From: csteipp Date: Tue, 18 Nov 2014 21:43:05 +0000 (-0800) Subject: Make calling wfMangleFlashPolicy configurable X-Git-Tag: 1.31.0-rc.0~13241^2 X-Git-Url: http://git.cyclocoop.org/%7B%24admin_url%7Dcompta/comptes/journal.php?a=commitdiff_plain;h=92f22cd466e2e20bf0ba6947abaa256b922c193d;p=lhc%2Fweb%2Fwiklou.git Make calling wfMangleFlashPolicy configurable Add $wgMangleFlashPolicy so sites that define a safe master flash policy can disable mangling of the string. Bug: 66776 Change-Id: Ic0db939aae9d0bb6bdfc3cd9ce282661bad46783 --- diff --git a/RELEASE-NOTES-1.25 b/RELEASE-NOTES-1.25 index 3531cac1a6..ae1c23ef18 100644 --- a/RELEASE-NOTES-1.25 +++ b/RELEASE-NOTES-1.25 @@ -21,6 +21,8 @@ production. RequestContext specifically. * Profiling was restructured and $wgProfiler now requires an 'output' parameter. See StartProfiler.sample for details. +* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that + might be a flash policy directive configurable. === New features in 1.25 === * (bug 62861) Updated plural rules to CLDR 26. Includes incompatible changes diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index e822655f87..d4efc60beb 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -3194,6 +3194,14 @@ $wgShowRollbackEditCount = 10; */ $wgEnableCanonicalServerLink = false; +/** + * When OutputHandler is used, mangle any output that contains + * . Without this, an attacker can send their own + * cross-domain policy unless it is prevented by the crossdomain.xml file at + * the domain root. + */ +$wgMangleFlashPolicy = true; + /** @} */ # End of output format settings } /*************************************************************************//** diff --git a/includes/OutputHandler.php b/includes/OutputHandler.php index b3b3b889a7..b0bbcddbd3 100644 --- a/includes/OutputHandler.php +++ b/includes/OutputHandler.php @@ -28,8 +28,10 @@ * @return string */ function wfOutputHandler( $s ) { - global $wgDisableOutputCompression, $wgValidateAllHtml; - $s = wfMangleFlashPolicy( $s ); + global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy; + if ( $wgMangleFlashPolicy ) { + $s = wfMangleFlashPolicy( $s ); + } if ( $wgValidateAllHtml ) { $headers = headers_list(); $isHTML = false;