From dd6c6d0148253e9b8e2a9501e1af4872ae386047 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 6 Feb 2017 05:46:13 +0000
Subject: [PATCH] SECURITY: [XSS] Ensure portal url parameter is a valid title.

TitleValue is not supposed to be used on untrusted input. This
could lead to XSS on raw html wikis via a url like:
?portal=ns:0}}<html><script>alert(1)</script></html>

Bug: T155277
---
 includes/PortalSpecialPage.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/includes/PortalSpecialPage.php b/includes/PortalSpecialPage.php
index 3e2f9d1..b68c30d 100644
--- a/includes/PortalSpecialPage.php
+++ b/includes/PortalSpecialPage.php
@@ -93,10 +93,13 @@ class PortalSpecialPage extends UnlistedSpecialPage {
 							throw new MWException( 'bad function name #2 in portal parameter' );
 						}
 					}
-					$tv = new TitleValue( NS_MODULE, $portal );
-					$info = "Module:{$tv->getText()}|$func" . ( $func2 ? "|$func2" : '' );
+					$title = Title::makeTitleSafe( NS_MODULE, $portal );
+					if ( !$title ) {
+						throw new MWException( "Invalid portal module specified - $portal" );
+					}
+					$info = "Module:{$title->getText()}|$func" . ( $func2 ? "|$func2" : '' );
 					$out->setHTMLTitle( $info );
-					$module = $tv->getDBkey();
+					$module = $title->getDBkey();
 				}
 				// Zero administrators can use 'portal' parameter to see what another user would see
 				$impersonate = $req->getVal( 'impersonate' );
-- 
1.9.5 (Apple Git-50.3)