Mglaser has uploaded a new change for review.
https://gerrit.wikimedia.org/r/176166
Change subject: SECURITY: Add edit token to Special:ExpandTemplates
......................................................................
SECURITY: Add edit token to Special:ExpandTemplates
On wikis that allow raw HTML, it is not safe to preview wikitext coming from
an untrusted source such as a cross-site request. Thus add an edit token to
the form, and when raw HTML is allowed, ensure the token is provided before
showing the preview.
Unfortunately, MediaWiki does not currently provide logged-out users with
CSRF protection; in that case, do not show the preview unless anonymous
editing is allowed (such wikis have been, and are still, vulnerable).
Change-Id: I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb
---
M includes/specials/SpecialExpandTemplates.php
M languages/i18n/en.json
M languages/i18n/qqq.json
3 files changed, 34 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/66/176166/1
diff --git a/includes/specials/SpecialExpandTemplates.php
b/includes/specials/SpecialExpandTemplates.php
index 61925cf..9d428c8 100644
--- a/includes/specials/SpecialExpandTemplates.php
+++ b/includes/specials/SpecialExpandTemplates.php
@@ -137,6 +137,9 @@
*/
private function makeForm( $title, $input ) {
$self = $this->getPageTitle();
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
$form = Xml::openElement(
'form',
array( 'method' => 'post', 'action' =>
$self->getLocalUrl() )
@@ -192,6 +195,7 @@
array( 'accesskey' => 's' )
) . '</p>';
$form .= "</fieldset>\n";
+ $form .= Html::hidden( 'wpEditToken', $user->getEditToken( '',
$request ) );
$form .= Xml::closeElement( 'form' );
return $form;
@@ -244,6 +248,30 @@
private function showHtmlPreview( Title $title, $html, OutputPage $out
) {
$lang = $title->getPageViewLanguage();
$out->addHTML( "<h2>" . $this->msg( 'expand_templates_preview'
)->escaped() . "</h2>\n" );
+
+ global $wgRawHtml;
+ if ( $wgRawHtml ) {
+ $request = $this->getRequest();
+ $user = $this->getUser();
+
+ // To prevent cross-site scripting attacks, don't show
the preview if raw HTML is
+ // allowed and a valid edit token is not provided (bug
71111). However, MediaWiki
+ // does not currently provide logged-out users with
CSRF protection; in that case,
+ // do not show the preview unless anonymous editing is
allowed.
+ if ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {
+ $error = array(
'expand_templates_preview_fail_html_anon' );
+ } elseif ( !$user->matchEditToken( $request->getVal(
'wpEditToken' ), '', $request ) ) {
+ $error = array(
'expand_templates_preview_fail_html' );
+ } else {
+ $error = false;
+ }
+
+ if ( $error ) {
+ $out->wrapWikiMsg( "<div
class='previewnote'>\n$1\n</div>", $error );
+ return;
+ }
+ }
+
$out->addHTML( Html::openElement( 'div', array(
'class' => 'mw-content-' . $lang->getDir(),
'dir' => $lang->getDir(),
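Review bot: For an anonymous user who holds the `edit` right, control falls into the `elseif ( !$user->matchEditToken( ... ) )` branch, and for logged-out sessions on this branch the edit token is, as far as I recall, a fixed suffix rather than a session-bound secret, so that comparison passes for any cross-site request, which is the gap the commit message concedes. Since the form is declared `'method' => 'post'` in the first hunk, a cheap extra gate that needs no session state is to refuse the preview for non-POST requests before the anon/token branches, e.g. `if ( !$request->wasPosted() ) { $error = array( 'expand_templates_preview_fail_html' ); } elseif ( $user->isAnon() && !$user->isAllowed( 'edit' ) ) {`, using the existing message or a dedicated one; this only narrows the exposure, since an auto-submitted cross-site POST still gets through, but it closes the plain link/GET vector, provided execute() (outside this hunk) really accepts `wpInput` from GET as well as POST. I would also extend the block comment to say plainly that `matchEditToken` is not a meaningful check for anonymous sessions here, so the next reader does not take the `elseif` as covering them. showHtmlPreview's body continues past the end of the hunk.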
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
index 68fe913..51ea901 100644
--- a/languages/i18n/en.json
+++ b/languages/i18n/en.json
@@ -3531,5 +3531,7 @@
"expand_templates_remove_nowiki": "Suppress <nowiki> tags in result",
"expand_templates_generate_xml": "Show XML parse tree",
"expand_templates_generate_rawhtml": "Show raw HTML",
- "expand_templates_preview": "Preview"
+ "expand_templates_preview": "Preview",
+ "expand_templates_preview_fail_html": "<em>Because {{SITENAME}} has raw
HTML enabled and there was a loss of session data, the preview is hidden as a
precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate
preview attempt, please try again.</strong>\nIf it still does not work, try
[[Special:UserLogout|logging out]] and logging back in.",
+ "expand_templates_preview_fail_html_anon": "<em>Because {{SITENAME}} has
raw HTML enabled and you are not logged in, the preview is hidden as a
precaution against JavaScript attacks.</em>\n\n<strong>If this is a legitimate
preview attempt, please [[Special:UserLogin|log in]] and try again.</strong>"
}
diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
index f69669b..e9bcd44 100644
--- a/languages/i18n/qqq.json
+++ b/languages/i18n/qqq.json
@@ -3694,5 +3694,7 @@
"expand_templates_remove_nowiki": "Option on
[[Special:Expandtemplates]]\n\nHere's what the tick box
does:\n\nFor:\n<pre>\n<nowiki>test</nowiki>\n</pre>\n\nNot
ticked:\n<pre>\n<nowiki>test</nowiki>\n</pre>\n\nTicked:\n<pre>\ntest\n</pre>",
"expand_templates_generate_xml": "Used as checkbox label.",
"expand_templates_generate_rawhtml": "Used as checkbox label.",
- "expand_templates_preview": "{{Identical|Preview}}"
+ "expand_templates_preview": "{{Identical|Preview}}",
+ "expand_templates_preview_fail_html": "Used as error message in Preview
section of [[Special:ExpandTemplates]] page.",
+ "expand_templates_preview_fail_html_anon": "Used as error message in
Preview section of [[Special:ExpandTemplates]] page."
}
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2f1caa57e8fc705ef52fc4b6f351a174b72b33cb
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Mglaser <[email protected]>
Gerrit-Reviewer: PleaseStand <[email protected]>