From 410d33d36e9a4fe28f54aa4347310c52762b6e5e Mon Sep 17 00:00:00 2001
From: =?utf8?q?Gerg=C5=91=20Tisza?=
Date: Fri, 27 Jun 2014 00:15:03 +0000
Subject: [PATCH] Fix for XSS issue in bug 66608

Generate the URL used for loading a new page in Javascript, instead of relying on the URL in the link that has been clicked (as that could have been crafted by an attacker).

Bug: 66608
Change-Id: I19e2bf3af017a37c35cbadce9a70194aac693f33
---
 includes/page/ImagePage.php | 2 ++
 resources/Resources.php | 6 +++++-
 .../mediawiki.page/mediawiki.page.image.pagination.js | 11 ++++++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/includes/page/ImagePage.php b/includes/page/ImagePage.php
index e50592ce63..380252f58a 100644
--- a/includes/page/ImagePage.php
+++ b/includes/page/ImagePage.php
@@ -430,6 +430,8 @@ class ImagePage extends Article {
 if ( $page > 1 ) {
 $label = $out->parse( wfMessage( 'imgmultipageprev' )->text(), false );
+ // on the client side, this link is generated in ajaxifyPageNavigation()
+ // in the mediawiki.page.image.pagination module
 $link = Linker::linkKnown(
 $this->getTitle(),
 $label,
diff --git a/resources/Resources.php b/resources/Resources.php
index 05a03dc625..53d0c310c0 100644
--- a/resources/Resources.php
+++ b/resources/Resources.php
@@ -1179,7 +1179,11 @@ return array(
 ),
 'mediawiki.page.image.pagination' => array(
 'scripts' => 'resources/src/mediawiki.page/mediawiki.page.image.pagination.js',
- 'dependencies' => array( 'jquery.spinner' )
+ 'dependencies' => array(
+ 'mediawiki.Uri',
+ 'mediawiki.util',
+ 'jquery.spinner',
+ ),
 ),
 /* MediaWiki Special pages */
diff --git a/resources/src/mediawiki.page/mediawiki.page.image.pagination.js b/resources/src/mediawiki.page/mediawiki.page.image.pagination.js
index 931e312d34..622e818dc8 100644
--- a/resources/src/mediawiki.page/mediawiki.page.image.pagination.js
+++ b/resources/src/mediawiki.page/mediawiki.page.image.pagination.js
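Review bot: The comment added above `$link = Linker::linkKnown(` in ImagePage.php names `ajaxifyPageNavigation()`, but the only place this patch rebuilds the URL is the click handler inside `bindPageNavigation()` in the pagination script. If `ajaxifyPageNavigation()` is just the entry point defined elsewhere in that module, the comment would be easier to follow as `// the client rebuilds this URL in bindPageNavigation() (mediawiki.page.image.pagination); keep the query parameters in sync`. The comment sits only on the previous-page link; the next-page link is outside the hunk and presumably needs the same pointer.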
@@ -57,7 +57,16 @@
 function bindPageNavigation( $container ) {
 $container.find( '.multipageimagenavbox' ).one( 'click', 'a', function ( e ) {
- loadPage( this.href );
+ var page, uri;
+
+ // Generate the same URL on client side as the one generated in ImagePage::openShowImage.
+ // We avoid using the URL in the link directly since it could have been manipulated (bug 66608)
+ page = Number( mw.util.getParamValue( 'page', this.href ) );
+ uri = new mw.Uri( mw.util.wikiScript() )
+ .extend( { title: mw.config.get( 'wgPageName' ), page: page } )
+ .toString();
+
+ loadPage( uri );
 e.preventDefault();
 } );
-- 
2.20.1
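Review bot: `page = Number( mw.util.getParamValue( 'page', this.href ) )` still reads its value from the clicked link, so a missing or non-numeric `page` parameter becomes `0` or `NaN` and is sent to the wiki script as-is. The numeric coercion and the `mw.util.wikiScript()` base mean the link can no longer choose the request target, so this is a robustness gap rather than the original XSS. A guard before building `uri`, such as `if ( !( page >= 1 ) || page % 1 !== 0 ) { page = 1; }` (or skipping the AJAX load), would keep the request well-formed. `loadPage()` and the rest of `bindPageNavigation()` lie outside the hunk; any other caller that passes a DOM-derived URL to `loadPage()` would need the same rebuild, which cannot be confirmed from the lines shown.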