Authored By: Bawolff
Date: Feb 7 2017, 10:11 AM (2017-02-07 10:11:25 UTC+0)
Size: 1 KB
T155277.patch
From dd6c6d0148253e9b8e2a9501e1af4872ae386047 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 6 Feb 2017 05:46:13 +0000
Subject: [PATCH] SECURITY: [XSS] Ensure portal url parameter is a valid title.
TitleValue is not supposed to be used on untrusted input. This
could lead to XSS on raw html wikis via a url like:
?portal=ns:0}}<html><script>alert(1)</script></html>
Bug: T155277
---
includes/PortalSpecialPage.php | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/includes/PortalSpecialPage.php b/includes/PortalSpecialPage.php
index 3e2f9d1..b68c30d 100644
--- a/includes/PortalSpecialPage.php
+++ b/includes/PortalSpecialPage.php
@@ -93,10 +93,13 @@ class PortalSpecialPage extends UnlistedSpecialPage {
throw new MWException( 'bad function name #2 in portal parameter' );
}
}
- $tv = new TitleValue( NS_MODULE, $portal );
- $info = "Module:{$tv->getText()}|$func" . ( $func2 ? "|$func2" : '' );
+ $title = Title::makeTitleSafe( NS_MODULE, $portal );
+ if ( !$title ) {
+ throw new MWException( "Invalid portal module specified - $portal" );
+ }
+ $info = "Module:{$title->getText()}|$func" . ( $func2 ? "|$func2" : '' );
$out->setHTMLTitle( $info );
- $module = $tv->getDBkey();
+ $module = $title->getDBkey();
}
// Zero administrators can use 'portal' parameter to see what another user would see
$impersonate = $req->getVal( 'impersonate' );
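Review bot: The added line `throw new MWException( "Invalid portal module specified - $portal" );` interpolates the rejected, unvalidated `$portal` value verbatim into the exception message; since the whole point of this change is that the parameter is untrusted, either drop the raw value from the message or confirm that the exception rendering path HTML-escapes it, so the bad input is not echoed into a page unescaped after being refused as a title. The `Title::makeTitleSafe( NS_MODULE, $portal )` call with the `if ( !$title )` guard is the right replacement for `new TitleValue(...)`, because makeTitleSafe returns null for input that is not a valid title instead of building an object around arbitrary text; note that `$title->getText()` is now a normalized title (capitalization and underscore handling applied), so the `Module:` string passed to `setHTMLTitle` may differ slightly from the raw parameter the old code used.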
--
1.9.5 (Apple Git-50.3)
Attached To: T155277: XSS in ZeroPortal against users with zero-edit rights