https://bugzilla.wikimedia.org/show_bug.cgi?id=66776

            Bug ID: 66776
           Summary: API output containing <cross-domain-policy> is
                    corrupted in non-XML formats
           Product: MediaWiki
           Version: 1.24-git
          Hardware: All
               URL: https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E
                OS: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: API
          Assignee: wikibugs-l@lists.wikimedia.org
          Reporter: pleasest...@live.com
                CC: bjor...@wikimedia.org, bryan.tongm...@gmail.com,
                    cste...@wikimedia.org, roan.katt...@gmail.com,
                    s...@reedyboy.net
       Web browser: ---
   Mobile Platform: ---

The wfMangleFlashPolicy() function in OutputHandler.php corrupts API output
containing "<cross-domain-policy>" by replacing the string with
"<NOT-cross-domain-policy>".

https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E

https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&diff=540155307&oldid=540154194

In 2007, wfMangleFlashPolicy() was added in r19996. About a year later, Adobe
addressed the vulnerability in Flash Player, and six years have since passed.

According to Adobe's website, by default Flash Player 10 only allows
crossdomain.xml at the root ("master-only" meta-policy). So it may be possible
simply to remove the check, which already fails to work on many PHP
configurations (e.g. output_buffering = 4096 from the sample php.ini files).
There is also an "X-Permitted-Cross-Domain-Policies" header that can be sent.

https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.edu.html

Alternatively, ApiFormatJson could be changed to hex-escape < and > (by
removing the FormatJson::XMLMETA_OK flag), though that would do nothing to fix
the other (deprecated?) non-XML output formats (e.g. PHP), action=raw, and so
on.
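
An added example (not MediaWiki's code and not part of the report) contrasting the two behaviours described above: string replacement applied to already-serialized JSON, versus hex-escaping < and > at encode time. mangle_flash_policy() is a hypothetical stand-in for the replacement the report describes, PHP's JSON_HEX_TAG stands in for MediaWiki's own escaping, and the result array is constructed.

```php
<?php
// Hypothetical stand-in for the replacement described in the report:
// rewrite the literal tag wherever it appears in the output buffer.
function mangle_flash_policy(string $s): string {
    return str_replace('<cross-domain-policy>', '<NOT-cross-domain-policy>', $s);
}

// Serialize without escaping < and >, then filter the output buffer.
function render_unescaped(array $data): string {
    return mangle_flash_policy(json_encode($data));
}

// Serialize with < and > hex-escaped (\u003C / \u003E), then apply the
// same filter; the literal tag never reaches it.
function render_hex_escaped(array $data): string {
    return mangle_flash_policy(json_encode($data, JSON_HEX_TAG));
}

// Decode a response body and return the page title a client would see.
function title_of(string $json): string {
    $decoded = json_decode($json, true);
    return $decoded['query']['pages']['-1']['title'];
}

// Constructed API-style result for the title used in the report's URL.
$title  = '<cross-domain-policy>';
$result = ['query' => ['pages' => ['-1' => ['title' => $title]]]];

foreach (['unescaped' => 'render_unescaped', 'hex-escaped' => 'render_hex_escaped'] as $name => $render) {
    $body = $render($result);
    printf(
        "%-12s body=%s\n             literal tag in body: %s, title round-trips: %s\n",
        $name,
        $body,
        strpos($body, $title) !== false ? 'yes' : 'no',
        title_of($body) === $title ? 'yes' : 'no'
    );
}
```

In the unescaped case the client decodes a title that no longer matches the requested one; in the hex-escaped case the body contains no literal tag and the decoded title is unchanged.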
