bug-34907-v2.patch
Public
Actions

Authored By

	• bzimport
	Nov 22 2014, 12:19 AM

Size

11 KB

Referenced Files

None

Subscribers

None

bug-34907-v2.patch
View Options

	Index: RELEASE-NOTES-1.19
	===================================================================
	--- RELEASE-NOTES-1.19 (revision 113338)
	+++ RELEASE-NOTES-1.19 (working copy)
	@@ -24,6 +24,7 @@
	* (bug 32239) Removed $wgEnableTooltipsAndAccesskeys.
	* Removed $wgVectorShowVariantName.
	* Removed $wgExtensionAliasesFiles. Use $wgExtensionMessagesFiles.
	+* Removed $wgResourceLoaderInlinePrivateModules , now always enabled.

	=== New features in 1.19 ===
	* (bug 19838) Add ability to get all interwiki prefixes also if the interwiki
	@@ -261,6 +262,8 @@
	* (bug 34604) [mw.config] wgActionPaths should be an object instead of a numeral
	array.
	* (bug 29753) mw.util.tooltipAccessKeyPrefix should be alt-shift for Chrome on Windows
	+* (bug 34907) Fixed exposure of tokens through load.php that could have facilitated
	+ CSRF attacks

	=== API changes in 1.19 ===
	* Made action=edit less likely to return "unknownerror", by returning the actual error
	Index: includes/OutputPage.php
	===================================================================
	--- includes/OutputPage.php (revision 113338)
	+++ includes/OutputPage.php (working copy)
	@@ -2505,7 +2505,7 @@
	* @return string html <script> and <style> tags
	*/
	protected function makeResourceLoaderLink( $modules, $only, $useESI = false, array $extraQuery = array(), $loadCall = false ) {
	- global $wgResourceLoaderUseESI, $wgResourceLoaderInlinePrivateModules;
	+ global $wgResourceLoaderUseESI;

	if ( !count( $modules ) ) {
	return '';
	@@ -2584,10 +2584,11 @@
	continue;
	}

	- // Support inlining of private modules if configured as such. Note that these
	- // modules should be loaded from getHeadScripts() before the first loader call.
	- // Otherwise other modules can't properly use them as dependencies (bug 30914)
	- if ( $group === 'private' && $wgResourceLoaderInlinePrivateModules ) {
	+ // Inline private modules. These can't be loaded through load.php for security
	+ // reasons, see bug 34907. Note that these modules should be loaded from
	+ // getHeadScripts() before the first loader call. Otherwise other modules can't
	+ // properly use them as dependencies (bug 30914)
	+ if ( $group === 'private' ) {
	if ( $only == ResourceLoaderModule::TYPE_STYLES ) {
	$links .= Html::inlineStyle(
	$resourceLoader->makeModuleResponse( $context, $modules )
	Index: includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php
	===================================================================
	--- includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php (revision 113338)
	+++ includes/resourceloader/ResourceLoaderUserCSSPrefsModule.php (working copy)
	@@ -44,41 +44,18 @@
	}

	global $wgUser;
	-
	- if ( $context->getUser() === $wgUser->getName() ) {
	- return $this->modifiedTime[$hash] = wfTimestamp( TS_UNIX, $wgUser->getTouched() );
	- } else {
	- return 1;
	- }
	+ return $this->modifiedTime[$hash] = wfTimestamp( TS_UNIX, $wgUser->getTouched() );
	}
	-
	- /**
	- * Fetch the context's user options, or if it doesn't match current user,
	- * the default options.
	- *
	- * @param $context ResourceLoaderContext: Context object
	- * @return Array: List of user options keyed by option name
	- */
	- protected function contextUserOptions( ResourceLoaderContext $context ) {
	- global $wgUser;
	-
	- // Verify identity -- this is a private module
	- if ( $context->getUser() === $wgUser->getName() ) {
	- return $wgUser->getOptions();
	- } else {
	- return User::getDefaultOptions();
	- }
	- }

	/**
	* @param $context ResourceLoaderContext
	* @return array
	*/
	public function getStyles( ResourceLoaderContext $context ) {
	- global $wgAllowUserCssPrefs;
	+ global $wgAllowUserCssPrefs, $wgUser;

	if ( $wgAllowUserCssPrefs ) {
	- $options = $this->contextUserOptions( $context );
	+ $options = $wgUser->getOptions();

	// Build CSS rules
	$rules = array();
	Index: includes/resourceloader/ResourceLoader.php
	===================================================================
	--- includes/resourceloader/ResourceLoader.php (revision 113338)
	+++ includes/resourceloader/ResourceLoader.php (working copy)
	@@ -173,7 +173,7 @@
	$cache->set( $key, $result );
	} catch ( Exception $exception ) {
	// Return exception as a comment
	- $result = "/\n{$exception->__toString()}\n/\n";
	+ $result = $this->makeComment( $exception->__toString() );
	}

	wfProfileOut( __METHOD__ );
	@@ -431,13 +431,20 @@
	ob_start();

	wfProfileIn( __METHOD__ );
	- $exceptions = '';
	+ $errors = '';

	// Split requested modules into two groups, modules and missing
	$modules = array();
	$missing = array();
	foreach ( $context->getModules() as $name ) {
	if ( isset( $this->moduleInfos[$name] ) ) {
	+ $module = $this->getModule( $name );
	+ // Do not allow private modules to be loaded from the web.
	+ // This is a security issue, see bug 34907.
	+ if ( $module->getGroup() === 'private' ) {
	+ $errors .= $this->makeComment( "Cannot show private module \"$name\"" );
	+ continue;
	+ }
	$modules[$name] = $this->getModule( $name );
	} else {
	$missing[] = $name;
	@@ -449,12 +456,11 @@
	$this->preloadModuleInfo( array_keys( $modules ), $context );
	} catch( Exception $e ) {
	// Add exception to the output as a comment
	- $exceptions .= "/\n{$e->__toString()}\n/\n";
	+ $errors .= $this->makeComment( $e->__toString() );
	}

	wfProfileIn( __METHOD__.'-getModifiedTime' );

	- $private = false;
	// To send Last-Modified and support If-Modified-Since, we need to detect
	// the last modified time
	$mtime = wfTimestamp( TS_UNIX, $wgCacheEpoch );
	@@ -463,22 +469,18 @@
	* @var $module ResourceLoaderModule
	*/
	try {
	- // Bypass Squid and other shared caches if the request includes any private modules
	- if ( $module->getGroup() === 'private' ) {
	- $private = true;
	- }
	// Calculate maximum modified time
	$mtime = max( $mtime, $module->getModifiedTime( $context ) );
	} catch ( Exception $e ) {
	// Add exception to the output as a comment
	- $exceptions .= "/\n{$e->__toString()}\n/\n";
	+ $errors .= $this->makeComment( $e->__toString() );
	}
	}

	wfProfileOut( __METHOD__.'-getModifiedTime' );

	// Send content type and cache related headers
	- $this->sendResponseHeaders( $context, $mtime, $private );
	+ $this->sendResponseHeaders( $context, $mtime );

	// If there's an If-Modified-Since header, respond with a 304 appropriately
	if ( $this->tryRespondLastModified( $context, $mtime ) ) {
	@@ -490,20 +492,20 @@
	$response = $this->makeModuleResponse( $context, $modules, $missing );

	// Prepend comments indicating exceptions
	- $response = $exceptions . $response;
	+ $response = $errors . $response;

	// Capture any PHP warnings from the output buffer and append them to the
	// response in a comment if we're in debug mode.
	if ( $context->getDebug() && strlen( $warnings = ob_get_contents() ) ) {
	- $response = "/\n$warnings\n/\n" . $response;
	+ $response = $this->makeComment( $warnings ) . $response;
	}

	// Remove the output buffer and output the response
	ob_end_clean();
	echo $response;

	- // Save response to file cache unless there are private modules or errors
	- if ( isset( $fileCache ) && !$private && !$exceptions && !$missing ) {
	+ // Save response to file cache unless there are errors
	+ if ( isset( $fileCache ) && !$errors && !$missing ) {
	// Cache single modules...and other requests if there are enough hits
	if ( ResourceFileCache::useFileCache( $context ) ) {
	if ( $fileCache->isCacheWorthy() ) {
	@@ -521,10 +523,9 @@
	* Send content type and last modified headers to the client.
	* @param $context ResourceLoaderContext
	* @param $mtime string TS_MW timestamp to use for last-modified
	- * @param $private bool True iff response contains any private modules
	* @return void
	*/
	- protected function sendResponseHeaders( ResourceLoaderContext $context, $mtime, $private ) {
	+ protected function sendResponseHeaders( ResourceLoaderContext $context, $mtime ) {
	global $wgResourceLoaderMaxage;
	// If a version wasn't specified we need a shorter expiry time for updates
	// to propagate to clients quickly
	@@ -548,13 +549,8 @@
	header( 'Cache-Control: private, no-cache, must-revalidate' );
	header( 'Pragma: no-cache' );
	} else {
	- if ( $private ) {
	- header( "Cache-Control: private, max-age=$maxage" );
	- $exp = $maxage;
	- } else {
	- header( "Cache-Control: public, max-age=$maxage, s-maxage=$smaxage" );
	- $exp = min( $maxage, $smaxage );
	- }
	+ header( "Cache-Control: public, max-age=$maxage, s-maxage=$smaxage" );
	+ $exp = min( $maxage, $smaxage );
	header( 'Expires: ' . wfTimestamp( TS_RFC2822, $exp + time() ) );
	}
	}
	@@ -651,6 +647,11 @@
	return false; // cache miss
	}

	+ protected function makeComment( $text ) {
	+ $encText = str_replace( '/', ' /', $text );
	+ return "/\n$encText\n/\n";
	+ }
	+
	/**
	* Generates code for a response
	*
	@@ -675,7 +676,7 @@
	$blobs = MessageBlobStore::get( $this, $modules, $context->getLanguage() );
	} catch ( Exception $e ) {
	// Add exception to the output as a comment
	- $exceptions .= "/\n{$e->__toString()}\n/\n";
	+ $exceptions .= $this->makeComment( $e->__toString() );
	}
	} else {
	$blobs = array();
	@@ -754,7 +755,7 @@
	}
	} catch ( Exception $e ) {
	// Add exception to the output as a comment
	- $exceptions .= "/\n{$e->__toString()}\n/\n";
	+ $exceptions .= $this->makeComment( $e->__toString() );

	// Register module as missing
	$missing[] = $name;
	Index: includes/resourceloader/ResourceLoaderUserOptionsModule.php
	===================================================================
	--- includes/resourceloader/ResourceLoaderUserOptionsModule.php (revision 113338)
	+++ includes/resourceloader/ResourceLoaderUserOptionsModule.php (working copy)
	@@ -42,41 +42,19 @@
	if ( isset( $this->modifiedTime[$hash] ) ) {
	return $this->modifiedTime[$hash];
	}
	-
	+
	global $wgUser;
	-
	- if ( $context->getUser() === $wgUser->getName() ) {
	- return $this->modifiedTime[$hash] = wfTimestamp( TS_UNIX, $wgUser->getTouched() );
	- } else {
	- return 1;
	- }
	+ return $this->modifiedTime[$hash] = wfTimestamp( TS_UNIX, $wgUser->getTouched() );
	}

	/**
	- * Fetch the context's user options, or if it doesn't match current user,
	- * the default options.
	- *
	- * @param $context ResourceLoaderContext: Context object
	- * @return Array: List of user options keyed by option name
	- */
	- protected function contextUserOptions( ResourceLoaderContext $context ) {
	- global $wgUser;
	-
	- // Verify identity -- this is a private module
	- if ( $context->getUser() === $wgUser->getName() ) {
	- return $wgUser->getOptions();
	- } else {
	- return User::getDefaultOptions();
	- }
	- }
	-
	- /**
	* @param $context ResourceLoaderContext
	* @return string
	*/
	public function getScript( ResourceLoaderContext $context ) {
	+ global $wgUser;
	return Xml::encodeJsCall( 'mw.user.options.set',
	- array( $this->contextUserOptions( $context ) ) );
	+ array( $wgUser->getOptions() ) );
	}

	/**
	Index: includes/DefaultSettings.php
	===================================================================
	--- includes/DefaultSettings.php (revision 113338)
	+++ includes/DefaultSettings.php (working copy)
	@@ -2582,13 +2582,6 @@
	);

	/**
	- * Whether to embed private modules inline with HTML output or to bypass
	- * caching and check the user parameter against $wgUser to prevent
	- * unauthorized access to private modules.
	- */
	-$wgResourceLoaderInlinePrivateModules = true;
	-
	-/**
	* The default debug mode (on/off) for of ResourceLoader requests. This will still
	* be overridden when the debug URL parameter is used.
	*/

File Metadata

Mime Type: text/x-diff
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 8694
Default Alt Text: bug-34907-v2.patch (11 KB)

bug-34907-v2.patchPublicActions

bug-34907-v2.patchView Options

File Metadata

Event Timeline

bug-34907-v2.patch
Public
Actions

bug-34907-v2.patch
View Options