From 2d92044bb7e31646bbd8432ed7440b211ec707c1 Mon Sep 17 00:00:00 2001 From: Daniel Cannon Date: Sun, 15 Jul 2007 04:57:45 +0000 Subject: [PATCH] Security fix: Previously it was possible to include unprotected and even content pages in site and user jss/css pages via action=raw. Now when requesting a page as text/javascript or text/css, if it should not contain such content, it simply returns '/* EMPTY */'. --- RELEASE-NOTES | 2 ++ includes/RawPage.php | 9 ++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index e77c50089a..40ba59a21a 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -293,6 +293,8 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN * Don't show non-functional toolbar buttons on Opera 7 anymore * (bug 9151) Fix relative subpage links with section fragments * (bug 10560) Adding a space between category letter heading and "continues" +* Security fix: Disable retrieving pages as raw js/css that should not contain + such content. == API changes since 1.10 == diff --git a/includes/RawPage.php b/includes/RawPage.php index 9df94e50af..4b27823711 100644 --- a/includes/RawPage.php +++ b/includes/RawPage.php @@ -145,7 +145,14 @@ class RawPage { } function getRawText() { - global $wgUser, $wgOut, $wgRequest; + global $wgUser, $wgOut, $wgRequest, $wgJsMimeType; + + /* Disable retrieving content pages as raw js/css */ + $dangerousTypes = array( $wgJsMimeType, 'text/css' ); + if ( in_array( $this->mContentType, $dangerousTypes ) && + !($this->mTitle->isCssOrJsPage() || $this->mTitle->isCssJsSubpage() ) ) + return '/* EMPTY */'; + if($this->mGen) { $sk = $wgUser->getSkin(); $sk->initPage($wgOut); -- 2.20.1