F4426193
SECURITY: Disallow user CSS/JS when centralauthtoken is in use.patch
Anomie
Authored By
Anomie
Sep 2 2016, 2:08 PM (2016-09-02 14:08:57 UTC)
Size
1 KB
From e6848adfd6f1949ffe821eae3d473c34b92e9dc7 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 2 Sep 2016 09:57:12 -0400
Subject: [PATCH] SECURITY: Disallow user CSS/JS when centralauthtoken is in
use
This prevents an attacker from putting something bad in their
User:Me/apioutput.js or User:Me/apioutput.css and then using
centralauthtoken to cause it to be loaded for some other user.
Bug: T144573
Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
---
includes/session/CentralAuthTokenSessionProvider.php | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/includes/session/CentralAuthTokenSessionProvider.php b/includes/session/CentralAuthTokenSessionProvider.php
index 161b3de..7662ffe 100644
--- a/includes/session/CentralAuthTokenSessionProvider.php
+++ b/includes/session/CentralAuthTokenSessionProvider.php
@@ -21,6 +21,7 @@ class CentralAuthTokenSessionProvider extends \MediaWiki\Session\SessionProvider
parent::__construct();
$wgHooks['APIGetAllowedParams'][] = $this;
+ $wgHooks['BeforePageDisplay'][] = $this;
}
/**
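Review bot: registering the BeforePageDisplay handler from the constructor attaches it whenever the provider object exists, not only when a centralauthtoken session is the active one, so the provider check has to live inside the handler itself (onBeforePageDisplay does carry an instanceof test); a one-line comment beside `$wgHooks['BeforePageDisplay'][] = $this;` saying that the check is in the handler would stop a later cleanup from dropping it. The registration follows the same pattern as the APIGetAllowedParams line just above it, so no new global import is needed.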
@@ -216,4 +217,21 @@ class CentralAuthTokenSessionProvider extends \MediaWiki\Session\SessionProvider
return true;
}
+ /**
+ * Prevent user scripts and styles when centralauthtoken is in use
+ * @param OutputPage $out
+ * @return bool
+ */
+ public function onBeforePageDisplay( $out ) {
+ if ( $out->getRequest()->getSession()->getProvider() instanceof CentralAuthTokenSessionProvider ) {
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ }
+ return true;
+ }
+
}
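Review bot: the docblock on onBeforePageDisplay should say why ORIGIN_USER_SITEWIDE is the cap rather than a lower level: it still lets the site-wide user modules through and only drops the individual user modules, which is exactly the User:Me/apioutput.js and User:Me/apioutput.css vector the commit message describes, and a reader who later considers tightening or loosening the cap needs that reasoning next to the call. Two smaller points: BeforePageDisplay also passes the Skin as its second argument, so either accept `$skin` in the signature or note in the docblock that it is deliberately ignored; and the two reduceAllowedModules() calls differ only in the TYPE_* constant, so a short loop over `[ ResourceLoaderModule::TYPE_SCRIPTS, ResourceLoaderModule::TYPE_STYLES ]` would keep them in step if a third type ever needs the same cap.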
--
2.9.3
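To show what the origin cap in the patch actually filters, here is an added stand-alone PHP model of the mechanism; it is not code from the patch, from CentralAuth or from MediaWiki core. The ORIGIN_* values mirror the numeric ordering of ResourceLoaderModule's origin levels (core below site-wide below per-user), but the reduce/filter functions, the module list and its names are a simplified model written for this illustration, not MediaWiki's implementation.

```php
<?php
// Added example: stand-alone model of the origin cap applied by the patch.
// Not CentralAuth or MediaWiki code. The ORIGIN_* ordering mirrors
// ResourceLoaderModule's origin levels; everything else is a model built
// for illustration (assumption).

const ORIGIN_CORE_SITEWIDE   = 1;  // modules shipped with core / extensions
const ORIGIN_CORE_INDIVIDUAL = 2;  // core modules that vary per user
const ORIGIN_USER_SITEWIDE   = 3;  // wiki-wide, admin-edited pages (MediaWiki:Common.js)
const ORIGIN_USER_INDIVIDUAL = 4;  // per-user pages (User:X/common.js, User:X/apioutput.js)
const ORIGIN_ALL             = 10; // no restriction

/**
 * Lower the allowed origin for one module type; never raise it.
 * Models the min(current, level) behaviour of an origin cap.
 */
function reduceAllowedOrigin( array &$allowed, string $type, int $level ): void {
    $current = $allowed[$type] ?? ORIGIN_ALL;
    $allowed[$type] = min( $current, $level );
}

/**
 * Keep only modules whose origin does not exceed the cap for their type.
 * Anything above the cap is left out of the page entirely, which is how
 * a per-user script is kept out of the response.
 */
function filterModules( array $modules, array $allowed, string $type ): array {
    $cap = $allowed[$type] ?? ORIGIN_ALL;
    return array_values( array_filter(
        $modules,
        fn( array $m ) => $m['origin'] <= $cap
    ) );
}

// Constructed module list for a page view (names are illustrative).
$modules = [
    [ 'name' => 'core-module', 'origin' => ORIGIN_CORE_SITEWIDE ],   // shipped code
    [ 'name' => 'site',        'origin' => ORIGIN_USER_SITEWIDE ],   // MediaWiki:Common.js
    [ 'name' => 'user',        'origin' => ORIGIN_USER_INDIVIDUAL ], // User:Me/apioutput.js
];

$allowed = [ 'scripts' => ORIGIN_ALL, 'styles' => ORIGIN_ALL ];

// Ordinary session: no cap, so the per-user module is delivered too.
$before = array_column( filterModules( $modules, $allowed, 'scripts' ), 'name' );

// centralauthtoken session: apply the same cap the patch applies, to both types.
foreach ( [ 'scripts', 'styles' ] as $type ) {
    reduceAllowedOrigin( $allowed, $type, ORIGIN_USER_SITEWIDE );
}
$after = array_column( filterModules( $modules, $allowed, 'scripts' ), 'name' );

// The cap only ever tightens: a later call with a higher level is a no-op.
reduceAllowedOrigin( $allowed, 'scripts', ORIGIN_ALL );
$stillCapped = $allowed['scripts'] === ORIGIN_USER_SITEWIDE;

// Self-check of the model: 'site' survives, 'user' is gone, cap stays put.
if ( $before !== [ 'core-module', 'site', 'user' ]
    || $after !== [ 'core-module', 'site' ]
    || !$stillCapped
) {
    throw new RuntimeException( 'origin cap model did not behave as described' );
}

echo 'before cap: ' . implode( ', ', $before ) . "\n";
echo 'after cap:  ' . implode( ', ', $after ) . "\n";
```

The point the model makes is that the cap is a level, not a module blacklist: the site-wide module, which only administrators can edit, is still served under a centralauthtoken session, while every module at the per-user level is dropped without naming apioutput.js specifically, so the same fix covers any other per-user page that might be loaded on such a view.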
File Metadata
Mime Type
text/x-diff
Attached To
T144573: XSS using centralauthtoken and special:MyPage/apioutput.js
Event Timeline
Anomie updated the name for this file from "0001-SECURITY-Disallow-user-CSS-JS-when-centralauthtoken-.patch" to "SECURITY: Disallow user CSS/JS when centralauthtoken is in use.patch".
Sep 2 2016, 2:10 PM (2016-09-02 14:10:46 UTC)