[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not directly redirect to interwikis, but use sp...
jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/346848 ) Change subject: SECURITY: Do not directly redirect to interwikis, but use splash page .. SECURITY: Do not directly redirect to interwikis, but use splash page Directly redirecting based on a url paramter might potentially be used in a phishing attack to confuse users. Bug: T109140 Bug: T122209 Change-Id: I6c604439320fa876719933cc7f3a3ff04fb1a6ad --- M RELEASE-NOTES-1.27 M autoload.php M includes/OutputPage.php M includes/Title.php M includes/specialpage/RedirectSpecialPage.php M includes/specialpage/SpecialPageFactory.php M includes/specials/SpecialChangeCredentials.php M includes/specials/SpecialChangeEmail.php A includes/specials/SpecialGoToInterwiki.php M includes/specials/SpecialPageLanguage.php M includes/specials/SpecialPreferences.php M includes/specials/SpecialSearch.php M includes/specials/helpers/LoginHelper.php M languages/i18n/en.json M languages/i18n/qqq.json M languages/messages/MessagesEn.php 16 files changed, 129 insertions(+), 10 deletions(-) Approvals: Chad: Looks good to me, approved jenkins-bot: Verified diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 3a496f2..3df89e0 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -23,6 +23,8 @@ * (T145635) Fix too long index error when installing with MSSQL. * (T156184) $wgRawHtml will no longer apply to internationalization messages. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. == MediaWiki 1.27.1 == diff --git a/autoload.php b/autoload.php index f36e613..dbba50d 100644 --- a/autoload.php +++ b/autoload.php @@ -1255,6 +1255,7 @@ 'SpecialExpandTemplates' => __DIR__ . '/includes/specials/SpecialExpandTemplates.php', 'SpecialExport' => __DIR__ . '/includes/specials/SpecialExport.php', 'SpecialFilepath' => __DIR__ . '/includes/specials/SpecialFilepath.php', + 'SpecialGoToInterwiki' => __DIR__ . '/includes/specials/SpecialGoToInterwiki.php', 'SpecialImport' => __DIR__ . '/includes/specials/SpecialImport.php', 'SpecialJavaScriptTest' => __DIR__ . '/includes/specials/SpecialJavaScriptTest.php', 'SpecialLinkAccounts' => __DIR__ . '/includes/specials/SpecialLinkAccounts.php', diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 1985ab4..e5be2c7 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -2639,7 +2639,9 @@ } else { $titleObj = Title::newFromText( $returnto ); } - if ( !is_object( $titleObj ) ) { + // We don't want people to return to external interwiki. That + // might potentially be used as part of a phishing scheme + if ( !is_object( $titleObj ) || $titleObj->isExternal() ) { $titleObj = Title::newMainPage(); } diff --git a/includes/Title.php b/includes/Title.php index 589130d..6ba53d6 100644 --- a/includes/Title.php +++ b/includes/Title.php @@ -1682,6 +1682,33 @@ } /** +* Get a url appropriate for making redirects based on an untrusted url arg +* +* This is basically the same as getFullUrl(), but in the case of external +* interwikis, we send the user to a landing page, to prevent possible +* phishing attacks and the like. +* +* @note Uses current protocol by default, since technically relative urls +* aren't allowed in redirects per HTTP spec, so this is not suitable for +* places where the url gets cached, as might pollute between +* https and non-https users. +* @see self::getLocalURL for the arguments. +* @param array|string $query +* @param string $proto Protocol type to use in URL +* @return String. A url suitable to use in an HTTP location header. +*/ + public function getFullUrlForRedirect( $query = '', $proto = PROTO_CURRENT ) { + $target = $this; + if ( $this->isExternal() ) { + $target = SpecialPage::getTitleFor( + 'GoToInterwiki', + $this->getPrefixedDBKey() + ); + } + return $target->getFullUrl( $query, false, $proto ); + } + + /** * Get a URL with no fragment or server name (relative URL) from a Title object. * If this page is generated with action=render, however, * $wgServer is prepended to make an absolute URL. diff --git a/includes/specialpage/RedirectSpecialPage.php b/includes/specialpage/RedirectSpecialPage.php index ea7d783..01787d3 100644 ---
[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not directly redirect to interwikis, but use sp...
Chad has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/346848 ) Change subject: SECURITY: Do not directly redirect to interwikis, but use splash page .. SECURITY: Do not directly redirect to interwikis, but use splash page Directly redirecting based on a url paramter might potentially be used in a phishing attack to confuse users. Bug: T109140 Bug: T122209 Change-Id: I6c604439320fa876719933cc7f3a3ff04fb1a6ad --- M RELEASE-NOTES-1.27 M autoload.php M includes/OutputPage.php M includes/Title.php M includes/specialpage/RedirectSpecialPage.php M includes/specialpage/SpecialPageFactory.php M includes/specials/SpecialChangeCredentials.php M includes/specials/SpecialChangeEmail.php A includes/specials/SpecialGoToInterwiki.php M includes/specials/SpecialPageLanguage.php M includes/specials/SpecialPreferences.php M includes/specials/SpecialSearch.php M includes/specials/helpers/LoginHelper.php M languages/i18n/en.json M languages/i18n/qqq.json M languages/messages/MessagesEn.php 16 files changed, 129 insertions(+), 10 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/48/346848/1 diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 3a496f2..3df89e0 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -23,6 +23,8 @@ * (T145635) Fix too long index error when installing with MSSQL. * (T156184) $wgRawHtml will no longer apply to internationalization messages. * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed. +* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect + to interwiki links. == MediaWiki 1.27.1 == diff --git a/autoload.php b/autoload.php index f36e613..dbba50d 100644 --- a/autoload.php +++ b/autoload.php @@ -1255,6 +1255,7 @@ 'SpecialExpandTemplates' => __DIR__ . '/includes/specials/SpecialExpandTemplates.php', 'SpecialExport' => __DIR__ . '/includes/specials/SpecialExport.php', 'SpecialFilepath' => __DIR__ . '/includes/specials/SpecialFilepath.php', + 'SpecialGoToInterwiki' => __DIR__ . '/includes/specials/SpecialGoToInterwiki.php', 'SpecialImport' => __DIR__ . '/includes/specials/SpecialImport.php', 'SpecialJavaScriptTest' => __DIR__ . '/includes/specials/SpecialJavaScriptTest.php', 'SpecialLinkAccounts' => __DIR__ . '/includes/specials/SpecialLinkAccounts.php', diff --git a/includes/OutputPage.php b/includes/OutputPage.php index 1985ab4..e5be2c7 100644 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@ -2639,7 +2639,9 @@ } else { $titleObj = Title::newFromText( $returnto ); } - if ( !is_object( $titleObj ) ) { + // We don't want people to return to external interwiki. That + // might potentially be used as part of a phishing scheme + if ( !is_object( $titleObj ) || $titleObj->isExternal() ) { $titleObj = Title::newMainPage(); } diff --git a/includes/Title.php b/includes/Title.php index 589130d..6ba53d6 100644 --- a/includes/Title.php +++ b/includes/Title.php @@ -1682,6 +1682,33 @@ } /** +* Get a url appropriate for making redirects based on an untrusted url arg +* +* This is basically the same as getFullUrl(), but in the case of external +* interwikis, we send the user to a landing page, to prevent possible +* phishing attacks and the like. +* +* @note Uses current protocol by default, since technically relative urls +* aren't allowed in redirects per HTTP spec, so this is not suitable for +* places where the url gets cached, as might pollute between +* https and non-https users. +* @see self::getLocalURL for the arguments. +* @param array|string $query +* @param string $proto Protocol type to use in URL +* @return String. A url suitable to use in an HTTP location header. +*/ + public function getFullUrlForRedirect( $query = '', $proto = PROTO_CURRENT ) { + $target = $this; + if ( $this->isExternal() ) { + $target = SpecialPage::getTitleFor( + 'GoToInterwiki', + $this->getPrefixedDBKey() + ); + } + return $target->getFullUrl( $query, false, $proto ); + } + + /** * Get a URL with no fragment or server name (relative URL) from a Title object. * If this page is generated with action=render, however, * $wgServer is prepended to make an absolute URL. diff --git a/includes/specialpage/RedirectSpecialPage.php b/includes/specialpage/RedirectSpecialPage.php index ea7d783..01787d3 100644 ---