[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Make anchor for headlines escape > and <
Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391379 ) Change subject: SECURITY: Make anchor for headlines escape > and < .. SECURITY: Make anchor for headlines escape > and < As a hardening step against language converter and its crazy regexes. Bug: T125163 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5 --- M RELEASE-NOTES-1.27 M includes/Linker.php 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 2f7a2e9..1fb2380 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -24,6 +24,7 @@ * (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/Linker.php b/includes/Linker.php index 5717fba..70488c5 100644 --- a/includes/Linker.php +++ b/includes/Linker.php 
@@ -1789,22 +1789,24 @@ * a space and ending with '>' * This *must* be at least '>' for no attribs * @param string $anchor The anchor to give the headline (the bit after the #) -* @param string $html Html for the text of the header +* @param string $html HTML for the text of the header * @param string $link HTML to add for the section edit link -* @param bool|string $legacyAnchor A second, optional anchor to give for +* @param string|bool $fallbackAnchor A second, optional anchor to give for * backward compatibility (false to omit) * * @return string HTML headline */ public static function makeHeadline( $level, $attribs, $anchor, $html, - $link, $legacyAnchor = false + $link, $fallbackAnchor = false ) { + $anchorEscaped = htmlspecialchars( $anchor ); $ret = "Gerrit-Reviewer: MaxSem Gerrit-Reviewer: Reedy ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
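Review bot: the one new statement visible in the Linker.php hunk, `$anchorEscaped = htmlspecialchars( $anchor );`, calls htmlspecialchars() with no flags; on the PHP versions REL1_27 targets the default is ENT_COMPAT, which escapes &, <, > and " but leaves ' untouched, so the escaped value is only safe inside double-quoted attributes. Pass ENT_QUOTES (or build the headline with Html::element()) so the guarantee does not depend on how the string is quoted downstream. The hunk header says the function body grew from 22 to 24 lines, but the copy on this page stops at `$ret = "`, so where $anchorEscaped is used, and whether $fallbackAnchor gets the same treatment, cannot be checked here; the fallback anchor is emitted for the same purpose as $anchor and should be escaped identically.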
[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Make anchor for headlines escape > and <
Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391379 ) Change subject: SECURITY: Make anchor for headlines escape > and < .. SECURITY: Make anchor for headlines escape > and < As a hardening step against language converter and its crazy regexes. Bug: T125163 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5 --- M RELEASE-NOTES-1.27 M includes/Linker.php 2 files changed, 9 insertions(+), 6 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/79/391379/1 diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 2f7a2e9..1fb2380 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -24,6 +24,7 @@ * (T128209) SECURITY: Reflected File Download from api.php. * (T134100) SECURITY: Do not reveal if user exists during login failure. * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS. +* (T125163) SECURITY: Make anchor for headlines escape > and <. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/Linker.php b/includes/Linker.php index 5717fba..70488c5 100644 --- a/includes/Linker.php +++ b/includes/Linker.php 
@@ -1789,22 +1789,24 @@ * a space and ending with '>' * This *must* be at least '>' for no attribs * @param string $anchor The anchor to give the headline (the bit after the #) -* @param string $html Html for the text of the header +* @param string $html HTML for the text of the header * @param string $link HTML to add for the section edit link -* @param bool|string $legacyAnchor A second, optional anchor to give for +* @param string|bool $fallbackAnchor A second, optional anchor to give for * backward compatibility (false to omit) * * @return string HTML headline */ public static function makeHeadline( $level, $attribs, $anchor, $html, - $link, $legacyAnchor = false + $link, $fallbackAnchor = false ) { + $anchorEscaped = htmlspecialchars( $anchor ); $ret = "Gerrit-Reviewer: MaxSem ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
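Review bot: the rename of `$legacyAnchor` to `$fallbackAnchor` in makeHeadline()'s signature and docblock is unrelated to the escaping fix and is being backported to a release branch; it is harmless for callers, which pass the argument positionally, but it widens the diff a security backport has to be reviewed against. Keep the backport to the escaping change, or call the rename out in the commit message. Also, the docblock for `$anchor` still reads only "The anchor to give the headline (the bit after the #)"; now that the function escapes it, document that callers pass the raw, unescaped anchor so nobody escapes it twice.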
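The pattern the patch hardens, as an added example in PHP that is not code from MediaWiki or from this change: a headline builder that interpolates the anchor unescaped, beside one that runs it through htmlspecialchars() first. The function names, the markup layout and the sample anchors are assumptions for illustration; the ENT_COMPAT default stands in for the flag-less call in the patch as it behaved on the PHP versions REL1_27 supported.

```php
<?php
declare( strict_types = 1 );

// Added example, not code from MediaWiki or from the change under review.
// It models the pattern the patch hardens: a section anchor (the bit after
// the '#') interpolated into an id="..." attribute and a href="#..." link.
// Function names, markup layout and sample anchors are assumptions.

/** 'Before' shape: the anchor is dropped into the markup untouched. */
function headlineUnescaped( int $level, string $anchor, string $html ): string {
    return "<h$level><span class=\"mw-headline\" id=\"$anchor\">$html</span>"
        . " <a href=\"#$anchor\">#</a></h$level>";
}

/**
 * 'After' shape: the anchor goes through htmlspecialchars() first.
 * ENT_COMPAT is what a flag-less htmlspecialchars() meant on PHP 5.x/7.x:
 * it escapes &, <, > and " but leaves ' alone. ENT_QUOTES also covers '.
 */
function headlineEscaped( int $level, string $anchor, string $html, int $flags = ENT_COMPAT ): string {
    $anchorEscaped = htmlspecialchars( $anchor, $flags );
    return "<h$level><span class=\"mw-headline\" id=\"$anchorEscaped\">$html</span>"
        . " <a href=\"#$anchorEscaped\">#</a></h$level>";
}

/** Distinct tag names that appear in $markup, in order of first appearance. */
function elementsIn( string $markup ): array {
    preg_match_all( '/<\/?([a-zA-Z][a-zA-Z0-9]*)/', $markup, $m );
    return array_values( array_unique( $m[1] ) );
}

// Constructed anchors: the second is the classic attribute break-out, the
// third only works against a single-quoted attribute.
$anchors = [
    'Plain_heading',
    'x"><img src=x onerror=alert(1)>',
    "x' onmouseover='alert(1)",
];

foreach ( $anchors as $anchor ) {
    echo "anchor: $anchor\n";
    echo "  before:             ", headlineUnescaped( 2, $anchor, 'Title' ), "\n";
    echo "  after (ENT_COMPAT): ", headlineEscaped( 2, $anchor, 'Title' ), "\n";
    echo "  after (ENT_QUOTES): ", headlineEscaped( 2, $anchor, 'Title', ENT_QUOTES ), "\n";
    echo "  elements before:    ", implode( ',', elementsIn( headlineUnescaped( 2, $anchor, 'Title' ) ) ), "\n";
    echo "  elements after:     ", implode( ',', elementsIn( headlineEscaped( 2, $anchor, 'Title' ) ) ), "\n";
}
```

For the second anchor the unescaped builder yields h2, span, img and a as elements, the escaped one only h2, span and a. The third anchor passes through ENT_COMPAT unchanged, which is harmless inside the double-quoted attributes used here but would not be inside a single-quoted one; that is the reason to prefer ENT_QUOTES when the call site that consumes the escaped anchor is not in view.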