jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/346846 )
Change subject: SECURITY: Always normalize link url before adding to ParserOutput ...................................................................... SECURITY: Always normalize link url before adding to ParserOutput Move link normalization directly into addExternalLink() method, since you always need to do it - having it separate is just inviting people to forget to normalize a link. Additionally, links weren't properly registered for <gallery>. This was somewhat unnoticed, as the call to recursiveTagParse() would register free links, but it wouldn't work for example with protocol relative links. Issue originally reported by MZMcBride. Bug: T48143 Change-Id: I557fb3b433ef9d618097b6ba4eacc6bada250ca2 --- M RELEASE-NOTES-1.29 M includes/parser/Parser.php M includes/parser/ParserOutput.php 3 files changed, 10 insertions(+), 7 deletions(-) Approvals: Chad: Looks good to me, approved jenkins-bot: Verified diff --git a/RELEASE-NOTES-1.29 b/RELEASE-NOTES-1.29 index 8b099bd..b835eb5 100644 --- a/RELEASE-NOTES-1.29 +++ b/RELEASE-NOTES-1.29 @@ -101,6 +101,8 @@ declaration. * (T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache. +* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion + syntax's link parameter. === Action API changes in 1.29 === * Submitting sensitive authentication request parameters to action=login, diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php index be4557d..953f021 100644 --- a/includes/parser/Parser.php +++ b/includes/parser/Parser.php 
@@ -1610,9 +1610,7 @@ true, 'free', $this->getExternalLinkAttribs( $url ), $this->mTitle ); # Register it in the output object... - # Replace unnecessary URL escape codes with their equivalent characters - $pasteurized = self::normalizeLinkUrl( $url ); - $this->mOutput->addExternalLink( $pasteurized ); + $this->mOutput->addExternalLink( $url ); } return $text . $trail; } @@ -1908,10 +1906,7 @@ $this->getExternalLinkAttribs( $url ), $this->mTitle ) . $dtrail . $trail; # Register link in the output object. - # Replace unnecessary URL escape codes with the referenced character - # This prevents spammers from hiding links from the filters - $pasteurized = self::normalizeLinkUrl( $url ); - $this->mOutput->addExternalLink( $pasteurized ); + $this->mOutput->addExternalLink( $url ); } return $s; @@ -5086,9 +5081,11 @@ } if ( preg_match( "/^($prots)$addr$chars*$/u", $linkValue ) ) { $link = $linkValue; + $this->mOutput->addExternalLink( $link ); } else { $localLinkTitle = Title::newFromText( $linkValue ); if ( $localLinkTitle !== null ) { + $this->mOutput->addLink( $localLinkTitle ); $link = $localLinkTitle->getLinkURL(); } } diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php index b2f99b3..7de3b30 100644 --- a/includes/parser/ParserOutput.php +++ b/includes/parser/ParserOutput.php 
@@ -535,6 +535,10 @@ # We don't register links pointing to our own server, unless... :-) global $wgServer, $wgRegisterInternalExternals; + # Replace unnecessary URL escape codes with the referenced character + # This prevents spammers from hiding links from the filters + $url = parser::normalizeLinkUrl( $url ); + $registerExternalLink = true; if ( !$wgRegisterInternalExternals ) { $registerExternalLink = !self::isLinkInternal( $wgServer, $url ); -- To view, visit https://gerrit.wikimedia.org/r/346846 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I557fb3b433ef9d618097b6ba4eacc6bada250ca2 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: master Gerrit-Owner: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: C. Scott Ananian <canan...@wikimedia.org> Gerrit-Reviewer: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Jackmcbarn <jackmcb...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
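Review bot: the new RELEASE-NOTES-1.29 line only names the file inclusion syntax's link parameter, while the commit message says links were also not registered for <gallery> and that protocol-relative links slipped past recursiveTagParse(); extend the note (for example "inside file inclusion and <gallery> link parameters") so operators reading the notes know which syntax was affected. The "it's fallback chain" in the unchanged context line above it is a pre-existing typo (should be "its"), worth a follow-up.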
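Review bot: in the @@ -1610 hunk (free links), dropping the local $pasteurized step is only correct because ParserOutput::addExternalLink() now normalizes on entry; a one-line comment such as "# normalized by addExternalLink()" at the call site would stop the next reader from reintroducing a second normalization, and please confirm Parser::normalizeLinkUrl() is idempotent, since any extension that still normalizes before calling addExternalLink() will now normalize twice. Note the rendered anchor still receives the raw $url via makeExternalLink(), as before; only the registered copy is normalized, which is what the filters need.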
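Review bot: in the @@ -1908 hunk (bracketed external links) the removed comment "This prevents spammers from hiding links from the filters" was the only explanation at this call site of why the registered string may differ from the rendered one; the reasoning now lives in ParserOutput, so leave a short pointer to addExternalLink() here rather than nothing, otherwise the asymmetry between $url in makeExternalLink() and the normalized registration looks accidental.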
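Review bot: in the @@ -5086 hunk the internal branch now calls $this->mOutput->addLink( $localLinkTitle ) for every link= value that Title::newFromText() accepts, which includes interwiki-prefixed and special-page titles; confirm addLink() routes those correctly (interwiki targets belong in the interwiki registration, not pagelinks) instead of relying on this caller. Registering the external $link at the point it is accepted by the preg_match is the safe direction for the spam blacklist, since every candidate URL is seen. The addLink() call is also a functional change beyond the security fix (a link= to a local page will now appear in pagelinks), and should be mentioned in the commit message or release note.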
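Review bot: in the @@ -535 ParserOutput.php hunk, `$url = parser::normalizeLinkUrl( $url );` uses a lowercase class name; PHP resolves class names case-insensitively so it runs, but it defeats grep and IDE lookup and the rest of the code base writes `Parser::`, so change it to `$url = Parser::normalizeLinkUrl( $url );`. Normalizing before the isLinkInternal( $wgServer, $url ) check is the right order, since an encoded host could otherwise be classified differently from its decoded form. This does give ParserOutput a hard dependency on Parser for a pure string helper; if that coupling is unwanted, move normalizeLinkUrl() to a standalone helper class.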
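The bypass this change closes is easiest to see with a small model of the two halves involved: a regex-based spam blacklist that matches on URL text, and the normalization that decodes escape codes spammers use to hide a blacklisted hostname. The code below is an added illustration written for this page, not MediaWiki's Parser::normalizeLinkUrl() or SpamBlacklist code; the set of characters kept escaped, the blacklist patterns, the sample URLs and the LinkRegistry class are all constructed here. LinkRegistry normalizes on entry, mirroring the structural point of the patch (callers cannot forget the step), and the example also feeds it a protocol-relative gallery link, the case the commit message says recursiveTagParse() missed.

```python
import re

# Characters that stay percent-encoded even after normalization: anything
# outside printable ASCII, plus these URL delimiters (an assumption for this
# example, modelled on a reserved/unsafe set; not MediaWiki's exact list).
KEEP_ESCAPED = set('"#%<>[\\]^`{|}')

_ESCAPE_RE = re.compile(r'%[0-9A-Fa-f]{2}')


def normalize_link_url(url: str) -> str:
    """Decode percent-escapes that never needed escaping and upper-case the hex
    digits of the ones that must remain, so equivalent spellings of a URL compare
    equal before blacklist matching. The result is for registration/filtering,
    not for rewriting the href that is rendered."""
    def repl(m: re.Match) -> str:
        code = int(m.group(0)[1:], 16)
        ch = chr(code)
        if 32 < code < 127 and ch not in KEEP_ESCAPED:
            return ch                      # unnecessary escape: decode it
        return m.group(0).upper()          # required escape: canonical case
    return _ESCAPE_RE.sub(repl, url)


# Constructed blacklist, one regex per entry, in the style of a text-matching
# spam filter.
BLACKLIST_PATTERNS = [
    r'spamdomain\.example',
    r'buy-cheap-pills',
]
_BLACKLIST_RE = re.compile('|'.join(BLACKLIST_PATTERNS), re.IGNORECASE)


def is_blacklisted(url: str, normalize: bool = True) -> bool:
    """Match the blacklist against the URL text. With normalize=False this is the
    vulnerable behaviour: '%64' in 'spam%64omain' never matches 'spamdomain'."""
    target = normalize_link_url(url) if normalize else url
    return _BLACKLIST_RE.search(target) is not None


class LinkRegistry:
    """Stand-in for a parser output object. Every external URL is normalized on
    entry, so no caller (free links, bracketed links, image or gallery link=
    parameters) can register an un-normalized copy by forgetting a step."""

    def __init__(self) -> None:
        self.external: set[str] = set()

    def add_external_link(self, url: str) -> None:
        self.external.add(normalize_link_url(url))

    def blacklisted_links(self) -> list[str]:
        return sorted(u for u in self.external if is_blacklisted(u))


def scan_page(link_values: list[str]) -> list[str]:
    """Register every link value a page produced and report the ones the
    blacklist catches after normalization."""
    registry = LinkRegistry()
    for value in link_values:
        registry.add_external_link(value)
    return registry.blacklisted_links()


if __name__ == '__main__':
    # Constructed sample: a free link, a harmless escaped path, and a
    # protocol-relative gallery link= value hiding the blacklisted host.
    page_links = [
        'http://spam%64omain.example/',
        'http://example.org/%7euser?q=a%3cb',
        '//spam%64omain.example/landing',
    ]
    for u in page_links:
        print(f'{u:45} raw={is_blacklisted(u, normalize=False)!s:5} '
              f'normalized={is_blacklisted(u)}')
    print('flagged after registration:', scan_page(page_links))
```

The raw check misses both spam URLs because the regex is looking for the literal string `spamdomain` and the page text contains `spam%64omain`; after normalization the registry holds `spamdomain.example` and both are flagged, including the protocol-relative one, which a regex that only recognizes `http://`-style free links would never have registered in the first place.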