jenkins-bot has submitted this change and it was merged. Change subject: Disable upload from URL on Special:ImportTranslations by default ......................................................................
Disable upload from URL on Special:ImportTranslations by default In bug 40341, Chris Steipp identified unknown potential attack vectors in allowing users to request arbitrary URLs via MediaWiki. This patch disables the existing feature by adding global $wgTranslateAllowImportFromUrl. It can be reenabled by setting $wgTranslateAllowImportFromUrl to true. Bug: 40341 Change-Id: I01057787abcf9cbcf9796cac7750134858ebff7b --- M Translate.php M specials/SpecialImportTranslations.php 2 files changed, 26 insertions(+), 13 deletions(-) Approvals: Nikerabbit: Looks good to me, approved jenkins-bot: Verified diff --git a/Translate.php b/Translate.php index 7302f7f..fe63d5c 100644 --- a/Translate.php +++ b/Translate.php @@ -17,7 +17,7 @@ /** * Version number used in extension credits and in other places where needed. */ -define( 'TRANSLATE_VERSION', '2013-04-16' ); +define( 'TRANSLATE_VERSION', '2013-04-29' ); /** * Extension credits properties. @@ -608,6 +608,13 @@ */ $wgTranslateUseTux = true; +/** + * Whether to allow uploading gettext files through URLs on + * Special:ImportTranslations. Default is false. + * @since 2013-04-26 + */ +$wgTranslateAllowImportFromUrl = false; + # </source> /** @cond cli_support */ diff --git a/specials/SpecialImportTranslations.php b/specials/SpecialImportTranslations.php index 0a70e79..028c58f 100644 --- a/specials/SpecialImportTranslations.php +++ b/specials/SpecialImportTranslations.php @@ -118,6 +118,8 @@ * Constructs and outputs file input form with supported methods. */ protected function outputForm() { + global $wgTranslateAllowImportFromUrl; + $this->getOutput()->addModules( 'ext.translate.special.importtranslations' ); TranslateUtils::addSpecialHelpLink( $this->getOutput(), 'Help:Extension:Translate/Off-line_translation' ); /** 
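Review bot: The doc comment on the new `$wgTranslateAllowImportFromUrl` in Translate.php says only that the default is false, not why, so an administrator reading the config has no hint that enabling it lets any user with access to Special:ImportTranslations make the server fetch an arbitrary URL (the reason the commit message gives, bug 40341). I would extend the comment with ` * Enabling this lets users make the wiki fetch arbitrary URLs via Http::get(); see bug 40341 before turning it on.` Separately, the `@since 2013-04-26` tag does not match the `TRANSLATE_VERSION` bump to `2013-04-29` in the first hunk of the same file; one of the two dates is presumably stale.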
@@ -139,17 +141,19 @@ $class = array( 'class' => 'mw-translate-import-inputs' ); - $this->getOutput()->addHTML( - Xml::radioLabel( $this->msg( 'translate-import-from-url' )->text(), - 'upload-type', 'url', 'mw-translate-up-url', - $this->getRequest()->getText( 'upload-type' ) === 'url' ) . - "\n" . Xml::closeElement( 'td' ) . Xml::openElement( 'td' ) . "\n" . - Xml::input( 'upload-url', 50, - $this->getRequest()->getText( 'upload-url' ), - array( 'id' => 'mw-translate-up-url-input' ) + $class ) . - "\n" . Xml::closeElement( 'td' ) . Xml::closeElement( 'tr' ) . - Xml::openElement( 'tr' ) . Xml::openElement( 'td' ) . "\n" - ); + if( $wgTranslateAllowImportFromUrl === true ) { + $this->getOutput()->addHTML( + Xml::radioLabel( $this->msg( 'translate-import-from-url' )->text(), + 'upload-type', 'url', 'mw-translate-up-url', + $this->getRequest()->getText( 'upload-type' ) === 'url' ) . + "\n" . Xml::closeElement( 'td' ) . Xml::openElement( 'td' ) . "\n" . + Xml::input( 'upload-url', 50, + $this->getRequest()->getText( 'upload-url' ), + array( 'id' => 'mw-translate-up-url-input' ) + $class ) . + "\n" . Xml::closeElement( 'td' ) . Xml::closeElement( 'tr' ) . + Xml::openElement( 'tr' ) . Xml::openElement( 'td' ) . "\n" + ); + } $this->getOutput()->addHTML( Xml::radioLabel( $this->msg( 'translate-import-from-wiki' )->text(), 
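Review bot: The new guard is written `if( $wgTranslateAllowImportFromUrl === true ) {` without the space after `if`, which departs from the `if ( ... )` spacing used on every other control structure in this file (for instance the `=== 'url'` comparison a few lines below); `if ( $wgTranslateAllowImportFromUrl === true ) {` would match. A smaller point: when the feature is disabled, a request that still carries `upload-type=url` no longer matches any radio button, so none is preselected on re-display; that seems harmless but is worth confirming against the form's default selection. outputForm() starts before this hunk and continues past it.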
@@ -181,9 +185,11 @@ * @return array */ protected function loadFile( &$filedata ) { + global $wgTranslateAllowImportFromUrl; + $source = $this->getRequest()->getText( 'upload-type' ); - if ( $source === 'url' ) { + if ( $source === 'url' && $wgTranslateAllowImportFromUrl === true ) { $url = $this->getRequest()->getText( 'upload-url' ); $filedata = Http::get( $url ); if ( $filedata ) { -- To view, visit https://gerrit.wikimedia.org/r/60983 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I01057787abcf9cbcf9796cac7750134858ebff7b Gerrit-PatchSet: 4 Gerrit-Project: mediawiki/extensions/Translate Gerrit-Branch: master Gerrit-Owner: Siebrand <siebr...@wikimedia.org> Gerrit-Reviewer: CSteipp <cste...@wikimedia.org> Gerrit-Reviewer: Nikerabbit <niklas.laxst...@gmail.com> Gerrit-Reviewer: jenkins-bot _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
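Review bot: With the feature disabled, a submitted `upload-type=url` now silently falls through the `if` to whatever branches follow outside the hunk, so the user gets whatever generic error those produce rather than being told that URL import is switched off; a dedicated early return for the `$source === 'url' && !$wgTranslateAllowImportFromUrl` case, using the same error-array shape loadFile already returns, would make the refusal explicit and easier to spot in logs. The enabled path is still the one the commit message describes as the attack vector, so I would mark it where it is read: `// Server-side fetch of a user-supplied URL; only reachable when $wgTranslateAllowImportFromUrl is set (bug 40341).` above the `Http::get( $url )` call. loadFile() continues beyond the end of this hunk, so the remaining branches are not visible here.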