From 21971b28bcee9427989d4bfaf97510ea87b3ea86 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Thu, 30 Aug 2012 20:40:19 -0700
Subject: [PATCH] (bug 39700) Add htmlspecialchars encoding to label
Adds htmlspecialchars encoding to the link label, passed
into Linker::makeBrokenImageLinkObj.
This fixes a stored XSS (HTML injection) vulnerability.
* Released as part of 1.20wmf10, 1.19.2, 1.18.5
Change-Id: I0e5f9eeb1f3561b1354aecced74f68ae2fa20dfa
---
includes/Linker.php | 24 ++++++++++++------------
tests/parser/parserTests.txt | 15 +++++++++++++++
2 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/includes/Linker.php b/includes/Linker.php
index 7aba444050..8e31a1cf76 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -865,31 +865,31 @@ class Linker {
* Make a "broken" link to an image
*
* @param $title Title object
- * @param $html String: link label in htmlescaped text form
+ * @param $label String: link label (plain text)
* @param $query String: query string
- * @param $trail String: link trail (HTML fragment)
- * @param $prefix String: link prefix (HTML fragment)
+ * @param $unused1 Unused parameter kept for b/c
+ * @param $unused2 Unused parameter kept for b/c
* @param $time Boolean: a file of a certain timestamp was requested
* @return String
*/
- public static function makeBrokenImageLinkObj( $title, $html = '', $query = '', $trail = '', $prefix = '', $time = false ) {
+ public static function makeBrokenImageLinkObj( $title, $label = '', $query = '', $unused1 = '', $unused2 = '', $time = false ) {
global $wgEnableUploads, $wgUploadMissingFileUrl, $wgUploadNavigationUrl;
if ( ! $title instanceof Title ) {
- return "{$prefix}{$html}{$trail}";
+ return "" . htmlspecialchars( $label );
}
wfProfileIn( __METHOD__ );
+ if ( $label == '' ) {
+ $label = $title->getPrefixedText();
+ }
+ $encLabel = htmlspecialchars( $label );
$currentExists = $time ? ( wfFindFile( $title ) != false ) : false;
- list( $inside, $trail ) = self::splitTrail( $trail );
- if ( $html == '' )
- $html = htmlspecialchars( $title->getPrefixedText() );
-
if ( ( $wgUploadMissingFileUrl || $wgUploadNavigationUrl || $wgEnableUploads ) && !$currentExists ) {
$redir = RepoGroup::singleton()->getLocalRepo()->checkRedirect( $title );
if ( $redir ) {
wfProfileOut( __METHOD__ );
- return self::linkKnown( $title, "$prefix$html$inside", array(), wfCgiToArray( $query ) ) . $trail;
+ return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) );
}
$href = self::getUploadUrl( $title, $query );
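Review bot: The second parameter of makeBrokenImageLinkObj changes from pre-escaped HTML (`$html`) to plain text (`$label`) without changing position, so a caller that still passes escaped text will be double-encoded and anything passed as the old `$trail`/`$prefix` is now dropped silently; the callers are outside this diff and need auditing. I would make the contract explicit in the docblock, e.g. `@param $label String: link label (plain text; escaped by this method, do not pre-escape)`. The hunk at `@@ -897,10 +897,10 @@` concatenates the same `$encLabel` into a hand-built return string whose markup is not visible here, so any attribute values built there should be confirmed as escaped as well. The docblock opens before this hunk and the method body continues past its end.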
@@ -897,10 +897,10 @@ class Linker {
wfProfileOut( __METHOD__ );
return '' .
- "$prefix$html$inside$trail";
+ $encLabel . '';
} else {
wfProfileOut( __METHOD__ );
- return self::linkKnown( $title, "$prefix$html$inside", array(), wfCgiToArray( $query ) ) . $trail;
+ return self::linkKnown( $title, $encLabel, array(), wfCgiToArray( $query ) );
}
}
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 5036268e95..453e88a86f 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -2442,6 +2442,21 @@ Link with double quotes in title part (literal) and alternate part (interpreted)
!! end
+!! test
+Broken image links with HTML captions (bug 39700)
+!! input
+[[File:Nonexistent|]]
+[[File:Nonexistent|100px|]]
+[[File:Nonexistent|<]]
+[[File:Nonexistent|abc]]
+!! result
+<script></script>
+<script></script>
+<
+abc
+
+!! end
+
!! test
Plain link to URL
!! input
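Review bot: As shown on this page, the expected output for the first two cases reads `<script></script>` unescaped and the matching input lines have an empty caption, which looks like the page's rendering stripping markup rather than what the test file holds; the `!! result` block should be checked to expect the entity-encoded form (`&lt;script&gt;&lt;/script&gt;`) inside the link. All four cases also go through the same parser path, so a caption that already contains an entity, such as `[[File:Nonexistent|a &amp; b]]`, would be worth adding to pin whether the new htmlspecialchars call double-encodes it.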
--
2.20.1