From: Brad Jorsch
Date: Mon, 5 Jan 2015 21:31:26 +0000 (-0500)
Subject: SECURITY: Don't execute another user's CSS or JS on preview
X-Git-Tag: 1.31.0-rc.0~11899^2
X-Git-Url: http://git.cyclocoop.org/%27%2C%20%20%20quote_amp%28%24url%29%2C%20%20%20%27?a=commitdiff_plain;h=ff95a95437fd4ba2272e06a959e5f9ab9c2b636d;p=lhc%2Fweb%2Fwiklou.git

SECURITY: Don't execute another user's CSS or JS on preview

Someone could theoretically try to hide malicious code in their user common.js and then trick an admin into previewing it by asking for help.

Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
diff --git a/includes/EditPage.php b/includes/EditPage.php
index a5994e781e..e11342603b 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2670,19 +2670,21 @@ class EditPage {
 array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() )
 );
 }
- if ( $this->formtype !== 'preview' ) {
- if ( $this->isCssSubpage && $wgAllowUserCss ) {
- $wgOut->wrapWikiMsg(
- "
\n$1\n
",
- array( 'usercssyoucanpreview' )
- );
- }
+ if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
+ if ( $this->formtype !== 'preview' ) {
+ if ( $this->isCssSubpage && $wgAllowUserCss ) {
+ $wgOut->wrapWikiMsg(
+ "
\n$1\n
",
+ array( 'usercssyoucanpreview' )
+ );
+ }
- if ( $this->isJsSubpage && $wgAllowUserJs ) {
- $wgOut->wrapWikiMsg(
- "
\n$1\n
",
- array( 'userjsyoucanpreview' )
- );
+ if ( $this->isJsSubpage && $wgAllowUserJs ) {
+ $wgOut->wrapWikiMsg(
+ "
\n$1\n
",
+ array( 'userjsyoucanpreview' )
+ );
+ }
 }
 }
 }
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index edeae0d139..73d0cbafe5 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3288,6 +3288,10 @@ class OutputPage extends ContextSource {
 if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
 return false;
 }
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
 return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
 }
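Review bot: The new `isSubpageOf( $wgUser->getUserPage() )` gate in EditPage.php carries no explanation, while the matching guard in OutputPage.php cites T85855, so a maintainer seeing only this file could reasonably "simplify" the extra nesting away. Suggest a comment on the new `if`: `// Only offer the CSS/JS preview hint on the editing user's own subpages; OutputPage refuses to apply other users' CSS/JS on preview (T85855)`. The condition also reads the user from the `$wgUser` global while the title comes from `$this->getTitle()` (and the context line just above still uses `$this->mTitle`); if EditPage has a request context available at this point, sourcing both from it would keep the check aligned with the OutputPage side, which uses `$this->getUser()`. With the hint suppressed, someone editing another user's CSS/JS subpage now gets no message that preview will not apply the styles or scripts; whether a replacement message is wanted is a product call, but it is a visible behaviour change worth noting in the commit. The enclosing method starts and ends outside the hunk.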
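Review bot: The new deny branch in OutputPage.php has no accompanying test, and since this method is the actual enforcement point (the EditPage change only hides a hint), a regression test asserting that a JS/CSS subpage under a different user's user page yields false for the current user would pin the fix. The guard's correctness rests on `Title::isSubpageOf()` matching the namespace and the `Name/` prefix exactly, which appears to be what its name implies but is not visible here; a short addition to the T85855 comment stating that assumption (`// relies on isSubpageOf() comparing namespace and the 'Name/' prefix, so User:Foobar/x is not a subpage of User:Foo`) would make the boundary explicit to the next reader. Both hunks now implement the same "own user subpage" predicate independently; a single helper on Title or User (a constructed example name: `isOwnUserSubpage()`) would keep the UI hint and the enforcement from drifting apart. The enclosing method (presumably `userCanPreview()`) starts outside the hunk.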