r104505 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r104504‎ | r104505 | r104506 >
Date:23:18, 28 November 2011
Author:reedy
Status:ok (Comments)
Tags:
Comment:
* (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine wheter a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would
allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis.
Modified paths:
  • /trunk/phase3/includes/AjaxDispatcher.php (modified) (history)
  • /trunk/phase3/includes/OutputPage.php (modified) (history)
  • /trunk/phase3/includes/SkinTemplate.php (modified) (history)
  • /trunk/phase3/includes/Wiki.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/OutputPage.php
@@ -2029,7 +2029,13 @@
20302030 || ( isset( $wgGroupPermissions['autoconfirmed'][$action] ) && $wgGroupPermissions['autoconfirmed'][$action] ) )
20312031 ) {
20322032 $displayReturnto = null;
2033 - $returnto = $this->getTitle();
 2033+
 2034+ # Due to bug 32276, if a user does not have read permissions,
 2035+ # $this->getTitle() will just give Special:Badtitle, which is
 2036+ # not especially useful as a returnto parameter. Use the title
 2037+ # from the request instead, if there was one.
 2038+ $request = $this->getRequest();
 2039+ $returnto = Title::newFromURL( $request->getVal( 'title', '' ) );
20342040 if ( $action == 'edit' ) {
20352041 $msg = 'whitelistedittext';
20362042 $displayReturnto = $returnto;
@@ -2043,9 +2049,10 @@
20442050 }
20452051
20462052 $query = array();
 2053+
20472054 if ( $returnto ) {
20482055 $query['returnto'] = $returnto->getPrefixedText();
2049 - $request = $this->getRequest();
 2056+
20502057 if ( !$request->wasPosted() ) {
20512058 $returntoquery = $request->getValues();
20522059 unset( $returntoquery['title'] );
Index: trunk/phase3/includes/AjaxDispatcher.php
@@ -68,7 +68,7 @@
6969 * request.
7070 */
7171 function performAction() {
72 - global $wgAjaxExportList, $wgOut;
 72+ global $wgAjaxExportList, $wgOut, $wgUser;
7373
7474 if ( empty( $this->mode ) ) {
7575 return;
@@ -84,6 +84,13 @@
8585 'Bad Request',
8686 "unknown function " . (string) $this->func_name
8787 );
 88+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
 89+ && !$wgUser->isAllowed( 'read' ) )
 90+ {
 91+ wfHttpError(
 92+ 403,
 93+ 'Forbidden',
 94+ 'You must log in to view pages.' );
8895 } else {
8996 wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
9097
Index: trunk/phase3/includes/Wiki.php
@@ -133,7 +133,7 @@
134134 * @return void
135135 */
136136 private function performRequest() {
137 - global $wgServer, $wgUsePathInfo;
 137+ global $wgServer, $wgUsePathInfo, $wgTitle;
138138
139139 wfProfileIn( __METHOD__ );
140140
@@ -163,6 +163,20 @@
164164 // We will check again in Article::view().
165165 $permErrors = $title->getUserPermissionsErrors( 'read', $user );
166166 if ( count( $permErrors ) ) {
 167+ // Bug 32276: allowing the skin to generate output with $wgTitle or
 168+ // $this->context->title set to the input title would allow anonymous users to
 169+ // determine whether a page exists, potentially leaking private data. In fact, the
 170+ // curid and oldid request parameters would allow page titles to be enumerated even
 171+ // when they are not guessable. So we reset the title to Special:Badtitle before the
 172+ // permissions error is displayed.
 173+ //
 174+ // The skin mostly uses $this->context->getTitle() these days, but some extensions
 175+ // still use $wgTitle.
 176+
 177+ $badTitle = SpecialPage::getTitleFor( 'Badtitle' );
 178+ $this->context->setTitle( $badTitle );
 179+ $wgTitle = $badTitle;
 180+
167181 wfProfileOut( __METHOD__ );
168182 throw new PermissionsError( 'read', $permErrors );
169183 }
Index: trunk/phase3/includes/SkinTemplate.php
@@ -544,11 +544,19 @@
545545 /* set up the default links for the personal toolbar */
546546 $personal_urls = array();
547547
548 - $page = $request->getVal( 'returnto', $this->thispage );
549 - $query = $request->getVal( 'returntoquery', $this->thisquery );
550 - $a = array( 'returnto' => $page );
551 - if( $query != '' ) {
552 - $a['returntoquery'] = $query;
 548+ # Due to bug 32276, if a user does not have read permissions,
 549+ # $this->getTitle() will just give Special:Badtitle, which is
 550+ # not especially useful as a returnto parameter. Use the title
 551+ # from the request instead, if there was one.
 552+ $page = Title::newFromURL( $request->getVal( 'title', '' ) );
 553+ $page = $request->getVal( 'returnto', $page );
 554+ $a = array();
 555+ if ( strval( $page ) !== '' ) {
 556+ $a['returnto'] = $page;
 557+ $query = $request->getVal( 'returntoquery', $this->thisquery );
 558+ if( $query != '' ) {
 559+ $a['returntoquery'] = $query;
 560+ }
553561 }
554562 $returnto = wfArrayToCGI( $a );
555563 if( $this->loggedin ) {

Follow-up revisions

RevisionCommit summaryAuthorDate
r104506* (bug 32276) Skins were generating output using the internal page title whic...reedy23:28, 28 November 2011
r104508* (bug 32276) Skins were generating output using the internal page title whic...reedy23:30, 28 November 2011
r104509* (bug 32276) Skins were generating output using the internal page title whic...reedy23:31, 28 November 2011
r106170Bug 32709: private Wiki users were always taken to Special:Badtitle on login...hashar09:41, 14 December 2011
r106171Bug 32709: private Wiki users were always taken to Special:Badtitle on login...hashar09:41, 14 December 2011

Comments

#Comment by Hashar (talk | contribs)   23:55, 28 November 2011

Part of this patch was originally made by IAlex and reviewed/amended by Tim Starling and myself.

Status & tagging log