From 6fffd484113ba86a14056c2fe18d0ab4a3307813 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Mon, 5 Jan 2015 16:31:26 -0500
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview

Someone could theoretically try to hide malicious code in their user common.js and then trick an admin into previewing it by asking for help.

Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
 includes/OutputPage.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index f8d5ab7..ac771d2 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3275,6 +3275,10 @@ class OutputPage extends ContextSource {
 if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
 return false;
 }
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
 
 return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
 }
-- 
2.1.4
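Review bot: The comment on the new ownership check in includes/OutputPage.php states the rule but not the reason, which is recorded only in the commit message; I would put it next to the code, e.g. `// Previewed CSS/JS runs in the previewing user's session, so only run pages under that user's own user page (T85855)`. The enclosing method starts outside the hunk, so its doc comment is not visible here; if that comment lists the conditions under which a preview is allowed, it should gain this one. The diffstat shows only this file changed, so no regression test comes with the fix. A test asserting that the method returns false for a JS or CSS subpage of a different user's page, even when the previewing user is allowed to edit it, would keep the check from being dropped in a later refactor.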