From 5e022b1869946bfd7f3da4a2e235fc671b264096 Mon Sep 17 00:00:00 2001
From: csteipp
Date: Fri, 27 Mar 2015 14:57:28 -0700
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview

Someone could theoretically try to hide malicious code in their user common.js and then trick an admin into previewing it by asking for help.

Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
 includes/EditPage.php | 15 ++++++++++-----
 includes/OutputPage.php | 4 ++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/includes/EditPage.php b/includes/EditPage.php
index d00d911..07a5a07 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -1988,11 +1988,16 @@ class EditPage {
 if ( $this->isWrongCaseCssJsPage ) {
 $wgOut->wrapWikiMsg( "
\n$1\n
", array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() ) );
 }
- if ( $this->formtype !== 'preview' ) {
- if ( $this->isCssSubpage )
- $wgOut->wrapWikiMsg( "
\n$1\n
", array( 'usercssyoucanpreview' ) );
- if ( $this->isJsSubpage )
- $wgOut->wrapWikiMsg( "
\n$1\n
", array( 'userjsyoucanpreview' ) );
+ if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
+ if ( $this->formtype !== 'preview' ) {
+ if ( $this->isCssSubpage ) {
+ $wgOut->wrapWikiMsg( "
\n$1\n
", array( 'usercssyoucanpreview' ) );
+ }
+
+ if ( $this->isJsSubpage ) {
+ $wgOut->wrapWikiMsg( "
\n$1\n
", array( 'userjsyoucanpreview' ) );
+ }
+ }
 }
 }
 }
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index e658c0e..20520bc 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2975,6 +2975,10 @@ $templates
 if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
 return false;
 }
+ if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+ // Don't execute another user's CSS or JS on preview (T85855)
+ return false;
+ }
 return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
 }
--
1.8.4.5
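Review bot: The new gate around the `usercssyoucanpreview`/`userjsyoucanpreview` notices in EditPage decides "own page" with the global `$wgUser`, while the guard this same commit adds to OutputPage decides it with the context user via `$this->getUser()`; if those two ever differ, the edit form would offer a preview that the output layer then refuses, or vice versa. If a context user is reachable from EditPage, using it here would keep the two checks aligned; otherwise a short comment should record that the two must stay in sync. The enclosing method begins before the hunk, so it is not visible whether `global $wgUser` is declared in it. A why-comment on the new `if` would also help the next reader, e.g. `// Only offer CSS/JS preview on the user's own subpages; the matching check in OutputPage enforces it (T85855)`.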
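Review bot: The new guard in OutputPage is the check that actually prevents another user's CSS/JS from being applied (the EditPage change only hides the notices), so the method's doc comment, which starts above the hunk and is not visible here, presumably still states the old contract of "any CSS/JS subpage the user may edit" and should be updated to match. Suggest adding to that doc block: `Only the current user's own CSS/JS subpages are eligible for preview; another user's subpage is never executed on preview (T85855).` Ordering the ownership check before the `getUserPermissionsErrors( 'edit', ... )` call is sound, since an admin who can edit the page is exactly the case being excluded. The method's opening and its doc block lie outside the hunk.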