Index: trunk/extensions/RSS/RSSHooks.php |
— | — | @@ -1,6 +1,7 @@ |
2 | 2 | <?php |
3 | 3 | |
4 | 4 | class RSSHooks { |
| 5 | + |
5 | 6 | /** |
6 | 7 | * Tell the parser how to handle <rss> elements |
7 | 8 | * @param $parser Parser Object |
— | — | @@ -20,7 +21,7 @@ |
21 | 22 | * @param $frame PPFrame parser context |
22 | 23 | */ |
23 | 24 | static function renderRss( $input, $args, $parser, $frame ) { |
24 | | - global $wgRSSCacheAge, $wgRSSCacheCompare, $wgRSSNamespaces, $wgRSSAllowedFeeds; |
| 25 | + global $wgRSSCacheAge, $wgRSSCacheCompare, $wgRSSNamespaces, $wgRSSUrlWhitelist; |
25 | 26 | |
26 | 27 | if ( is_array( $wgRSSNamespaces ) && count( $wgRSSNamespaces ) ) { |
27 | 28 | $ns = $parser->getTitle()->getNamespace(); |
— | — | @@ -31,10 +32,32 @@ |
32 | 33 | } |
33 | 34 | } |
34 | 35 | |
35 | | - if ( count( $wgRSSAllowedFeeds ) && !in_array( $input, $wgRSSAllowedFeeds ) ) { |
36 | | - return wfMsg( 'rss-url-permission' ); |
| 36 | + switch ( true ) { |
| 37 | + |
| 38 | + # disallow because there is no whitelist or emtpy whitelist |
| 39 | + case ( !isset( $wgRSSUrlWhitelist ) |
| 40 | + || !is_array( $wgRSSUrlWhitelist ) |
| 41 | + || ( count( $wgRSSUrlWhitelist ) === 0 ) ): |
| 42 | + return RSSUtils::RSSError( 'rss-empty-whitelist', |
| 43 | + $input |
| 44 | + ); |
| 45 | + break; |
| 46 | + |
| 47 | + # allow |
| 48 | + case ( in_array( "*", $wgRSSUrlWhitelist ) ): |
| 49 | + case ( in_array( $input, $wgRSSUrlWhitelist ) ): |
| 50 | + break; |
| 51 | + |
| 52 | + # otherwise disallow |
| 53 | + case ( !in_array( $input, $wgRSSUrlWhitelist ) ): |
| 54 | + default: |
| 55 | + $listOfAllowed = $parser->getFunctionLang()->listToText( $wgRSSUrlWhitelist ); |
| 56 | + $numberAllowed = $parser->getFunctionLang()->formatNum( count( $wgRSSUrlWhitelist ) ); |
| 57 | + return RSSUtils::RSSError( 'rss-url-is-not-whitelisted', |
| 58 | + array( $input, $listOfAllowed, $numberAllowed ) |
| 59 | + ); |
37 | 60 | } |
38 | | - |
| 61 | + |
39 | 62 | if ( !Http::isValidURI( $input ) ) { |
40 | 63 | return wfMsg( 'rss-invalid-url', htmlspecialchars( $input ) ); |
41 | 64 | } |
— | — | @@ -61,4 +84,5 @@ |
62 | 85 | |
63 | 86 | return $rss->renderFeed( $parser, $frame ); |
64 | 87 | } |
| 88 | + |
65 | 89 | } |
Index: trunk/extensions/RSS/RELEASE-NOTES |
— | — | @@ -13,6 +13,21 @@ |
14 | 14 | * bug 30028 "Error parsing XML for RSS" - improve and harden Extension:RSS when |
15 | 15 | parsing differently flavoured RSS feeds |
16 | 16 | |
| 17 | +=== Version 1.94 2012-02-23 === |
| 18 | +* changed white list definition and behaviour: |
| 19 | + |
| 20 | + 1. changed the name from $wgRSSAllowedFeeds to $wgRSSUrlWhitelist |
| 21 | + 2. behaviour has been changed |
| 22 | + |
| 23 | + the new behaviour is: |
| 24 | + $wgRSSUrlWhitelist is empty by default. Since version 1.94 it must be |
| 25 | + expressly set to an array( list-of-comma-separated-allowed-RSS-urls-strings ) |
| 26 | + or set to array( "*" ) if you want to allow any url |
| 27 | + |
| 28 | + the old behaviour was: |
| 29 | + $wgRSSAllowedFeeds was empty by default and empty meant that every Url |
| 30 | + was allowed by default. This has been changed, see new behaviour. |
| 31 | + |
17 | 32 | === Version 1.92 2012-02-13 === |
18 | 33 | * added optional date= attribute and $wgRSSDateDefaultFormat parameter |
19 | 34 | * added optional item-max-length= attribute and $wgRSSItemMaxLength parameter |
Index: trunk/extensions/RSS/RSSParser.php |
— | — | @@ -230,11 +230,33 @@ |
231 | 231 | $headers['If-Modified-Since'] = $lm; |
232 | 232 | } |
233 | 233 | |
234 | | - $client = HttpRequest::factory( $this->url, array( |
235 | | - 'timeout' => $wgRSSFetchTimeout, |
236 | | - 'proxy' => $wgRSSProxy |
| 234 | + /** |
| 235 | + * 'noProxy' can conditionally be set as shown in the commented |
| 236 | + * example below; in HttpRequest 'noProxy' takes precedence over |
| 237 | + * any value of 'proxy' and disables the use of a proxy. |
| 238 | + * |
| 239 | + * This is useful if you run the wiki in an intranet and need to |
| 240 | + * access external feed urls through a proxy but internal feed |
| 241 | + * urls must be accessed without a proxy. |
| 242 | + * |
| 243 | + * The general handling of such cases will be subject of a |
| 244 | + * forthcoming version. |
| 245 | + */ |
237 | 246 | |
238 | | - ) ); |
| 247 | + $url = $this->url; |
| 248 | + $noProxy = false; |
| 249 | + |
| 250 | + // Example for disabling proxy use for certain urls |
| 251 | + // $noProxy = preg_match( '!\.internal\.example\.com$!i', parse_url( $url, PHP_URL_HOST ) ); |
| 252 | + |
| 253 | + $client = HttpRequest::factory( $url, |
| 254 | + array( |
| 255 | + 'timeout' => $wgRSSFetchTimeout, |
| 256 | + 'proxy' => $wgRSSProxy, |
| 257 | + 'noProxy' => $noProxy, |
| 258 | + ) |
| 259 | + ); |
| 260 | + |
239 | 261 | $client->setUserAgent( $wgRSSUserAgent ); |
240 | 262 | foreach ( $headers as $header => $value ) { |
241 | 263 | $client->setHeader( $header, $value ); |
— | — | @@ -524,3 +546,25 @@ |
525 | 547 | return sprintf( $styleStart, $bgcolor[$index], $color[$index] ) . $match[0] . $styleEnd; |
526 | 548 | } |
527 | 549 | } |
| 550 | + |
| 551 | +class RSSUtils { |
| 552 | + |
| 553 | + /** |
| 554 | + * Output an error message, all wraped up nicely. |
| 555 | + * @param String $errorMessageName The system message that this error is |
| 556 | + * @param String|Array $param Error parameter (or parameters) |
| 557 | + * @return String Html that is the error. |
| 558 | + */ |
| 559 | + public static function RSSError( $errorMessageName, $param ) { |
| 560 | + |
| 561 | + // Anything from a parser tag should use Content lang for message, |
| 562 | + // since the cache doesn't vary by user language: do not use wfMsgForContent but wfMsgForContent |
| 563 | + // The ->parse() part makes everything safe from an escaping standpoint. |
| 564 | + |
| 565 | + return Html::rawElement( 'span', array( 'class' => 'error' ), |
| 566 | + "Extension:RSS -- Error: " . wfMessage( $errorMessageName )->inContentLanguage()->params( $param )->parse() |
| 567 | + ); |
| 568 | + |
| 569 | + } |
| 570 | + |
| 571 | +} |
Index: trunk/extensions/RSS/RSS.i18n.php |
— | — | @@ -20,7 +20,8 @@ |
21 | 21 | 'rss-invalid-url' => 'Not a valid URL: $1', |
22 | 22 | 'rss-parse-error' => 'Error parsing XML for RSS', |
23 | 23 | 'rss-ns-permission' => 'RSS is not allowed in this namespace', |
24 | | - 'rss-url-permission' => 'This URL is not allowed to be included', |
| 24 | + 'rss-url-is-not-whitelisted' => '"$1" is not in the whitelist of allowed feeds. {{PLURAL:$3|$2 is the only allowed feed|The allowed feeds are as follows: $2}}.', |
| 25 | + 'rss-empty-whitelist' => '"$1" is not in the whitelist of allowed feeds. There are no allowed feed URLs in the whitelist.', |
25 | 26 | 'rss-item' => '{{$1 | title = {{{title}}} | link = {{{link}}} | date = {{{date}}} | author = {{{author}}} | description = {{{description}}} }}', |
26 | 27 | 'rss-feed' => "<!-- the following are two alternative templates. The first is the basic default template for feeds -->; '''<span class='plainlinks'>[{{{link}}} {{{title}}}]</span>''' |
27 | 28 | : {{{description}}} |
— | — | @@ -33,6 +34,7 @@ |
34 | 35 | */ |
35 | 36 | $messages['qqq'] = array( |
36 | 37 | 'rss-invalid-url' => '$1 is the invalid URL for the RSS feed', |
| 38 | + 'etherpadlite-url-is-not-whitelisted' => "Error if url isn't in list of allowed urls. $1 is name of url specified by user, $2 is a comma separated list of allowed urls, $3 is the number of urls in the allowed list", |
37 | 39 | 'rss-feed' => "; $1 |
38 | 40 | : ''not to be localised'' |
39 | 41 | : The RSS extension substitutes this placeholder with the name of a template page. The content of this template page determines the final layout of the RSS feed on the rendered wiki page. The Extension:RSS currently uses 'MediaWiki:Rss-feed' as default for $1. This means that the content of [[MediaWiki:Rss-feed]] determines how RSS feed items are rendered. |
Index: trunk/extensions/RSS/RSS.php |
— | — | @@ -4,7 +4,7 @@ |
5 | 5 | * |
6 | 6 | * @file |
7 | 7 | * @ingroup Extensions |
8 | | - * @version 1.93 |
| 8 | + * @version 1.94 |
9 | 9 | * @author mutante, Daniel Kinzler, Rdb, Mafs, Thomas Gries, Alxndr, Chris Reigrut, K001 |
10 | 10 | * @author Kellan Elliott-McCrea <kellan@protest.net> -- author of MagpieRSS |
11 | 11 | * @author Jeroen De Dauw |
— | — | @@ -14,6 +14,8 @@ |
15 | 15 | * @link http://www.mediawiki.org/wiki/Extension:RSS Documentation |
16 | 16 | */ |
17 | 17 | |
| 18 | +define( "EXTENSION_RSS_VERSION", "1.94 20120223" ); |
| 19 | + |
18 | 20 | if ( !defined( 'MEDIAWIKI' ) ) { |
19 | 21 | die( "This is not a valid entry point.\n" ); |
20 | 22 | } |
— | — | @@ -26,7 +28,7 @@ |
27 | 29 | 'Rdb', 'Mafs', 'Alxndr', 'Thomas Gries', 'Chris Reigrut', |
28 | 30 | 'K001', 'Jack Phoenix', 'Jeroen De Dauw', 'Mark A. Hershberger' |
29 | 31 | ), |
30 | | - 'version' => '1.93 20120218', |
| 32 | + 'version' => EXTENSION_RSS_VERSION, |
31 | 33 | 'url' => 'https://www.mediawiki.org/wiki/Extension:RSS', |
32 | 34 | 'descriptionmsg' => 'rss-desc', |
33 | 35 | ); |
— | — | @@ -36,12 +38,13 @@ |
37 | 39 | $wgExtensionMessagesFiles['RSS'] = $dir . 'RSS.i18n.php'; |
38 | 40 | $wgAutoloadClasses['RSSHooks'] = $dir . 'RSSHooks.php'; |
39 | 41 | $wgAutoloadClasses['RSSParser'] = $dir . 'RSSParser.php'; |
| 42 | +$wgAutoloadClasses['RSSUtils'] = $dir . 'RSSParser.php'; |
40 | 43 | $wgAutoloadClasses['RSSData'] = $dir . 'RSSData.php'; |
41 | 44 | |
42 | 45 | $wgHooks['ParserFirstCallInit'][] = 'RSSHooks::parserInit'; |
43 | 46 | |
44 | | - // one hour |
45 | | - $wgRSSCacheAge = 3600; |
| 47 | +// one hour |
| 48 | +$wgRSSCacheAge = 3600; |
46 | 49 | |
47 | 50 | // Check cached content, if available, against remote. |
48 | 51 | // $wgRSSCacheCompare should be set to false or a timeout |
— | — | @@ -55,13 +58,26 @@ |
56 | 59 | // null (the default) means the <rss> tag can be used anywhere. |
57 | 60 | $wgRSSNamespaces = null; |
58 | 61 | |
59 | | -// URL whitelist of RSS Feeds: |
60 | | -// if there are items in the array, and the used URL isn't in the array, |
61 | | -// it will not be allowed (originally proposed in bug 27768) |
62 | | -$wgRSSAllowedFeeds = array(); |
| 62 | +// Whitelist of allowed RSS Urls |
| 63 | +// |
| 64 | +// If there are items in the array, and the user supplied URL is not in the array, |
| 65 | +// the url will not be allowed |
| 66 | +// |
| 67 | +// Urls are case-sensitively tested against values in the array. |
| 68 | +// They must exactly match including any trailing "/" character. |
| 69 | +// |
| 70 | +// Warning: Allowing all urls (not setting a whitelist) |
| 71 | +// may be a security concern. |
| 72 | +// |
| 73 | +// an empty or non-existent array means: no whitelist defined |
| 74 | +// this is the default: an empty whitelist. No servers are allowed by default. |
| 75 | +$wgRSSUrlWhitelist = array(); |
63 | 76 | |
| 77 | +// include "*" if you expressly want to allow all urls (you should not do this) |
| 78 | +// $wgRSSUrlWhitelist = array( "*" ); |
| 79 | + |
64 | 80 | // Agent to use for fetching feeds |
65 | | -$wgRSSUserAgent = 'MediaWikiRSS/0.02 (+http://www.mediawiki.org/wiki/Extension:RSS) / MediaWiki RSS extension'; |
| 81 | +$wgRSSUserAgent = "MediaWikiRSS/" . strtok( EXTENSION_RSS_VERSION, " " ) . " (+http://www.mediawiki.org/wiki/Extension:RSS) / MediaWiki RSS extension"; |
66 | 82 | |
67 | 83 | // Proxy server to use for fetching feeds |
68 | 84 | $wgRSSProxy = false; |