[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Make anchor for headlines escape > and

2017-11-14 Thread Reedy (Code Review)
Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391379 )

Change subject: SECURITY: Make anchor for headlines escape > and <
..


SECURITY: Make anchor for headlines escape > and <

As a hardening step against language converter and its crazy regexes.

Bug: T125163
Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
---
M RELEASE-NOTES-1.27
M includes/Linker.php
2 files changed, 9 insertions(+), 6 deletions(-)



diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 2f7a2e9..1fb2380 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -24,6 +24,7 @@
 * (T128209) SECURITY: Reflected File Download from api.php.
 * (T134100) SECURITY: Do not reveal if user exists during login failure.
 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
+* (T125163) SECURITY: Make anchor for headlines escape > and <.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension 
was
diff --git a/includes/Linker.php b/includes/Linker.php
index 5717fba..70488c5 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1789,22 +1789,24 @@
 *   a space and ending with '>'
 *   This *must* be at least '>' for no attribs
 * @param string $anchor The anchor to give the headline (the bit after 
the #)
-* @param string $html Html for the text of the header
+* @param string $html HTML for the text of the header
 * @param string $link HTML to add for the section edit link
-* @param bool|string $legacyAnchor A second, optional anchor to give 
for
+* @param string|bool $fallbackAnchor A second, optional anchor to give 
for
 *   backward compatibility (false to omit)
 *
 * @return string HTML headline
 */
public static function makeHeadline( $level, $attribs, $anchor, $html,
-   $link, $legacyAnchor = false
+   $link, $fallbackAnchor = false
) {
+   $anchorEscaped = htmlspecialchars( $anchor );
$ret = "
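Review bot: the Linker.php hunk as quoted in this mail stops at `$ret = "`, so the lines that actually substitute `$anchorEscaped` for `$anchor` in the headline's attributes are not visible and cannot be checked here; the computed `$anchorEscaped` is only useful if every place the raw `$anchor` was interpolated now uses it, and `$fallbackAnchor` (the renamed `$legacyAnchor`, which ends up in markup the same way) needs the same `htmlspecialchars()` treatment. Since `htmlspecialchars()` with its default flags escapes `<`, `>`, `&` and `"` but, before PHP 8.1, not `'`, the escaped value must only be placed inside double-quoted attributes. Minor: the docblock `@param` type for the renamed parameter changed from `bool|string` to `string|bool`; keep whichever order the rest of the file uses.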
Gerrit-Reviewer: MaxSem 
Gerrit-Reviewer: Reedy 

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Make anchor for headlines escape > and

2017-11-14 Thread Reedy (Code Review)
Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391379 )

Change subject: SECURITY: Make anchor for headlines escape > and <
..

SECURITY: Make anchor for headlines escape > and <

As a hardening step against language converter and its crazy regexes.

Bug: T125163
Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
---
M RELEASE-NOTES-1.27
M includes/Linker.php
2 files changed, 9 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/79/391379/1

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 2f7a2e9..1fb2380 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -24,6 +24,7 @@
 * (T128209) SECURITY: Reflected File Download from api.php.
 * (T134100) SECURITY: Do not reveal if user exists during login failure.
 * (T176247) SECURITY: Ensure Message::rawParams can't lead to XSS.
+* (T125163) SECURITY: Make anchor for headlines escape > and <.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension 
was
diff --git a/includes/Linker.php b/includes/Linker.php
index 5717fba..70488c5 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1789,22 +1789,24 @@
 *   a space and ending with '>'
 *   This *must* be at least '>' for no attribs
 * @param string $anchor The anchor to give the headline (the bit after 
the #)
-* @param string $html Html for the text of the header
+* @param string $html HTML for the text of the header
 * @param string $link HTML to add for the section edit link
-* @param bool|string $legacyAnchor A second, optional anchor to give 
for
+* @param string|bool $fallbackAnchor A second, optional anchor to give 
for
 *   backward compatibility (false to omit)
 *
 * @return string HTML headline
 */
public static function makeHeadline( $level, $attribs, $anchor, $html,
-   $link, $legacyAnchor = false
+   $link, $fallbackAnchor = false
) {
+   $anchorEscaped = htmlspecialchars( $anchor );
$ret = "
Gerrit-Reviewer: MaxSem 
