
T48143-master.patch

Authored By
Reedy
Mar 30 2017, 11:57 PM

T48143-master.patch

From 782350a4ad7dfafe3cec2761c940ab417de32846 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Thu, 10 Mar 2016 20:08:06 -0500
Subject: [PATCH] [SECURITY] Always normalize link url before
adding to ParserOutput
Move link normalization directly into addExternalLink() method,
since you always need to do it - having it separate is just
inviting people to forget to normalize a link.
Additionally, links weren't properly registered for <gallery>.
This was somewhat unnoticed, as the call to recursiveTagParse()
would register free links, but it wouldn't work for example with
protocol relative links.
Issue originally reported by MZMcBride.
Bug: T48143
Change-Id: I557fb3b433ef9d618097b6ba4eacc6bada250ca2
---
includes/parser/Parser.php | 11 ++++-------
includes/parser/ParserOutput.php | 4 ++++
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 47d9a62..edf43a2 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -1610,9 +1610,7 @@ class Parser {
true, 'free',
$this->getExternalLinkAttribs( $url ), $this->mTitle );
# Register it in the output object...
- # Replace unnecessary URL escape codes with their equivalent characters
- $pasteurized = self::normalizeLinkUrl( $url );
- $this->mOutput->addExternalLink( $pasteurized );
+ $this->mOutput->addExternalLink( $url );
}
return $text . $trail;
}
@@ -1908,10 +1906,7 @@ class Parser {
$this->getExternalLinkAttribs( $url ), $this->mTitle ) . $dtrail . $trail;
# Register link in the output object.
- # Replace unnecessary URL escape codes with the referenced character
- # This prevents spammers from hiding links from the filters
- $pasteurized = self::normalizeLinkUrl( $url );
- $this->mOutput->addExternalLink( $pasteurized );
+ $this->mOutput->addExternalLink( $url );
}
return $s;
@@ -5086,9 +5081,11 @@ class Parser {
}
if ( preg_match( "/^($prots)$addr$chars*$/u", $linkValue ) ) {
$link = $linkValue;
+ $this->mOutput->addExternalLink( $link );
} else {
$localLinkTitle = Title::newFromText( $linkValue );
if ( $localLinkTitle !== null ) {
+ $this->mOutput->addLink( $localLinkTitle );
$link = $localLinkTitle->getLinkURL();
}
}
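Review bot: The two registrations added in the gallery branch (`addExternalLink( $link )` and `addLink( $localLinkTitle )`) come without a regression test; the diffstat lists only Parser.php and ParserOutput.php, although the commit message names protocol-relative gallery links as the case that went unregistered. A parser test that renders a gallery with a protocol-relative link target and asserts the URL appears in the ParserOutput's external links would keep link-filter coverage from silently regressing. A one-line comment above the first call, such as `# Register the target in the output object so link filters see gallery links too`, would record why the calls are there. The enclosing function starts and ends outside the hunk.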
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index b2f99b3..7de3b30 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -535,6 +535,10 @@ class ParserOutput extends CacheTime {
# We don't register links pointing to our own server, unless... :-)
global $wgServer, $wgRegisterInternalExternals;
+ # Replace unnecessary URL escape codes with the referenced character
+ # This prevents spammers from hiding links from the filters
+ $url = parser::normalizeLinkUrl( $url );
+
$registerExternalLink = true;
if ( !$wgRegisterInternalExternals ) {
$registerExternalLink = !self::isLinkInternal( $wgServer, $url );
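Review bot: The added call is spelled `parser::normalizeLinkUrl( $url )` with a lowercase class name, while the class is declared as `Parser`. PHP resolves class names case-insensitively once a class is loaded, but an autoloader lookup may be case-sensitive, so this can fail if ParserOutput is reached before Parser has been loaded. Write it as `$url = Parser::normalizeLinkUrl( $url );`. Because addExternalLink() is now the single point where the URL is normalized before the internal-link check and registration, its doc comment should say that callers pass the raw URL; whether a caller that already normalizes is harmed depends on normalizeLinkUrl() being idempotent, which is not visible here. The method starts and ends outside the hunk.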
--
2.9.3
