From 33b7c11dedde893dd3a798f99ff4ab3ee598e912 Mon Sep 17 00:00:00 2001
From: Nick Jenkins
Date: Thu, 19 Oct 2006 08:18:19 +0000
Subject: [PATCH] * Don't give attackers an opening by echoing back known bad parameter inputs. * Create magic links only using a whitelist of protocols. Have no proof of vuln, but allowing the user to make JavaScript links and have a lot of control over what goes into them probably isn't desirable. Example attack input: http://en.wikipedia.org/w/api.php?action=query&meta=javascript://**/alert(1); Example pre-patch HTML output contains this string: javascript://**/alert(1); Which doesn't work, due to: 1) the double slash - one slash someone can work around by faking a C-style comment (by appending "**/" as shown above), but two is a problem 2) the parentheses being excluded, so we can't pass parameters ... but best to put a stop to it anyway.
---
 includes/api/ApiBase.php | 2 +-
 includes/api/ApiFormatBase.php | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index b37ed66a7d..719d724127 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -356,7 +356,7 @@ abstract class ApiBase {
 if (is_array($allowedValues)) {
 $unknownValues = array_diff($valuesList, $allowedValues);
 if ($unknownValues) {
- $this->dieUsage('Unrecognised value' . (count($unknownValues) > 1 ? "s '" : " '") . implode("', '", $unknownValues) . "' for parameter '$valueName'", "unknown_$valueName");
+ $this->dieUsage('Unrecognised value' . (count($unknownValues) > 1 ? "s" : "") . " for parameter '$valueName'", "unknown_$valueName");
 }
 }
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index da515d51e7..9bc4e425c3 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
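Review bot: The rewritten dieUsage() message drops the rejected values entirely rather than escaping them, so a client sending a multi-valued parameter can no longer tell which value was refused; the underlying exposure was the formatter auto-linking URL-like text in error messages (the ApiFormatBase hunk in this same commit), so echoing the values only through an escaping output path would have kept diagnosability while closing the same hole — if such a path exists here, which the hunk does not show. If dropping them is the intended defence in depth, record the reason at the call site so a later maintainer does not reinstate the implode(), e.g. `// Deliberately do not echo the unknown values: error text is auto-linked by the formatter.`. The message and the `"unknown_$valueName"` error code still interpolate `$valueName`, which is presumably the module-declared parameter name rather than request input — confirm that is the only source. The enclosing method starts before and ends after this hunk.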
@@ -147,7 +147,8 @@ for more information.
 // encode all tags as safe blue strings
 $text = ereg_replace('\<([^>]+)\>', '<\1>', $text);
 // identify URLs
- $text = ereg_replace("[a-zA-Z]+://[^ '\"()<\n]+", '\\0', $text);
+ $protos = "http|https|ftp|gopher";
+ $text = ereg_replace("($protos)://[^ '\"()<\n]+", '\\0', $text);
 // identify requests to api.php
 $text = ereg_replace("api\\.php\\?[^ ()<\n\t]+", '\\0', $text);
 // make strings inside * bold
-- 
2.20.1
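Review bot: The new `($protos)://` pattern is case-sensitive, so `HTTP://...` or `Ftp://...`, which the old `[a-zA-Z]+://` pattern linkified, now stay as plain text; if that regression is unintended, the whitelist can be kept with the case-insensitive variant, `$text = eregi_replace("($protos)://[^ '\"()<\n]+", '\\0', $text);`. The `$protos` line deserves a comment stating that it is an allow-list by design, e.g. `// Only these schemes are ever auto-linked; anything else stays plain text.`, so the list is not casually widened. The negated class still admits `>`, which is only harmless if `$text` has already been HTML-escaped before this point — the preceding "encode all tags" step suggests so, but the hunk does not show it. The enclosing function starts before and ends after this hunk.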