From: Brad Jorsch Date: Mon, 18 Jan 2016 17:00:41 +0000 (-0500) Subject: SECURITY: Improve cross-domain-policy mangling X-Git-Tag: 1.31.0-rc.0~6885 X-Git-Url: http://git.cyclocoop.org/%7B%7B%20url_for%28%27admin_vote_del%27%2C%20idvote=vote.voteid%29%20%7D%7D?a=commitdiff_plain;h=f459c1aecae38adfdb335b7704f7d97d1f42310d;p=lhc%2Fweb%2Fwiklou.git SECURITY: Improve cross-domain-policy mangling Take into account that the tag might have parameters. Bug: T123653 Change-Id: Ie9799f5ea45badfb4e7b4be7e7fbc1c35cc86f26 Signed-off-by: Chad Horohoe
---
diff --git a/includes/OutputHandler.php b/includes/OutputHandler.php
index c9c326b150..2f47006272 100644
--- a/includes/OutputHandler.php
+++ b/includes/OutputHandler.php
@@ -154,8 +154,8 @@ function wfGzipHandler( $s ) {
 */
 function wfMangleFlashPolicy( $s ) {
 # Avoid weird excessive memory usage in PCRE on big articles
- if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $s ) ) {
- return preg_replace( '/\<\s*cross-domain-policy\s*\>/i', '', $s );
+ if ( preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $s ) ) {
+ return preg_replace( '/\<(\s*)(cross-domain-policy(?=\s|\>))/i', '<$1NOT-$2', $s );
 } else {
 return $s;
 }
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index 41de9253f6..814450ecb9 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -103,9 +103,9 @@ class ApiFormatJson extends ApiFormatBase {
 // Bug 66776: wfMangleFlashPolicy() is needed to avoid a nasty bug in
 // Flash, but what it does isn't friendly for the API, so we need to
 // work around it.
- if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
+ if ( preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $json ) ) {
 $json = preg_replace(
- '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
+ '/\<(\s*cross-domain-policy(?=\s|\>))/i', '\\u003C$1', $json
 );
 }
diff --git a/includes/api/ApiFormatPhp.php b/includes/api/ApiFormatPhp.php
index d111af5d33..fc25f47723 100644
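Review bot: The guard in `wfMangleFlashPolicy()` (includes/OutputHandler.php) fails open on a PCRE error: `preg_match()` returns `false` when matching fails internally, the `if` treats that like "no match", and `$s` is returned unmangled. The context comment directly above the changed lines says PCRE resource usage is already a concern on large pages, so for a security filter the error case should be handled explicitly, e.g. `$found = preg_match( …, $s ); if ( $found === false ) { /* log; do not return $s unfiltered */ }`. The same `preg_match()`-as-boolean guard appears in the ApiFormatJson.php and ApiFormatPhp.php hunks. It would also help to state in the docblock, which starts above this hunk, why the lookahead accepts only whitespace or `>` after the tag name.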
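Review bot: The escape in includes/api/ApiFormatJson.php is only correct while its pattern matches exactly the same text as the one in `wfMangleFlashPolicy()`; if the two drift, the output handler will insert `NOT-` into a JSON string that this code did not pre-escape, or a tag variant will be handled in one place and missed in another. After this commit the literal `'/\<\s*cross-domain-policy(?=\s|\>)/i'` is repeated in OutputHandler.php, here, and in the ApiFormatPhp.php hunk, and this fix had to edit each copy by hand. Consider defining the pattern once (a constant or small helper next to `wfMangleFlashPolicy()`) and referencing it from all three places. The comment above the `if` could also gain a line such as `// Only the opening "<" is escaped; the tag may carry attributes, so ">" is not adjacent.` The enclosing method starts and ends outside the hunk.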
--- a/includes/api/ApiFormatPhp.php
+++ b/includes/api/ApiFormatPhp.php
@@ -65,7 +65,7 @@ class ApiFormatPhp extends ApiFormatBase {
 // just be broken in a useful manner.
 if ( $this->getConfig()->get( 'MangleFlashPolicy' ) &&
 in_array( 'wfOutputHandler', ob_list_handlers(), true ) &&
- preg_match( '/\<\s*cross-domain-policy\s*\>/i', $text )
+ preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $text )
 ) {
 $this->dieUsage(
 'This response cannot be represented using format=php. ' .
diff --git a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
index 8437228ee1..7eb2a35ecf 100644
--- a/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
+++ b/tests/phpunit/includes/api/format/ApiFormatJsonTest.php
@@ -67,7 +67,7 @@ class ApiFormatJsonTest extends ApiFormatTestBase {
 [ [ 1 ], '/**/myCallback([1])', [ 'callback' => 'myCallback' ] ],
 // Cross-domain mangling
- [ [ '< Cross-Domain-Policy >' ], '["\u003C Cross-Domain-Policy \u003E"]' ],
+ [ [ '< Cross-Domain-Policy >' ], '["\u003C Cross-Domain-Policy >"]' ],
 ] ),
 self::addFormatVersion( 2, [
 // Basic types
@@ -121,7 +121,7 @@ class ApiFormatJsonTest extends ApiFormatTestBase {
 [ [ 1 ], '/**/myCallback([1])', [ 'callback' => 'myCallback' ] ],
 // Cross-domain mangling
- [ [ '< Cross-Domain-Policy >' ], '["\u003C Cross-Domain-Policy \u003E"]' ],
+ [ [ '< Cross-Domain-Policy >' ], '["\u003C Cross-Domain-Policy >"]' ],
 ] )
 );
 }
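Review bot: The updated case in ApiFormatJsonTest at `@@ -67,7` does not exercise the behaviour this commit fixes: `'< Cross-Domain-Policy >'` carries no attributes and was already matched by the old pattern, so only the expected output changed. Add a regression case with text after the tag name and a negative case where the name merely continues, for example (constructed) `[ [ '<cross-domain-policy foo>' ], '["\u003Ccross-domain-policy foo>"]' ],` and `[ [ '<cross-domain-policy-x>' ], '["<cross-domain-policy-x>"]' ],`. The same applies to the format-version-2 list in the hunk at `@@ -121,7`. No test for `wfMangleFlashPolicy()` itself is visible in this diff, so the `NOT-` rewrite appears to be unpinned as well.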