F72106448
01-T416090-REL1_44.patch
matmarex (Bartosz Dziewoński)
Authored By
matmarex
Feb 15 2026, 1:02 AM
2026-02-15 01:02:36 (UTC+0)
Size
1 KB
01-T416090-REL1_44.patch
From 088c70d65c5c73e20d475829cf871af2d0809169 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Bartosz=20Dziewo=C5=84ski?= <dziewonski@fastmail.fm>
Date: Sun, 15 Feb 2026 01:47:56 +0100
Subject: [PATCH] SECURITY: Validate link target for protection indicators help
page
Bug: T416090
Change-Id: I5fa630ca3d00e3bc98b732320ab9ffc8ff95491c
---
includes/page/Article.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/includes/page/Article.php b/includes/page/Article.php
index fb3a6377791..d57fe971ae7 100644
--- a/includes/page/Article.php
+++ b/includes/page/Article.php
@@ -54,6 +54,7 @@ use MediaWiki\Revision\BadRevisionException;
use MediaWiki\Revision\RevisionRecord;
use MediaWiki\Revision\RevisionStore;
use MediaWiki\Revision\SlotRecord;
+use MediaWiki\Skin\Skin;
use MediaWiki\Status\Status;
use MediaWiki\Title\Title;
use MediaWiki\User\Options\UserOptionsLookup;
@@ -663,7 +664,7 @@ class Article implements Page {
if ( $protectionHelpLink->isDisabled() ) {
$protectionHelpLink = 'https://mediawiki.org/wiki/Special:MyLanguage/Help:Protection';
} else {
- $protectionHelpLink = $protectionHelpLink->text();
+ $protectionHelpLink = Skin::makeInternalOrExternalUrl( $protectionHelpLink->text() );
}
$outputPage->setIndicators( [
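Review bot: The new else-branch uses the return value of `Skin::makeInternalOrExternalUrl()` without checking it, so message text that is neither a URL with an allowed protocol nor a parseable title may leave the indicator with an empty or placeholder href. The helper's body is not visible here, so confirm what it returns for unparseable input. If it can return an empty string, fall back to the default link, for example by hoisting the mediawiki.org URL into a local (name constructed for illustration) and writing `$protectionHelpLink = Skin::makeInternalOrExternalUrl( $protectionHelpLink->text() ) ?: $defaultHelpLink;`. A comment on the changed line such as `// Message text is wiki-editable: resolve it to a local page URL or an allowed-protocol external URL, never use it raw as an href` would record why the validation is there. The enclosing method starts and ends outside the hunk, so how the value is escaped when the indicator HTML is built cannot be checked from here; a regression test covering a plain page name, an external URL and a disallowed scheme would pin the intended behaviour.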
--
2.45.1.windows.1
Attached To
T416090: CVE-2026-34094: Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix