* Security fix for <math>
authorBrion Vibber <brion@users.mediawiki.org>
Mon, 29 Aug 2005 23:34:37 +0000 (23:34 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Mon, 29 Aug 2005 23:34:37 +0000 (23:34 +0000)
* Security fix for tables

RELEASE-NOTES
includes/Article.php
includes/Parser.php
maintenance/parserTests.inc
maintenance/parserTests.txt

index b966582..4e70c21 100644 (file)
@@ -72,6 +72,9 @@ fully support the editing toolbar, but was found to be too confusing.
 * Fix interlanguage links on special pages when extra namespaces configured
 * IP privacy fix for blocklist search on autoblocks
 * Support for a license selection box on Special:Upload, configurable from MediaWiki:Licenses
+* Security fix for <math>
+* Security fix for tables
+
 
 === Caveats ===
 
index 4540e94..b8e38e1 100644 (file)
@@ -173,6 +173,7 @@ class Article {
                $striparray=array();
                $parser=new Parser();
                $parser->mOutputType=OT_WIKI;
+               $parser->mOptions = new ParserOptions();
                $striptext=$parser->strip($text, $striparray, true);
 
                # now that we can be sure that no pseudo-sections are in the source,
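Review bot: The added `$parser->mOptions = new ParserOptions();` is needed because `Parser::strip()` now dereferences `$this->mOptions` (see the math hunk in includes/Parser.php), but the dependency is only satisfied at the two call sites in this file (here and in the hunk at @@ -1138); any other code that constructs `new Parser()` and calls `strip()` directly would presumably fail with a call on a non-object. A more robust fix would initialise `mOptions` in the Parser constructor or have `strip()` tolerate an unset `mOptions`, so the new requirement cannot be missed by a future caller. The enclosing method starts outside the hunk. A why-comment on the added line would help the next reader: `# strip() consults mOptions (getUseTeX) since the <math> fix; must be set before calling it`.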
@@ -1138,6 +1139,7 @@ class Article {
                                $striparray=array();
                                $parser=new Parser();
                                $parser->mOutputType=OT_WIKI;
+                               $parser->mOptions = new ParserOptions();
                                $oldtext=$parser->strip($oldtext, $striparray, true);
 
                                # now that we can be sure that no pseudo-sections are in the source,
index 3bc48ff..9a1ae42 100644 (file)
@@ -377,16 +377,14 @@ class Parser
                }
 
                # math
-               $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix);
-               foreach( $math_content as $marker => $content ){
-                       if( $render ) {
-                               if( $this->mOptions->getUseTeX() ) {
+               if( $this->mOptions->getUseTeX() ) {
+                       $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix);
+                       foreach( $math_content as $marker => $content ){
+                               if( $render ) {
                                        $math_content[$marker] = renderMath( $content );
                                } else {
-                                       $math_content[$marker] = '&lt;math&gt;'.$content.'&lt;math&gt;';
+                                       $math_content[$marker] = '<math>'.$content.'</math>';
                                }
-                       } else {
-                               $math_content[$marker] = '<math>'.$content.'</math>';
                        }
                }
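Review bot: With `getUseTeX()` false the new code never assigns `$math_content`, so any later read of it in this method (for example when the strip state is recorded) would now hit an undefined variable; initialising `$math_content = array();` before the `if( $this->mOptions->getUseTeX() )` line avoids that. The remainder of the method, including whatever consumes `$math_content`, is outside the hunk, so this is inferred rather than visible. The security intent of the restructuring — leaving `<math>` untouched when TeX is disabled so the downstream sanitizer escapes it like any unknown tag, instead of re-inserting raw content with the old `&lt;math&gt;` wrapper — is not stated anywhere; a comment on the `if` line such as `# Only extract <math> when TeX is enabled; otherwise leave it for the sanitizer to escape like any unknown tag` would prevent the branch from being "simplified" back.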
 
@@ -658,8 +656,11 @@ class Parser
                        $fc = substr ( $x , 0 , 1 ) ;
                        if ( preg_match( '/^(:*)\{\|(.*)$/', $x, $matches ) ) {
                                $indent_level = strlen( $matches[1] );
+                               
+                               $attributes = $this->unstripForHTML( $matches[2] );
+
                                $t[$k] = str_repeat( '<dl><dd>', $indent_level ) .
-                                       '<table' . Sanitizer::fixTagAttributes ( $matches[2], 'table' ) . '>' ;
+                                       '<table' . Sanitizer::fixTagAttributes ( $attributes, 'table' ) . '>' ;
                                array_push ( $td , false ) ;
                                array_push ( $ltd , '' ) ;
                                array_push ( $tr , false ) ;
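Review bot: The order of `$attributes = $this->unstripForHTML( $matches[2] );` followed by `Sanitizer::fixTagAttributes ( $attributes, 'table' )` is the whole fix — strip markers (including nowiki) must be resolved before the sanitizer sees the attribute text, otherwise the content inside the marker bypasses attribute filtering — yet nothing in the code says so, and the same three-line pattern recurs in the hunks at @@ -686 and @@ -728. A comment at the first occurrence, `# Unstrip nowiki/strip markers BEFORE sanitizing so the sanitizer sees the final attribute text`, would protect the ordering; alternatively the unstrip could be folded into one helper used by all three sites so it cannot be omitted at one of them. The added blank line above `$attributes` carries trailing whitespace, as does the blank line in the @@ -3307 hunk. The enclosing table-parsing loop starts and ends outside the hunk.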
@@ -686,7 +687,8 @@ class Parser
                                array_push ( $tr , false ) ;
                                array_push ( $td , false ) ;
                                array_push ( $ltd , '' ) ;
-                               array_push ( $ltr , Sanitizer::fixTagAttributes ( $x, 'tr' ) ) ;
+                               $attributes = $this->unstripForHTML( $x );
+                               array_push ( $ltr , Sanitizer::fixTagAttributes ( $attributes, 'tr' ) ) ;
                        }
                        else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption
                                # $x is a table row
@@ -728,7 +730,10 @@ class Parser
                                        }
                                        if ( count ( $y ) == 1 )
                                                $y = "{$z}<{$l}>{$y[0]}" ;
-                                       else $y = $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($y[0], $l).">{$y[1]}" ;
+                                       else {
+                                               $attributes = $this->unstripForHTML( $y[0] );
+                                               $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($attributes, $l).">{$y[1]}" ;
+                                       }
                                        $t[$k] .= $y ;
                                        array_push ( $td , true ) ;
                                }
@@ -3307,6 +3312,11 @@ class Parser
         */
        function attributeStripCallback( &$text, $args ) {
                $text = $this->replaceVariables( $text, $args );
+               $text = $this->unstripForHTML( $text );
+               return $text;
+       }
+       
+       function unstripForHTML( $text ) {
                $text = $this->unstrip( $text, $this->mStripState );
                $text = $this->unstripNoWiki( $text, $this->mStripState );
                return $text;
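Review bot: The new `unstripForHTML()` has no doc comment, while the method above it keeps its docblock, and the callers added in this commit rely on an ordering contract (unstrip first, then `Sanitizer::fixTagAttributes`) that is stated nowhere. Suggested docblock: `/** Replace general and nowiki strip markers in $text with their original content so the result can be handed to the Sanitizer. The returned text is unsanitised; callers must sanitise it afterwards, never before. */`. The function's closing brace lies outside the hunk, and the blank line between the two methods carries trailing whitespace.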
index 3756de1..f7b6ba0 100644 (file)
@@ -303,6 +303,7 @@ class ParserTest {
                        'wgDefaultUserOptions' => array(),
                        'wgNoFollowLinks' => true,
                        'wgThumbnailScriptPath' => false,
+                       'wgUseTeX' => false,
                        );
                $this->savedGlobals = array();
                foreach( $settings as $var => $val ) {
index f3342af..75890ad 100644 (file)
@@ -2598,6 +2598,45 @@ Bug 3244: HTML attribute safety (extension; unsafe)
 !! end
 
 
+!! test
+Math section safety when disabled
+!! input
+<math><script>alert(document.cookies);</script></math>
+!! result
+<p>&lt;math&gt;&lt;script&gt;alert(document.cookies);&lt;/script&gt;&lt;/math&gt;
+</p>
+!! end
+
+
+!! test
+Table attribute legitimate extension
+!! input
+{|
+!+ style="<nowiki>color:blue</nowiki>"| status
+|}
+!! result
+<table>
+<tr>
+<th style="color:blue"> status
+</th></tr></table>
+
+!!end
+
+!! test
+Table attribute safety
+!! input
+{|
+!+ style="<nowiki>border-width:expression(0+alert(document.cookie))</nowiki>"| status
+|}
+!! result
+<table>
+<tr>
+<th> status
+</th></tr></table>
+
+!! end
+
+
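Review bot: The "Math section safety when disabled" test only covers the TeX-disabled path, because the harness now pins `'wgUseTeX' => false` in the maintenance/parserTests.inc hunk; the TeX-enabled branch of the math fix, including the non-render `<math>` re-wrap, has no test in this commit, so that gap is worth recording as a follow-up. The "Table attribute legitimate extension" test closes with `!!end` while every other block uses `!! end`; if the harness matches the spaced form, that test may not be recognised, so `!! end` would be safer and consistent.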
 TODO:
 more images
 more tables