r55180 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r55179‎ \| r55180 \| r55181 >
Date:	13:29, 17 August 2009
Author:	tstarling
Status:	ok
Tags:
Comment:	Merged r55178 (second attempt). Removed live patch to make secure.wikimedia.org work, it should work now with trunk.
Modified paths:	/branches/wmf-deployment (modified) (history) /branches/wmf-deployment/CREDITS (modified) (history) /branches/wmf-deployment/RELEASE-NOTES (modified) (history) /branches/wmf-deployment/api.php (modified) (history) /branches/wmf-deployment/extensions (modified) (history) /branches/wmf-deployment/extensions/CentralAuth (modified) (history) /branches/wmf-deployment/extensions/CodeReview (modified) (history) /branches/wmf-deployment/extensions/HoneypotIntegration (modified) (history) /branches/wmf-deployment/extensions/MWSearch (modified) (history) /branches/wmf-deployment/extensions/SecurePoll (modified) (history) /branches/wmf-deployment/extensions/SecurePoll/cli/wm-scripts (modified) (history) /branches/wmf-deployment/extensions/TitleKey (modified) (history) /branches/wmf-deployment/includes/ConfEditor.php (modified) (history) /branches/wmf-deployment/includes/RawPage.php (modified) (history) /branches/wmf-deployment/includes/Skin.php (modified) (history) /branches/wmf-deployment/includes/WebRequest.php (modified) (history) /branches/wmf-deployment/includes/api/ApiQueryCategoryMembers.php (modified) (history) /branches/wmf-deployment/includes/specials (modified) (history) /branches/wmf-deployment/includes/specials/SpecialSearch.php (modified) (history) /branches/wmf-deployment/includes/specials/SpecialUserrights.php (modified) (history) /branches/wmf-deployment/languages/messages/MessagesCkb_arab.php (modified) (history) /branches/wmf-deployment/languages/messages/MessagesPnb.php (modified) (history) /branches/wmf-deployment/skins/Vector.php (modified) (history) /branches/wmf-deployment/skins/monobook (modified) (history) /branches/wmf-deployment/skins/vector (modified) (history)

Diff [purge]

Index: branches/wmf-deployment/api.php
—	—	@@ -49,25 +49,10 @@
50	50	// which will end up triggering HTML detection and execution, hence
51	51	// XSS injection and all that entails.
52	52	//
53		~~-// Ensure that all access is through the canonical entry point...~~
54		~~-//~~
55		~~-if( isset( $_SERVER['SCRIPT_NAME'] ) ) {~~
56		~~- $url = $_SERVER['SCRIPT_NAME'];~~
57		~~-} else {~~
58		~~- $url = $_SERVER['URL'];~~
59		-}
60		-
61		~~-// Live-hack to let api.php work with secure.wikimedia.org~~
62		~~-// Andrew 2009-06-17~~
63		~~-if (substr( $wgServer, 0, 5 ) == 'https') {~~
64		~~- $url = "/$site/$lang$url";~~
65		-}
66		~~-// End live hack~~
67		-
68		~~-if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {~~
	53	+if( $wgRequest->isPathInfoBad() ) {
69	54	wfHttpError( 403, 'Forbidden',
70		~~- 'API must be accessed through the primary script entry point. Expected '.~~
71		~~- "$wgScriptPath/api$wgScriptExtension but got $url" );~~
	55	+ 'Invalid file extension found in PATH_INFO. ' .
	56	+ 'The API must be accessed through the primary script entry point.' );
72	57	return;
73	58	}
74	59
Property changes on: branches/wmf-deployment/languages/messages/MessagesCkb_arab.php
___________________________________________________________________
Modified: svn:mergeinfo
75	60	Merged /trunk/phase3/languages/messages/MessagesCkb_arab.php:r55178
Property changes on: branches/wmf-deployment/languages/messages/MessagesPnb.php
___________________________________________________________________
Modified: svn:mergeinfo
76	61	Merged /trunk/phase3/languages/messages/MessagesPnb.php:r55178
Index: branches/wmf-deployment/RELEASE-NOTES
—	—	@@ -205,6 +205,8 @@
206	206	* Log in and log out links no longer return to page view when clicked from
207	207	history view, edit page, or something similar
208	208	* (bug 18708) CSS plainlinks class now available to all skins
	209	+* Fixed XSS vulnerability for Internet Explorer clients (only pre-release
	210	+ versions of MediaWiki were affected).
209	211
210	212	== API changes in 1.16 ==
211	213
Property changes on: branches/wmf-deployment/skins/Vector.php
___________________________________________________________________
Modified: svn:mergeinfo
212	214	Merged /trunk/phase3/skins/Vector.php:r55178
Property changes on: branches/wmf-deployment/skins/vector
___________________________________________________________________
Modified: svn:mergeinfo
213	215	Merged /trunk/phase3/skins/vector:r55178
Property changes on: branches/wmf-deployment/skins/monobook
___________________________________________________________________
Modified: svn:mergeinfo
214	216	Merged /trunk/phase3/skins/monobook:r55178
Index: branches/wmf-deployment/CREDITS
—	—	@@ -63,7 +63,6 @@
64	64	* Brent G
65	65	* Brianna Laugher
66	66	* Carlin
67		~~-* Chris Wrinn~~
68	67	* church of emacs
69	68	* Daniel Arnold
70	69	* Danny B.
Property changes on: branches/wmf-deployment/extensions/CodeReview
___________________________________________________________________
Modified: svn:mergeinfo
71	70	Merged /trunk/phase3/extensions/CodeReview:r55178
Property changes on: branches/wmf-deployment/extensions/HoneypotIntegration
___________________________________________________________________
Modified: svn:mergeinfo
72	71	Merged /trunk/phase3/extensions/HoneypotIntegration:r55178
Property changes on: branches/wmf-deployment/extensions/CentralAuth
___________________________________________________________________
Modified: svn:mergeinfo
73	72	Merged /trunk/phase3/extensions/CentralAuth:r55178
Property changes on: branches/wmf-deployment/extensions/TitleKey
___________________________________________________________________
Modified: svn:mergeinfo
74	73	Merged /trunk/phase3/extensions/TitleKey:r55178
Property changes on: branches/wmf-deployment/extensions/MWSearch
___________________________________________________________________
Modified: svn:mergeinfo
75	74	Merged /trunk/phase3/extensions/MWSearch:r55178
Property changes on: branches/wmf-deployment/extensions/SecurePoll/cli/wm-scripts
___________________________________________________________________
Modified: svn:mergeinfo
76	75	Merged /trunk/phase3/extensions/SecurePoll/cli/wm-scripts:r55178
Property changes on: branches/wmf-deployment/extensions/SecurePoll
___________________________________________________________________
Modified: svn:mergeinfo
77	76	Merged /trunk/phase3/extensions/SecurePoll:r55178
Property changes on: branches/wmf-deployment/extensions
___________________________________________________________________
Modified: svn:mergeinfo
78	77	Merged /trunk/phase3/extensions:r55178
Property changes on: branches/wmf-deployment/includes/specials/SpecialSearch.php
___________________________________________________________________
Modified: svn:mergeinfo
79	78	Merged /trunk/phase3/includes/specials/SpecialSearch.php:r55178
Property changes on: branches/wmf-deployment/includes/specials/SpecialUserrights.php
___________________________________________________________________
Modified: svn:mergeinfo
80	79	Merged /trunk/phase3/includes/specials/SpecialUserrights.php:r55178
Property changes on: branches/wmf-deployment/includes/specials
___________________________________________________________________
Modified: svn:mergeinfo
81	80	Merged /trunk/phase3/includes/specials:r55178
Property changes on: branches/wmf-deployment/includes/Skin.php
___________________________________________________________________
Modified: svn:mergeinfo
82	81	Merged /trunk/phase3/includes/Skin.php:r55178
Index: branches/wmf-deployment/includes/WebRequest.php
—	—	@@ -662,6 +662,33 @@
663	663	function setSessionData( $key, $data ) {
664	664	$_SESSION[$key] = $data;
665	665	}
	666	+
	667	+ /**
	668	+ * Returns true if the PATH_INFO ends with an extension other than a script
	669	+ * extension. This could confuse IE for scripts that send arbitrary data which
	670	+ * is not HTML but may be detected as such.
	671	+ *
	672	+ * Various past attempts to use the URL to make this check have generally
	673	+ * run up against the fact that CGI does not provide a standard method to
	674	+ * determine the URL. PATH_INFO may be mangled (e.g. if cgi.fix_pathinfo=0),
	675	+ * but only by prefixing it with the script name and maybe some other stuff,
	676	+ * the extension is not mangled. So this should be a reasonably portable
	677	+ * way to perform this security check.
	678	+ */
	679	+ public function isPathInfoBad() {
	680	+ global $wgScriptExtension;
	681	+
	682	+ if ( !isset( $_SERVER['PATH_INFO'] ) ) {
	683	+ return false;
	684	+ }
	685	+ $pi = $_SERVER['PATH_INFO'];
	686	+ $dotPos = strrpos( $pi, '.' );
	687	+ if ( $dotPos === false ) {
	688	+ return false;
	689	+ }
	690	+ $ext = substr( $pi, $dotPos );
	691	+ return !in_array( $ext, array( $wgScriptExtension, '.php', '.php5' ) );
	692	+ }
666	693	}
667	694
668	695	/**
—	—	@@ -730,4 +757,8 @@
731	758	$this->notImplemented( __METHOD__ );
732	759	}
733	760
	761	+ public function isPathInfoBad() {
	762	+ return false;
	763	+ }
	764	+
734	765	}
Property changes on: branches/wmf-deployment/includes/ConfEditor.php
___________________________________________________________________
Modified: svn:mergeinfo
735	766	Merged /trunk/phase3/includes/ConfEditor.php:r55178
Property changes on: branches/wmf-deployment/includes/api/ApiQueryCategoryMembers.php
___________________________________________________________________
Modified: svn:mergeinfo
736	767	Merged /trunk/phase3/includes/api/ApiQueryCategoryMembers.php:r55178
Index: branches/wmf-deployment/includes/RawPage.php
—	—	@@ -109,34 +109,9 @@
110	110	}
111	111
112	112	function view() {
113		~~- global $wgOut, $wgScript;~~
	113	+ global $wgOut, $wgScript, $wgRequest;
114	114
115		~~- if( isset( $_SERVER['SCRIPT_URL'] ) ) {~~
116		~~- # Normally we use PHP_SELF to get the URL to the script~~
117		~~- # as it was called, minus the query string.~~
118		~~- #~~
119		~~- # Some sites use Apache rewrite rules to handle subdomains,~~
120		~~- # and have PHP set up in a weird way that causes PHP_SELF~~
121		~~- # to contain the rewritten URL instead of the one that the~~
122		~~- # outside world sees.~~
123		~~- #~~
124		~~- # If in this mode, use SCRIPT_URL instead, which mod_rewrite~~
125		~~- # provides containing the "before" URL.~~
126		~~- $url = $_SERVER['SCRIPT_URL'];~~
127		~~- } else {~~
128		~~- $url = $_SERVER['PHP_SELF'];~~
129		~~- }~~
130		-
131		~~- if( $url == '' ) {~~
132		~~- # This will make the next check fail with a confusing error~~
133		~~- # message, so we should mention it separately.~~
134		~~- wfHttpError( 500, 'Internal Server Error',~~
135		~~- "\$_SERVER['PHP_SELF'] is not set. Perhaps you're using CGI" .~~
136		~~- " and haven't set cgi.fix_pathinfo = 1 in php.ini?" );~~
137		~~- return;~~
138		~~- }~~
139		-
140		~~- if( strcmp( $wgScript, $url ) ) {~~
	115	+ if( $wgRequest->isPathInfoBad() ) {
141	116	# Internet Explorer will ignore the Content-Type header if it
142	117	# thinks it sees a file extension it recognizes. Make sure that
143	118	# all raw requests are done through the script node, which will
—	—	@@ -150,6 +125,7 @@
151	126	#
152	127	# Just return a 403 Forbidden and get it over with.
153	128	wfHttpError( 403, 'Forbidden',
	129	+ 'Invalid file extension found in PATH_INFO. ' .
154	130	'Raw pages must be accessed through the primary script entry point.' );
155	131	return;
156	132	}
Property changes on: branches/wmf-deployment
___________________________________________________________________
Modified: svn:mergeinfo
157	133	Merged /trunk/phase3:r55178

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r55178	* Fixed XSS vulnerability introduced by r49833. Only pre-release versions of ...	tstarling	13:23, 17 August 2009

Status & tagging log

00:32, 15 September 2009 Brion VIBBER (talk | contribs) changed the status of r55180 [removed: new added: ok]