From d86591c6076aca3b5e78fdc3d557f9bca255e435 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Thu, 10 Jul 2014 12:16:29 -0700
Subject: [PATCH] SECURITY: Copy prevent-clickjacking between OutputPage and
 ParserOutput

Special page transclusion returns an OutputPage, whose metadata is
copied into the ParserOutput, and then later back into an OutputPage.
The "preventClickjacking" flag should be part of that metadata.

Bug: 65778
Change-Id: I17d2720fb94bb383a92059e5adbf6c16ee3e9ef4
---
 includes/OutputPage.php          | 12 ++++++++++++
 includes/parser/ParserOutput.php | 13 +++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 7f0454f..6bfba78 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -1574,6 +1574,8 @@ class OutputPage extends ContextSource {
 		$this->addModuleScripts( $parserOutput->getModuleScripts() );
 		$this->addModuleStyles( $parserOutput->getModuleStyles() );
 		$this->addModuleMessages( $parserOutput->getModuleMessages() );
+		$this->mPreventClickjacking = $this->mPreventClickjacking
+			|| $parserOutput->preventClickjacking();
 
 		// Template versioning...
 		foreach ( (array)$parserOutput->getTemplateIds() as $ns => $dbks ) {
@@ -1874,6 +1876,16 @@ class OutputPage extends ContextSource {
 	}
 
 	/**
+	 * Get the prevent-clickjacking flag
+	 *
+	 * @since 1.24
+	 * @return boolean
+	 */
+	public function getPreventClickjacking() {
+		return $this->mPreventClickjacking;
+	}
+
+	/**
 	 * Get the X-Frame-Options header value (without the name part), or false
 	 * if there isn't one. This is used by Skin to determine whether to enable
 	 * JavaScript frame-breaking, for clients that don't support X-Frame-Options.
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 502f0fd..460f321 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -55,6 +55,7 @@ class ParserOutput extends CacheTime {
 		private $mExtensionData = array(); # extra data used by extensions
 		private $mLimitReportData = array(); # Parser limit report data
 		private $mParseStartTime = array(); # Timestamps for getTimeSinceStart()
+		private $mPreventClickjacking = false; # Whether to emit X-Frame-Options: DENY
 
 	const EDITSECTION_REGEX = '#<(?:mw:)?editsection page="(.*?)" section="(.*?)"(?:/>|>(.*?)(</(?:mw:)?editsection>))#';
 
@@ -330,6 +331,7 @@ class ParserOutput extends CacheTime {
 		$this->addModuleMessages( $out->getModuleMessages() );
 
 		$this->mHeadItems = array_merge( $this->mHeadItems, $out->getHeadItemsArray() );
+		$this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
 	}
 
 	/**
@@ -629,4 +631,15 @@ class ParserOutput extends CacheTime {
 	function setLimitReportData( $key, $value ) {
 		$this->mLimitReportData[$key] = $value;
 	}
+
+	/**
+	 * Get or set the prevent-clickjacking flag
+	 *
+	 * @since 1.24
+	 * @param boolean|null $flag New flag value, or null to leave it unchanged
+	 * @return boolean Old flag value
+	 */
+	public function preventClickjacking( $flag = null ) {
+		return wfSetVar( $this->mPreventClickjacking, $flag );
+	}
 }
-- 
1.9.2.msysgit.0