From 069dd04759a176dc00a0cc71c7e4d0753ef14abb Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Mon, 5 Jan 2015 16:31:26 -0500
Subject: [PATCH] SECURITY: Don't execute another user's CSS or JS on preview

Someone could theoretically try to hide malicious code in their user common.js and then trick an admin into previewing it by asking for help.

Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a
---
 includes/EditPage.php | 26 ++++++++++++++------------
 includes/OutputPage.php | 4 ++++
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/includes/EditPage.php b/includes/EditPage.php
index 4370295..4706e8e 100644
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2734,19 +2734,21 @@ class EditPage {
 array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() )
 );
 }
- if ( $this->formtype !== 'preview' ) {
- if ( $this->isCssSubpage && $wgAllowUserCss ) {
- $wgOut->wrapWikiMsg(
- "
\n$1\n
", - array( 'usercssyoucanpreview' ) - ); - } + if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) { + if ( $this->formtype !== 'preview' ) { + if ( $this->isCssSubpage && $wgAllowUserCss ) { + $wgOut->wrapWikiMsg( + "
\n$1\n
", + array( 'usercssyoucanpreview' ) + ); + } - if ( $this->isJsSubpage && $wgAllowUserJs ) { - $wgOut->wrapWikiMsg( - "
\n$1\n
", - array( 'userjsyoucanpreview' ) - ); + if ( $this->isJsSubpage && $wgAllowUserJs ) { + $wgOut->wrapWikiMsg( + "
\n$1\n
", + array( 'userjsyoucanpreview' ) + ); + } } } } diff --git a/includes/OutputPage.php b/includes/OutputPage.php index f8d5ab7..ac771d2 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -3275,6 +3275,10 @@ class OutputPage extends ContextSource { if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) { return false; } + if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) { + // Don't execute another user's CSS or JS on preview (T85855) + return false; + } return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) ); } -- 2.1.4