r24105 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r24104‎ \| r24105 \| r24106 >
Date:	04:57, 15 July 2007
Author:	amidaniel
Status:	old
Tags:
Comment:	Security fix: Previously it was possible to include unprotected and even content pages in site and user jss/css pages via action=raw. Now when requesting a page as text/javascript or text/css, if it should not contain such content, it simply returns '/* EMPTY */'.
Modified paths:	/trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/includes/RawPage.php (modified) (history)

Diff [purge]

Index: trunk/phase3/includes/RawPage.php
—	—	@@ -145,7 +145,14 @@
146	146	}
147	147
148	148	function getRawText() {
149		~~- global $wgUser, $wgOut, $wgRequest;~~
	149	+ global $wgUser, $wgOut, $wgRequest, $wgJsMimeType;
	150	+
	151	+ /* Disable retrieving content pages as raw js/css */
	152	+ $dangerousTypes = array( $wgJsMimeType, 'text/css' );
	153	+ if ( in_array( $this->mContentType, $dangerousTypes ) &&
	154	+ !($this->mTitle->isCssOrJsPage() \|\| $this->mTitle->isCssJsSubpage() ) )
	155	+ return '/* EMPTY */';
	156	+
150	157	if($this->mGen) {
151	158	$sk = $wgUser->getSkin();
152	159	$sk->initPage($wgOut);
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -293,6 +293,8 @@
294	294	* Don't show non-functional toolbar buttons on Opera 7 anymore
295	295	* (bug 9151) Fix relative subpage links with section fragments
296	296	* (bug 10560) Adding a space between category letter heading and "continues"
	297	+* Security fix: Disable retrieving pages as raw js/css that should not contain
	298	+ such content.
297	299
298	300	== API changes since 1.10 ==
299	301

Revision	Commit summary	Author	Date
r24202	Revert r24105, r24106, r24107 'security fix' forbidden text/css and text/java...	brion	15:50, 17 July 2007
r24215	Merged revisions 24095-24212 via svnmerge from...	david	21:19, 17 July 2007

15:20, 12 September 2011 Meno25 (talk | contribs) changed the status of r24105 [removed: ok added: old]