r104508 MediaWiki - Code Review archive

Repository:MediaWiki
Revision:r104507‎ | r104508 | r104509 >
Date:23:30, 28 November 2011
Author:reedy
Status:ok
Tags:
Comment:
* (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine wheter a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would
allow page titles to be enumerated even when they are not guessable.
* (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis
Modified paths:
  • /branches/REL1_18/phase3/includes/AjaxDispatcher.php (modified) (history)
  • /branches/REL1_18/phase3/includes/SkinTemplate.php (modified) (history)
  • /branches/REL1_18/phase3/includes/Wiki.php (modified) (history)

Diff [purge]

Index: branches/REL1_18/phase3/includes/AjaxDispatcher.php
@@ -68,7 +68,7 @@
6969 * request.
7070 */
7171 function performAction() {
72 - global $wgAjaxExportList, $wgOut;
 72+ global $wgAjaxExportList, $wgOut, $wgUser;
7373
7474 if ( empty( $this->mode ) ) {
7575 return;
@@ -84,6 +84,13 @@
8585 'Bad Request',
8686 "unknown function " . (string) $this->func_name
8787 );
 88+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
 89+ && !$wgUser->isAllowed( 'read' ) )
 90+ {
 91+ wfHttpError(
 92+ 403,
 93+ 'Forbidden',
 94+ 'You must log in to view pages.' );
8895 } else {
8996 wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
9097
Index: branches/REL1_18/phase3/includes/Wiki.php
@@ -128,7 +128,7 @@
129129 * @return void
130130 */
131131 private function performRequest() {
132 - global $wgServer, $wgUsePathInfo;
 132+ global $wgServer, $wgUsePathInfo, $wgTitle;
133133
134134 wfProfileIn( __METHOD__ );
135135
@@ -145,7 +145,6 @@
146146
147147 wfRunHooks( 'BeforeInitialize',
148148 array( &$title, null, &$output, &$user, $request, $this ) );
149 -
150149 // Invalid titles. Bug 21776: The interwikis must redirect even if the page name is empty.
151150 if ( is_null( $title ) || ( $title->getDBkey() == '' && $title->getInterwiki() == '' ) ||
152151 $title->isSpecial( 'Badtitle' ) )
@@ -157,6 +156,16 @@
158157 // the Read array in order for the user to see it. (We have to check here to
159158 // catch special pages etc. We check again in Article::view())
160159 } elseif ( !$title->userCanRead() ) {
 160+ // Bug 32276: allowing the skin to generate output with $wgTitle
 161+ // set to the input title would allow anonymous users to
 162+ // determine whether a page exists, potentially leaking private data. In fact, the
 163+ // curid and oldid request parameters would allow page titles to be enumerated even
 164+ // when they are not guessable. So we reset the title to Special:Badtitle before the
 165+ // permissions error is displayed.
 166+ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
 167+ $output->setTitle( $badtitle );
 168+ $wgTitle = $badtitle;
 169+
161170 $output->loginToUse();
162171 // Interwiki redirects
163172 } elseif ( $title->getInterwiki() != '' ) {
Index: branches/REL1_18/phase3/includes/SkinTemplate.php
@@ -580,11 +580,19 @@
581581 /* set up the default links for the personal toolbar */
582582 $personal_urls = array();
583583
584 - $page = $wgRequest->getVal( 'returnto', $this->thispage );
585 - $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
586 - $a = array( 'returnto' => $page );
587 - if( $query != '' ) {
588 - $a['returntoquery'] = $query;
 584+ # Due to bug 32276, if a user does not have read permissions,
 585+ # $this->getTitle() will just give Special:Badtitle, which is
 586+ # not especially useful as a returnto parameter. Use the title
 587+ # from the request instead, if there was one.
 588+ $page = Title::newFromURL( $wgRequest->getVal( 'title', '' ) );
 589+ $page = $wgRequest->getVal( 'returnto', $page );
 590+ $a = array();
 591+ if ( strval( $page ) !== '' ) {
 592+ $a['returnto'] = $page;
 593+ $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
 594+ if( $query != '' ) {
 595+ $a['returntoquery'] = $query;
 596+ }
589597 }
590598 $returnto = wfArrayToCGI( $a );
591599 if( $this->loggedin ) {

Follow-up revisions

RevisionCommit summaryAuthorDate
r104509* (bug 32276) Skins were generating output using the internal page title whic...reedy23:31, 28 November 2011
r104511Tagging REL1_18_0 from r104508reedy23:37, 28 November 2011
r106170Bug 32709: private Wiki users were always taken to Special:Badtitle on login...hashar09:41, 14 December 2011
r106171Bug 32709: private Wiki users were always taken to Special:Badtitle on login...hashar09:41, 14 December 2011

Past revisions this follows-up on

RevisionCommit summaryAuthorDate
r104505* (bug 32276) Skins were generating output using the internal page title whic...reedy23:18, 28 November 2011
r104506* (bug 32276) Skins were generating output using the internal page title whic...reedy23:28, 28 November 2011

Status & tagging log