r10833 MediaWiki - Code Review archive

Repository:MediaWiki
Date:23:34, 29 August 2005
Author:vibber
Status:old
Tags:
Comment:
* Security fix for <math>
* Security fix for tables
Modified paths:
  • /trunk/phase3/RELEASE-NOTES (modified) (history)
  • /trunk/phase3/includes/Article.php (modified) (history)
  • /trunk/phase3/includes/Parser.php (modified) (history)
  • /trunk/phase3/maintenance/parserTests.inc (modified) (history)
  • /trunk/phase3/maintenance/parserTests.txt (modified) (history)


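--- a/trunk/phase3/maintenance/parserTests.inc
+++ b/trunk/phase3/maintenance/parserTests.inc
@@ -303,6 +303,7 @@
 'wgDefaultUserOptions' => array(),
 'wgNoFollowLinks' => true,
 'wgThumbnailScriptPath' => false,
+'wgUseTeX' => false,
 );
 $this->savedGlobals = array();
 foreach( $settings as $var => $val ) {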
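--- a/trunk/phase3/maintenance/parserTests.txt
+++ b/trunk/phase3/maintenance/parserTests.txt
@@ -2598,6 +2598,45 @@
 !! end
 
 
+!! test
+Math section safety when disabled
+!! input
+<math><script>alert(document.cookies);</script></math>
+!! result
+<p>&lt;math&gt;&lt;script&gt;alert(document.cookies);&lt;/script&gt;&lt;/math&gt;
+</p>
+!! end
+
+
+!! test
+Table attribute legitimate extension
+!! input
+{|
+!+ style="<nowiki>color:blue</nowiki>"| status
+|}
+!! result
+<table>
+<tr>
+<th style="color:blue"> status
+</th></tr></table>
+
+!!end
+
+!! test
+Table attribute safety
+!! input
+{|
+!+ style="<nowiki>border-width:expression(0+alert(document.cookie))</nowiki>"| status
+|}
+!! result
+<table>
+<tr>
+<th> status
+</th></tr></table>
+
+!! end
+
+
 TODO:
 more images
 more tables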
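Review bot: The closing marker of the "Table attribute legitimate extension" case is written `!!end` (new line 2624) while every other case in this hunk uses `!! end`; if the harness matches the marker text literally rather than with optional whitespace, this case would not be terminated where intended and the following case could be absorbed into its expected output. Changing it to `!! end` costs nothing and removes the doubt. The "Table attribute safety" expectation (`<th> status`) pins that the whole `style` attribute is dropped rather than only the `expression(...)` value, which is the right level to test since it does not depend on how the sanitizer rewrites the value.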
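--- a/trunk/phase3/includes/Article.php
+++ b/trunk/phase3/includes/Article.php
@@ -173,6 +173,7 @@
 $striparray=array();
 $parser=new Parser();
 $parser->mOutputType=OT_WIKI;
+$parser->mOptions = new ParserOptions();
 $striptext=$parser->strip($text, $striparray, true);
 
 # now that we can be sure that no pseudo-sections are in the source,
@@ -1138,6 +1139,7 @@
 $striparray=array();
 $parser=new Parser();
 $parser->mOutputType=OT_WIKI;
+$parser->mOptions = new ParserOptions();
 $oldtext=$parser->strip($oldtext, $striparray, true);
 
 # now that we can be sure that no pseudo-sections are in the source,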
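Review bot: Both hunks (at old lines 173 and 1138) repeat the same four-line setup — `new Parser()`, `mOutputType=OT_WIKI`, `mOptions = new ParserOptions()`, then `strip()` — so the new `mOptions` assignment had to be made in two places, and any future requirement of `strip()` will again need to be added to both. A small private helper on Article that returns the stripped wikitext would keep the two call sites in step. The assignment itself is there because `strip()` now reads `$this->mOptions->getUseTeX()` to decide whether `<math>` is extracted at all; a one-line comment such as `# strip() consults $this->mOptions (getUseTeX) for <math> handling` would stop a later cleanup from removing a line that otherwise looks unused. Both enclosing functions start and end outside the hunks.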
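--- a/trunk/phase3/includes/Parser.php
+++ b/trunk/phase3/includes/Parser.php
@@ -377,16 +377,14 @@
 }
 
 # math
-$text = Parser::extractTags('math', $text, $math_content, $uniq_prefix);
-foreach( $math_content as $marker => $content ){
-if( $render ) {
-if( $this->mOptions->getUseTeX() ) {
+if( $this->mOptions->getUseTeX() ) {
+$text = Parser::extractTags('math', $text, $math_content, $uniq_prefix);
+foreach( $math_content as $marker => $content ){
+if( $render ) {
 $math_content[$marker] = renderMath( $content );
 } else {
-$math_content[$marker] = '&lt;math&gt;'.$content.'&lt;math&gt;';
+$math_content[$marker] = '<math>'.$content.'</math>';
 }
-} else {
-$math_content[$marker] = '<math>'.$content.'</math>';
 }
 }
 
@@ -658,8 +656,11 @@
 $fc = substr ( $x , 0 , 1 ) ;
 if ( preg_match( '/^(:*)\{\|(.*)$/', $x, $matches ) ) {
 $indent_level = strlen( $matches[1] );
+
+$attributes = $this->unstripForHTML( $matches[2] );
+
 $t[$k] = str_repeat( '<dl><dd>', $indent_level ) .
-'<table' . Sanitizer::fixTagAttributes ( $matches[2], 'table' ) . '>' ;
+'<table' . Sanitizer::fixTagAttributes ( $attributes, 'table' ) . '>' ;
 array_push ( $td , false ) ;
 array_push ( $ltd , '' ) ;
 array_push ( $tr , false ) ;
@@ -686,7 +687,8 @@
 array_push ( $tr , false ) ;
 array_push ( $td , false ) ;
 array_push ( $ltd , '' ) ;
-array_push ( $ltr , Sanitizer::fixTagAttributes ( $x, 'tr' ) ) ;
+$attributes = $this->unstripForHTML( $x );
+array_push ( $ltr , Sanitizer::fixTagAttributes ( $attributes, 'tr' ) ) ;
 }
 else if ( '|' == $fc || '!' == $fc || '|+' == substr ( $x , 0 , 2 ) ) { # Caption
 # $x is a table row
@@ -728,7 +730,10 @@
 }
 if ( count ( $y ) == 1 )
 $y = "{$z}<{$l}>{$y[0]}" ;
-else $y = $y = "{$z}<{$l}".Sanitizer::fixTagAttributes($y[0], $l).">{$y[1]}" ;
+else {
+$attributes = $this->unstripForHTML( $y[0] );
+$y = "{$z}<{$l}".Sanitizer::fixTagAttributes($attributes, $l).">{$y[1]}" ;
+}
 $t[$k] .= $y ;
 array_push ( $td , true ) ;
 }
@@ -3307,6 +3312,11 @@
 */
 function attributeStripCallback( &$text, $args ) {
 $text = $this->replaceVariables( $text, $args );
+$text = $this->unstripForHTML( $text );
+return $text;
+}
+
+function unstripForHTML( $text ) {
 $text = $this->unstrip( $text, $this->mStripState );
 $text = $this->unstripNoWiki( $text, $this->mStripState );
 return $text;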
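Review bot: `unstripForHTML` (new line 3320) has no docblock, while the neighbouring `attributeStripCallback` does, and the reason it exists is a security invariant the code never states: strip markers and `<nowiki>` content in attribute text must be expanded before `Sanitizer::fixTagAttributes` runs, because a marker presumably passes the sanitizer untouched and its hidden content is put back verbatim afterwards (the table hunks at new lines 661, 691 and 735 all apply exactly this ordering, and the "Table attribute safety" parser test exercises it). Suggest a docblock such as `/** Expand strip markers and <nowiki> in $text so the result can be sanitized as HTML; call before Sanitizer::fixTagAttributes, never after. @param string $text @return string */`. In the `<math>` hunk, the `$render` false branch now rebuilds the tag as `'<math>'.$content.'</math>'`; a short comment that this is wikitext-mode (OT_WIKI) output rather than HTML would keep someone from "fixing" it back to the entity-escaped form old line 387 used, which was also malformed (`&lt;math&gt;` for the closing tag). The enclosing `strip()` and the table-processing function start and end outside these hunks.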
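--- a/trunk/phase3/RELEASE-NOTES
+++ b/trunk/phase3/RELEASE-NOTES
@@ -72,7 +72,10 @@
 * Fix interlanguage links on special pages when extra namespaces configured
 * IP privacy fix for blocklist search on autoblocks
 * Support for a license selection box on Special:Upload, configurable from MediaWiki:Licenses
+* Security fix for <math>
+* Security fix for tables
 
+
 === Caveats ===
 
 Some output, particularly involving user-supplied inline HTML, may not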
