Paladox has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/333345 )
Change subject: SECURITY: Disallow user CSS/JS when centralauthtoken is in use
......................................................................
SECURITY: Disallow user CSS/JS when centralauthtoken is in use
This prevents an attacker from putting something bad in their User:Me/apioutput.js or User:Me/apioutput.css and then using centralauthtoken to cause it to be loaded for some other user.
Bug: T144573
Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
(cherry picked from commit ff8906162f583da889b04c323730d3c0aef6e2d7)
---
M includes/session/CentralAuthTokenSessionProvider.php
1 file changed, 18 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/CentralAuth refs/changes/45/333345/1
diff --git a/includes/session/CentralAuthTokenSessionProvider.php b/includes/session/CentralAuthTokenSessionProvider.php
index 161b3de..7662ffe 100644
--- a/includes/session/CentralAuthTokenSessionProvider.php
+++ b/includes/session/CentralAuthTokenSessionProvider.php
@@ -21,6 +21,7 @@
 parent::__construct();
 $wgHooks['APIGetAllowedParams'][] = $this;
+ $wgHooks['BeforePageDisplay'][] = $this;
 }
 /**
@@ -216,4 +217,21 @@
 return true;
 }
+ /**
+ * Prevent user scripts and styles when centralauthtoken is in use
+ * @param OutputPage $out
+ * @return bool
+ */
+ public function onBeforePageDisplay( $out ) {
+ if ( $out->getRequest()->getSession()->getProvider() instanceof CentralAuthTokenSessionProvider ) {
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ }
+ return true;
+ }
+
 }
--
To view, visit https://gerrit.wikimedia.org/r/333345
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: REL1_27
Gerrit-Owner: Paladox <thomasmulhall...@yahoo.com>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
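Review bot: The docblock on `onBeforePageDisplay` overstates what the method does: lowering the allowed origin to `ORIGIN_USER_SITEWIDE` blocks only per-user modules (`ORIGIN_USER_INDIVIDUAL`, the User:Me/apioutput.js vector named in the commit message), while site-wide user scripts and styles such as gadgets still load, so I would word it `* Block per-user scripts and styles (ORIGIN_USER_INDIVIDUAL) when the session was established via centralauthtoken; site-wide user modules stay allowed.` A why-comment above the `instanceof` test would also help the next maintainer, e.g. `// A session from this provider means the request authenticated with centralauthtoken rather than a session cookie.` — that reading is inferred from the class's role, so confirm it against the rest of the provider, which is outside this hunk. As a minor style point, `$out` could carry the `OutputPage` type hint the docblock already promises: `public function onBeforePageDisplay( OutputPage $out ) {`. The method itself is complete within the hunk; the constructor hunk above relies on `$wgHooks` already being declared `global` earlier in the constructor, which lies outside that hunk.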