From: Brian Wolff <bawolff+wn@gmail.com>
Date: Fri, 29 Jan 2016 09:46:32 +0000 (-0500)
Subject: Require strip marker names to not have & ' " < or > in them
X-Git-Tag: 1.31.0-rc.0~6977^2
X-Git-Url: http://git.cyclocoop.org/%40spipnet%40?a=commitdiff_plain;h=939faea318d9c2107fab3a584bc1c023f3c592e9;p=lhc%2Fweb%2Fwiklou.git

Require strip marker names to not have & ' " < or > in them

This is a little far fetched, but meant as a hardening step. No
valid strip marker name should have any of those things in them.
If a malicious user managed to somehow control the strip marker name,
he could make a strip marker that "spanned" different html contexts.
Note: I've checked carefully - its impossible for a user to control
the strip marker name. This is just a hardening step against any
future features.

For example, if someone could make a strip marker using the marker
name "a&#039;,&#039;b", then they could create an xss by feeding
"\x7UNIQfa+QINU\x7f" to charinsert, which will split on + sign,
and create output like
<a onclick="mw.toolbar.insertTags(&#039\x7FUNIQa&#039;,&#039;bQIN\X7f...
It just seems safer to not allow any of the special characters in
strip marker names - especially because there is no need to ever
use them, and to my knowledge there is no example of anyone ever
actually using such a special character in the marker name.
and not recognize either part as a strip marker.

Change-Id: I798d31aff4e48b4c6da886530c15867226c953d2
---

diff --git a/includes/parser/StripState.php b/includes/parser/StripState.php
index c168aa69fa..4ed176ce28 100644
--- a/includes/parser/StripState.php
+++ b/includes/parser/StripState.php
@@ -50,7 +50,7 @@ class StripState {
 			'nowiki' => [],
 			'general' => []
 		];
-		$this->regex = '/' . Parser::MARKER_PREFIX . "([^\x7f]+)" . Parser::MARKER_SUFFIX . '/';
+		$this->regex = '/' . Parser::MARKER_PREFIX . "([^\x7f<>&'\"]+)" . Parser::MARKER_SUFFIX . '/';
 		$this->circularRefGuard = [];
 	}