Merge "Make calling wfMangleFlashPolicy configurable"

diff --git a/RELEASE-NOTES-1.25 b/RELEASE-NOTES-1.25
index 3531cac..ae1c23e 100644 (file)
--- a/RELEASE-NOTES-1.25
+++ b/RELEASE-NOTES-1.25
@@ -21,6 +21,8 @@ production.
   RequestContext specifically.
 * Profiling was restructured and $wgProfiler now requires an 'output' parameter.
   See StartProfiler.sample for details.
+* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that
+  might be a flash policy directive configurable.
 
 === New features in 1.25 ===
 * (bug 62861) Updated plural rules to CLDR 26. Includes incompatible changes

diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 65ad403..f93737c 100644 (file)
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -3194,6 +3194,14 @@ $wgShowRollbackEditCount = 10;
  */
 $wgEnableCanonicalServerLink = false;
 
+/**
+ * When OutputHandler is used, mangle any output that contains
+ * <cross-domain-policy>. Without this, an attacker can send their own
+ * cross-domain policy unless it is prevented by the crossdomain.xml file at
+ * the domain root.
+ */
+$wgMangleFlashPolicy = true;
+
 /** @} */ # End of output format settings }
 
 /*************************************************************************//**

diff --git a/includes/OutputHandler.php b/includes/OutputHandler.php
index b3b3b88..b0bbcdd 100644 (file)
--- a/includes/OutputHandler.php
+++ b/includes/OutputHandler.php
@@ -28,8 +28,10 @@
  * @return string
  */
 function wfOutputHandler( $s ) {
-       global $wgDisableOutputCompression, $wgValidateAllHtml;
-       $s = wfMangleFlashPolicy( $s );
+       global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy;
+       if ( $wgMangleFlashPolicy ) {
+               $s = wfMangleFlashPolicy( $s );
+       }
        if ( $wgValidateAllHtml ) {
                $headers = headers_list();
                $isHTML = false;