T155277.patch
No One
Actions

Authored By

	Bawolff
	Feb 7 2017, 10:11 AM

Size

1 KB

Referenced Files

None

Subscribers

None

T155277.patch
View Options

	From dd6c6d0148253e9b8e2a9501e1af4872ae386047 Mon Sep 17 00:00:00 2001
	From: Brian Wolff <bawolff+wn@gmail.com>
	Date: Mon, 6 Feb 2017 05:46:13 +0000
	Subject: [PATCH] SECURITY: [XSS] Ensure portal url parameter is a valid title.

	TitleValue is not supposed to be used on untrusted input. This
	could lead to XSS on raw html wikis via a url like:
	?portal=ns:0}}<html><script>alert(1)</script></html>

	Bug: T155277
	---
	includes/PortalSpecialPage.php \| 9 ++++++---
	1 file changed, 6 insertions(+), 3 deletions(-)

	diff --git a/includes/PortalSpecialPage.php b/includes/PortalSpecialPage.php
	index 3e2f9d1..b68c30d 100644
	--- a/includes/PortalSpecialPage.php
	+++ b/includes/PortalSpecialPage.php
	@@ -93,10 +93,13 @@ class PortalSpecialPage extends UnlistedSpecialPage {
	throw new MWException( 'bad function name #2 in portal parameter' );
	}
	}
	- $tv = new TitleValue( NS_MODULE, $portal );
	- $info = "Module:{$tv->getText()}\|$func" . ( $func2 ? "\|$func2" : '' );
	+ $title = Title::makeTitleSafe( NS_MODULE, $portal );
	+ if ( !$title ) {
	+ throw new MWException( "Invalid portal module specified - $portal" );
	+ }
	+ $info = "Module:{$title->getText()}\|$func" . ( $func2 ? "\|$func2" : '' );
	$out->setHTMLTitle( $info );
	- $module = $tv->getDBkey();
	+ $module = $title->getDBkey();
	}
	// Zero administrators can use 'portal' parameter to see what another user would see
	$impersonate = $req->getVal( 'impersonate' );
	--
	1.9.5 (Apple Git-50.3)