user CSS/JS when centralauthtoken is in
use
This prevents an attacker from putting something bad in their
User:Me/apioutput.js or User:Me/apioutput.css and then using
centralauthtoken to cause it to be loaded for some other user.
Bug: T144573
Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
---
includes/session/CentralAuthTokenSessionProvider.php | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/includes/session/CentralAuthTokenSessionProvider.php b/includes/session/CentralAuthTokenSessionProvider.php
index 161b3de..7662ffe 100644
--- a/includes/session/CentralAuthTokenSessionProvider.php
+++ b/includes/session/CentralAuthTokenSessionProvider.php
@@ -21,6 +21,7 @@ class CentralAuthTokenSessionProvider extends \MediaWiki\Session\SessionProvider
parent::__construct();
$wgHooks['APIGetAllowedParams'][] = $this;
+ $wgHooks['BeforePageDisplay'][] = $this;
}
/**
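Review bot: the new `$wgHooks['BeforePageDisplay'][] = $this;` registration is unconditional, so the handler will run on every page view once this provider is constructed, and the gating happens only inside the handler; that is consistent with the existing `APIGetAllowedParams` registration on the line above (which shows `$wgHooks` is already in scope), but a one-line comment saying why a session provider needs to hook page display would help the next reader.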
@@ -216,4 +217,21 @@ class CentralAuthTokenSessionProvider extends \MediaWiki\Session\SessionProvider
return true;
}
+ /**
+ * Prevent user scripts and styles when centralauthtoken is in use
+ * @param OutputPage $out
+ * @return bool
+ */
+ public function onBeforePageDisplay( $out ) {
+ if ( $out->getRequest()->getSession()->getProvider() instanceof CentralAuthTokenSessionProvider ) {
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ }
+ return true;
+ }
+
}
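Review bot: the doc comment "Prevent user scripts and styles when centralauthtoken is in use" overstates what the body does: both `reduceAllowedModules` calls lower the allowed origin to `ResourceLoaderModule::ORIGIN_USER_SITEWIDE`, which blocks per-user modules (the `User:Me/apioutput.js` case from the commit message) while still permitting sitewide user-origin modules. Suggest wording the comment as "Disallow per-user scripts and styles ..." so the intended scope is explicit, and consider a short comment above the `instanceof` check noting that the hook fires for every request, so this check is what limits the reduction to centralauthtoken sessions.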
--
2.9.3


Event Timeline

Anomie updated the name for this file from "0001-SECURITY-Disallow-user-CSS-JS-when-centralauthtoken-.patch" to "SECURITY: Disallow user CSS/JS when centralauthtoken is in use.patch". Sep 2 2016, 2:10 PM