From 92f22cd466e2e20bf0ba6947abaa256b922c193d Mon Sep 17 00:00:00 2001 From: csteipp Date: Tue, 18 Nov 2014 13:43:05 -0800 Subject: [PATCH] Make calling wfMangleFlashPolicy configurable Add $wgMangleFlashPolicy so sites that define a safe master flash policy can disable mangling of the string. Bug: 66776 Change-Id: Ic0db939aae9d0bb6bdfc3cd9ce282661bad46783 --- RELEASE-NOTES-1.25 | 2 ++ includes/DefaultSettings.php | 8 ++++++++ includes/OutputHandler.php | 6 ++++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/RELEASE-NOTES-1.25 b/RELEASE-NOTES-1.25 index 3531cac1a6..ae1c23ef18 100644 --- a/RELEASE-NOTES-1.25 +++ b/RELEASE-NOTES-1.25 @@ -21,6 +21,8 @@ production. RequestContext specifically. * Profiling was restructured and $wgProfiler now requires an 'output' parameter. See StartProfiler.sample for details. +* $wgMangleFlashPolicy was added to make MediaWiki's mangling of anything that + might be a flash policy directive configurable. === New features in 1.25 === * (bug 62861) Updated plural rules to CLDR 26. Includes incompatible changes diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php index e822655f87..d4efc60beb 100644 --- a/includes/DefaultSettings.php +++ b/includes/DefaultSettings.php @@ -3194,6 +3194,14 @@ $wgShowRollbackEditCount = 10; */ $wgEnableCanonicalServerLink = false; +/** + * When OutputHandler is used, mangle any output that contains + * . Without this, an attacker can send their own + * cross-domain policy unless it is prevented by the crossdomain.xml file at + * the domain root. + */ +$wgMangleFlashPolicy = true; + /** @} */ # End of output format settings } /*************************************************************************//** diff --git a/includes/OutputHandler.php b/includes/OutputHandler.php index b3b3b889a7..b0bbcddbd3 100644 --- a/includes/OutputHandler.php +++ b/includes/OutputHandler.php @@ -28,8 +28,10 @@ * @return string */ function wfOutputHandler( $s ) { - global $wgDisableOutputCompression, $wgValidateAllHtml; - $s = wfMangleFlashPolicy( $s ); + global $wgDisableOutputCompression, $wgValidateAllHtml, $wgMangleFlashPolicy; + if ( $wgMangleFlashPolicy ) { + $s = wfMangleFlashPolicy( $s ); + } if ( $wgValidateAllHtml ) { $headers = headers_list(); $isHTML = false; -- 2.20.1