From e6848adfd6f1949ffe821eae3d473c34b92e9dc7 Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Fri, 2 Sep 2016 09:57:12 -0400
Subject: [PATCH] SECURITY: Disallow user CSS/JS when centralauthtoken is in use
This prevents an attacker from putting something bad in their User:Me/apioutput.js or User:Me/apioutput.css and then using centralauthtoken to cause it to be loaded for some other user.
Bug: T144573
Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
---
 includes/session/CentralAuthTokenSessionProvider.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/includes/session/CentralAuthTokenSessionProvider.php b/includes/session/CentralAuthTokenSessionProvider.php
index 161b3de..7662ffe 100644
--- a/includes/session/CentralAuthTokenSessionProvider.php
+++ b/includes/session/CentralAuthTokenSessionProvider.php
@@ -21,6 +21,7 @@ class CentralAuthTokenSessionProvider extends \MediaWiki\Session\SessionProvider
 parent::__construct();
 $wgHooks['APIGetAllowedParams'][] = $this;
+ $wgHooks['BeforePageDisplay'][] = $this;
 }
 /**
@@ -216,4 +217,21 @@ class CentralAuthTokenSessionProvider extends \MediaWiki\Session\SessionProvider
 return true;
 }
+ /**
+ * Prevent user scripts and styles when centralauthtoken is in use
+ * @param OutputPage $out
+ * @return bool
+ */
+ public function onBeforePageDisplay( $out ) {
+ if ( $out->getRequest()->getSession()->getProvider() instanceof CentralAuthTokenSessionProvider ) {
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ }
+ return true;
+ }
+
 }
--
2.9.3
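Review bot: The docblock on `onBeforePageDisplay()` in the second hunk says what is blocked but not why, and the reason is the security-relevant part: per the commit message, a centralauthtoken can make one account's `User:…/apioutput.js` or `.css` load for a different person, so per-user modules are untrusted whenever this provider owns the session. I would state that in the code, e.g. `// Session comes from a centralauthtoken, so the session user's own JS/CSS may not belong to the viewer; cap at ORIGIN_USER_SITEWIDE to keep per-user modules out (T144573)`, because `reduceAllowedModules()` with an origin named `USER_SITEWIDE` is easy to misread as permitting user modules. The diffstat shows only this file changed, so nothing pins the behaviour; a test asserting that both `TYPE_SCRIPTS` and `TYPE_STYLES` are capped for a session from this provider would stop a later refactor from silently lifting the restriction. Minor style point: inside the class the check reads better as `instanceof self`, and the handler could declare `OutputPage $out` to match its docblock.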