subject:"\[MediaWiki\-commits\] \[Gerrit\] mediawiki\/core\[REL1_27\]\: SECURITY\: Do not directly redirect to interwikis, but use sp..."

[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not directly redirect to interwikis, but use sp...

2017-04-06 Thread jenkins-bot (Code Review)

jenkins-bot has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/346848 )

Change subject: SECURITY: Do not directly redirect to interwikis, but use 
splash page
..


SECURITY: Do not directly redirect to interwikis, but use splash page

Directly redirecting based on a url paramter might potentially
be used in a phishing attack to confuse users.

Bug: T109140
Bug: T122209
Change-Id: I6c604439320fa876719933cc7f3a3ff04fb1a6ad
---
M RELEASE-NOTES-1.27
M autoload.php
M includes/OutputPage.php
M includes/Title.php
M includes/specialpage/RedirectSpecialPage.php
M includes/specialpage/SpecialPageFactory.php
M includes/specials/SpecialChangeCredentials.php
M includes/specials/SpecialChangeEmail.php
A includes/specials/SpecialGoToInterwiki.php
M includes/specials/SpecialPageLanguage.php
M includes/specials/SpecialPreferences.php
M includes/specials/SpecialSearch.php
M includes/specials/helpers/LoginHelper.php
M languages/i18n/en.json
M languages/i18n/qqq.json
M languages/messages/MessagesEn.php
16 files changed, 129 insertions(+), 10 deletions(-)

Approvals:
  Chad: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 3a496f2..3df89e0 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -23,6 +23,8 @@
 * (T145635) Fix too long index error when installing with MSSQL.
 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is 
installed.
+* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow 
redirect
+  to interwiki links.
 
 == MediaWiki 1.27.1 ==
 
diff --git a/autoload.php b/autoload.php
index f36e613..dbba50d 100644
--- a/autoload.php
+++ b/autoload.php
@@ -1255,6 +1255,7 @@
'SpecialExpandTemplates' => __DIR__ . 
'/includes/specials/SpecialExpandTemplates.php',
'SpecialExport' => __DIR__ . '/includes/specials/SpecialExport.php',
'SpecialFilepath' => __DIR__ . '/includes/specials/SpecialFilepath.php',
+   'SpecialGoToInterwiki' => __DIR__ . 
'/includes/specials/SpecialGoToInterwiki.php',
'SpecialImport' => __DIR__ . '/includes/specials/SpecialImport.php',
'SpecialJavaScriptTest' => __DIR__ . 
'/includes/specials/SpecialJavaScriptTest.php',
'SpecialLinkAccounts' => __DIR__ . 
'/includes/specials/SpecialLinkAccounts.php',
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 1985ab4..e5be2c7 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2639,7 +2639,9 @@
} else {
$titleObj = Title::newFromText( $returnto );
}
-   if ( !is_object( $titleObj ) ) {
+   // We don't want people to return to external interwiki. That
+   // might potentially be used as part of a phishing scheme
+   if ( !is_object( $titleObj ) || $titleObj->isExternal() ) {
$titleObj = Title::newMainPage();
}
 
diff --git a/includes/Title.php b/includes/Title.php
index 589130d..6ba53d6 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -1682,6 +1682,33 @@
}
 
/**
+* Get a url appropriate for making redirects based on an untrusted url 
arg
+*
+* This is basically the same as getFullUrl(), but in the case of 
external
+* interwikis, we send the user to a landing page, to prevent possible
+* phishing attacks and the like.
+*
+* @note Uses current protocol by default, since technically relative 
urls
+*   aren't allowed in redirects per HTTP spec, so this is not suitable 
for
+*   places where the url gets cached, as might pollute between
+*   https and non-https users.
+* @see self::getLocalURL for the arguments.
+* @param array|string $query
+* @param string $proto Protocol type to use in URL
+* @return String. A url suitable to use in an HTTP location header.
+*/
+   public function getFullUrlForRedirect( $query = '', $proto = 
PROTO_CURRENT ) {
+   $target = $this;
+   if ( $this->isExternal() ) {
+   $target = SpecialPage::getTitleFor(
+   'GoToInterwiki',
+   $this->getPrefixedDBKey()
+   );
+   }
+   return $target->getFullUrl( $query, false, $proto );
+   }
+
+   /**
 * Get a URL with no fragment or server name (relative URL) from a 
Title object.
 * If this page is generated with action=render, however,
 * $wgServer is prepended to make an absolute URL.
diff --git a/includes/specialpage/RedirectSpecialPage.php 
b/includes/specialpage/RedirectSpecialPage.php
index ea7d783..01787d3 100644
---

[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not directly redirect to interwikis, but use sp...

2017-04-06 Thread Chad (Code Review)

Chad has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/346848 )

Change subject: SECURITY: Do not directly redirect to interwikis, but use 
splash page
..

SECURITY: Do not directly redirect to interwikis, but use splash page

Directly redirecting based on a url paramter might potentially
be used in a phishing attack to confuse users.

Bug: T109140
Bug: T122209
Change-Id: I6c604439320fa876719933cc7f3a3ff04fb1a6ad
---
M RELEASE-NOTES-1.27
M autoload.php
M includes/OutputPage.php
M includes/Title.php
M includes/specialpage/RedirectSpecialPage.php
M includes/specialpage/SpecialPageFactory.php
M includes/specials/SpecialChangeCredentials.php
M includes/specials/SpecialChangeEmail.php
A includes/specials/SpecialGoToInterwiki.php
M includes/specials/SpecialPageLanguage.php
M includes/specials/SpecialPreferences.php
M includes/specials/SpecialSearch.php
M includes/specials/helpers/LoginHelper.php
M languages/i18n/en.json
M languages/i18n/qqq.json
M languages/messages/MessagesEn.php
16 files changed, 129 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core 
refs/changes/48/346848/1

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 3a496f2..3df89e0 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -23,6 +23,8 @@
 * (T145635) Fix too long index error when installing with MSSQL.
 * (T156184) $wgRawHtml will no longer apply to internationalization messages.
 * (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is 
installed.
+* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow 
redirect
+  to interwiki links.
 
 == MediaWiki 1.27.1 ==
 
diff --git a/autoload.php b/autoload.php
index f36e613..dbba50d 100644
--- a/autoload.php
+++ b/autoload.php
@@ -1255,6 +1255,7 @@
'SpecialExpandTemplates' => __DIR__ . 
'/includes/specials/SpecialExpandTemplates.php',
'SpecialExport' => __DIR__ . '/includes/specials/SpecialExport.php',
'SpecialFilepath' => __DIR__ . '/includes/specials/SpecialFilepath.php',
+   'SpecialGoToInterwiki' => __DIR__ . 
'/includes/specials/SpecialGoToInterwiki.php',
'SpecialImport' => __DIR__ . '/includes/specials/SpecialImport.php',
'SpecialJavaScriptTest' => __DIR__ . 
'/includes/specials/SpecialJavaScriptTest.php',
'SpecialLinkAccounts' => __DIR__ . 
'/includes/specials/SpecialLinkAccounts.php',
diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 1985ab4..e5be2c7 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -2639,7 +2639,9 @@
} else {
$titleObj = Title::newFromText( $returnto );
}
-   if ( !is_object( $titleObj ) ) {
+   // We don't want people to return to external interwiki. That
+   // might potentially be used as part of a phishing scheme
+   if ( !is_object( $titleObj ) || $titleObj->isExternal() ) {
$titleObj = Title::newMainPage();
}
 
diff --git a/includes/Title.php b/includes/Title.php
index 589130d..6ba53d6 100644
--- a/includes/Title.php
+++ b/includes/Title.php
@@ -1682,6 +1682,33 @@
}
 
/**
+* Get a url appropriate for making redirects based on an untrusted url 
arg
+*
+* This is basically the same as getFullUrl(), but in the case of 
external
+* interwikis, we send the user to a landing page, to prevent possible
+* phishing attacks and the like.
+*
+* @note Uses current protocol by default, since technically relative 
urls
+*   aren't allowed in redirects per HTTP spec, so this is not suitable 
for
+*   places where the url gets cached, as might pollute between
+*   https and non-https users.
+* @see self::getLocalURL for the arguments.
+* @param array|string $query
+* @param string $proto Protocol type to use in URL
+* @return String. A url suitable to use in an HTTP location header.
+*/
+   public function getFullUrlForRedirect( $query = '', $proto = 
PROTO_CURRENT ) {
+   $target = $this;
+   if ( $this->isExternal() ) {
+   $target = SpecialPage::getTitleFor(
+   'GoToInterwiki',
+   $this->getPrefixedDBKey()
+   );
+   }
+   return $target->getFullUrl( $query, false, $proto );
+   }
+
+   /**
 * Get a URL with no fragment or server name (relative URL) from a 
Title object.
 * If this page is generated with action=render, however,
 * $wgServer is prepended to make an absolute URL.
diff --git a/includes/specialpage/RedirectSpecialPage.php 
b/includes/specialpage/RedirectSpecialPage.php
index ea7d783..01787d3 100644
---

[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not directly redirect to interwikis, but use sp...

[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not directly redirect to interwikis, but use sp...

2 matches

Site Navigation

Mail list logo

Footer information