From ee14af46727f066076c9e7885917fbded3a4960e Mon Sep 17 00:00:00 2001 From: Brion Vibber Date: Mon, 29 Aug 2005 23:34:37 +0000 Subject: [PATCH] * Security fix for * Security fix for tables --- RELEASE-NOTES | 3 +++ includes/Article.php | 2 ++ includes/Parser.php | 30 ++++++++++++++++++---------- maintenance/parserTests.inc | 1 + maintenance/parserTests.txt | 39 +++++++++++++++++++++++++++++++++++++ 5 files changed, 65 insertions(+), 10 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index b966582300..4e70c2136a 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -72,6 +72,9 @@ fully support the editing toolbar, but was found to be too confusing. * Fix interlanguage links on special pages when extra namespaces configured * IP privacy fix for blocklist search on autoblocks * Support for a license selection box on Special:Upload, configurable from MediaWiki:Licenses +* Security fix for +* Security fix for tables + === Caveats === diff --git a/includes/Article.php b/includes/Article.php index 4540e94ca9..b8e38e1dd7 100644 --- a/includes/Article.php +++ b/includes/Article.php @@ -173,6 +173,7 @@ class Article { $striparray=array(); $parser=new Parser(); $parser->mOutputType=OT_WIKI; + $parser->mOptions = new ParserOptions(); $striptext=$parser->strip($text, $striparray, true); # now that we can be sure that no pseudo-sections are in the source, @@ -1138,6 +1139,7 @@ class Article { $striparray=array(); $parser=new Parser(); $parser->mOutputType=OT_WIKI; + $parser->mOptions = new ParserOptions(); $oldtext=$parser->strip($oldtext, $striparray, true); # now that we can be sure that no pseudo-sections are in the source, diff --git a/includes/Parser.php b/includes/Parser.php index 3bc48ff1f4..9a1ae42750 100644 --- a/includes/Parser.php +++ b/includes/Parser.php 
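Review bot: Both Article.php hunks (at -173 and -1138) have to set `$parser->mOptions = new ParserOptions();` by hand, because the Parser.php change makes strip() call `$this->mOptions->getUseTeX()` and nothing visible guards that call. Any other code that builds a bare Parser and calls strip() directly would hit a method call on a non-object; whether such callers exist cannot be seen from this page. I would record the requirement at these two sites with a comment such as `# strip() reads mOptions->getUseTeX(), so a bare Parser needs options set first`, or give Parser a default options object when it is constructed. The enclosing functions start and end outside both hunks.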
@@ -377,16 +377,14 @@ class Parser } # math - $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix); - foreach( $math_content as $marker => $content ){ - if( $render ) { - if( $this->mOptions->getUseTeX() ) { + if( $this->mOptions->getUseTeX() ) { + $text = Parser::extractTags('math', $text, $math_content, $uniq_prefix); + foreach( $math_content as $marker => $content ){ + if( $render ) { $math_content[$marker] = renderMath( $content ); } else { - $math_content[$marker] = '<math>'.$content.'<math>'; + $math_content[$marker] = ''.$content.''; } - } else { - $math_content[$marker] = ''.$content.''; } } @@ -658,8 +656,11 @@ class Parser $fc = substr ( $x , 0 , 1 ) ; if ( preg_match( '/^(:*)\{\|(.*)$/', $x, $matches ) ) { $indent_level = strlen( $matches[1] ); + + $attributes = $this->unstripForHTML( $matches[2] ); + $t[$k] = str_repeat( '
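Review bot: The math hunk does not say why the `getUseTeX()` test moved outside the extraction, and that move is the security-relevant part of the change. With TeX disabled the math section is no longer pulled out of the text, so it presumably reaches the normal HTML sanitizing path and is escaped like any unrecognised tag, which is what the new "Math section safety when disabled" test expects. The removed branch concatenated `$content` unescaped between the tag strings. A comment above the `if` would keep a later refactor from restoring that path, for example `# Only strip math when TeX is on; otherwise leave it in the text for the sanitizer to escape`. strip() begins and ends outside the hunk.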
', $indent_level ) . - '' ; + '' ; array_push ( $td , false ) ; array_push ( $ltd , '' ) ; array_push ( $tr , false ) ; @@ -686,7 +687,8 @@ class Parser array_push ( $tr , false ) ; array_push ( $td , false ) ; array_push ( $ltd , '' ) ; - array_push ( $ltr , Sanitizer::fixTagAttributes ( $x, 'tr' ) ) ; + $attributes = $this->unstripForHTML( $x ); + array_push ( $ltr , Sanitizer::fixTagAttributes ( $attributes, 'tr' ) ) ; } else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption # $x is a table row @@ -728,7 +730,10 @@ class Parser } if ( count ( $y ) == 1 ) $y = "{$z}<{$l}>{$y[0]}" ; - else $y = $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($y[0], $l).">{$y[1]}" ; + else { + $attributes = $this->unstripForHTML( $y[0] ); + $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($attributes, $l).">{$y[1]}" ; + } $t[$k] .= $y ; array_push ( $td , true ) ; } @@ -3307,6 +3312,11 @@ class Parser */ function attributeStripCallback( &$text, $args ) { $text = $this->replaceVariables( $text, $args ); + $text = $this->unstripForHTML( $text ); + return $text; + } + + function unstripForHTML( $text ) { $text = $this->unstrip( $text, $this->mStripState ); $text = $this->unstripNoWiki( $text, $this->mStripState ); return $text; diff --git a/maintenance/parserTests.inc b/maintenance/parserTests.inc index 3756de1ba4..f7b6ba06e9 100644 --- a/maintenance/parserTests.inc +++ b/maintenance/parserTests.inc @@ -303,6 +303,7 @@ class ParserTest { 'wgDefaultUserOptions' => array(), 'wgNoFollowLinks' => true, 'wgThumbnailScriptPath' => false, + 'wgUseTeX' => false, ); $this->savedGlobals = array(); foreach( $settings as $var => $val ) { diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt index f3342af9a0..75890ad8e3 100644 --- a/maintenance/parserTests.txt +++ b/maintenance/parserTests.txt @@ -2598,6 +2598,45 @@ Bug 3244: HTML attribute safety (extension; unsafe) !! end +!! test +Math section safety when disabled +!! input + +!! result +
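Review bot: None of the three table sites says that `unstripForHTML()` must run before `Sanitizer::fixTagAttributes()`, and that order is what makes the fix work. The sequence is written out in this table-open hunk and in the row and cell hunks at -686 and -728. If markers are expanded after the sanitizer runs, the restored text is never checked. I would add `# Expand strip markers first so the sanitizer sees the real attribute text` at each site, or fold both calls into one private helper so a future attribute site cannot skip the first step. The table-parsing function continues outside all three hunks.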
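Review bot: `unstripForHTML()` in the hunk at -3307 is added without a doc comment, and its name can be read as promising HTML-safe output. As far as the visible calls show, it only puts stripped and nowiki sections from `$this->mStripState` back into the text. A short docblock should say that the return value is still untrusted and must pass through the Sanitizer before it reaches an attribute, e.g. `Result is NOT escaped; always sanitize it before output.` The table callers in this commit do that, but attributeStripCallback() hands the value to a caller outside the hunk, so that path should be confirmed.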

<math><script>alert(document.cookies);</script></math> +

+!! end + + +!! test +Table attribute legitimate extension +!! input +{| +!+ style="color:blue"| status +|} +!! result + + +
status +
+ +!!end + +!! test +Table attribute safety +!! input +{| +!+ style="border-width:expression(0+alert(document.cookie))"| status +|} +!! result + + +
status +
+ +!! end + + TODO: more images more tables -- 2.20.1
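Review bot: The two table tests put the attribute on a `!` header-cell line only, so they exercise the cell hunk at -728 but not the table-open (`{|`) or row (`|-`) paths that this commit also changes. Some markup on this page appears to be lost, so the exact inputs should be checked against the file. A regression at either of those two sites would pass this suite. I would add one safety case with the same `expression(...)` style value on the `{|` line and one on a `|-` line. With `'wgUseTeX' => false` now set in parserTests.inc, the TeX-enabled branch of the math change is also untested here.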