r68811 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r68810‎ \| r68811 \| r68812 >
Date:	03:05, 1 July 2010
Author:	bawolff
Status:	ok (Comments)
Tags:
Comment:	Some security fixes to the DynamicPageList (third party) extension I think there are other issues with this extension, but this addresses some of the most obvious XSS issues. I do not think the way this extension plays with $wgRawHtml is a good idea.
Modified paths:	/trunk/extensions/DynamicPageList/DPLMain.php (modified) (history)

Diff [purge]

Index: trunk/extensions/DynamicPageList/DPLMain.php
—	—	@@ -767,11 +767,11 @@
768	768	break;
769	769
770	770	case 'rowcolformat':
771		~~- $sRowColFormat = $sArg;~~
	771	+ $sRowColFormat = self::killHtmlTags( $sArg );
772	772	break;
773	773
774	774	case 'userdateformat':
775		~~- $sUserDateFormat = $sArg;~~
	775	+ $sUserDateFormat = self::killHtmlTags( $sArg );
776	776	break;
777	777
778	778	case 'escapelinks':
—	—	@@ -783,13 +783,14 @@
784	784	break;
785	785
786	786	case 'inlinetext':
787		~~- $sInlTxt = $sArg;~~
	787	+ $sInlTxt = self::killHtmlTags( $sArg );
788	788	break;
789	789
790	790	case 'format':
791	791	case 'listseparators':
792	792	// parsing of wikitext will happen at the end of the output phase
793	793	// we replace '\n' in the input by linefeed because wiki syntax depends on linefeeds
	794	+ $sArg = self::killHtmlTags( $sArg );
794	795	$sArg = str_replace( '\n', "\n", $sArg );
795	796	$sArg = str_replace( "¶", "\n", $sArg ); // the paragraph delimiter is utf8-escaped
796	797	$aListSeparators = explode( ',', $sArg, 4 );
—	—	@@ -873,25 +874,28 @@
874	875	case 'replaceintitle':
875	876	// we offer a possibility to replace some part of the title
876	877	$aReplaceInTitle = explode( ',', $sArg, 2 );
	878	+ if (isset($aReplaceInTitle[1])) {
	879	+ $aReplaceInTitle[1] = self::killHtmlTags( $aReplaceInTitle[1] );
	880	+ }
877	881	break;
878	882
879	883	case 'resultsheader':
880		~~- $sResultsHeader = $sArg;~~
	884	+ $sResultsHeader = self::killHtmlTags( $sArg );
881	885	break;
882	886	case 'resultsfooter':
883		~~- $sResultsFooter = $sArg;~~
	887	+ $sResultsFooter = self::killHtmlTags( $sArg );
884	888	break;
885	889	case 'noresultsheader':
886		~~- $sNoResultsHeader = $sArg;~~
	890	+ $sNoResultsHeader = self::killHtmlTags( $sArg );
887	891	break;
888	892	case 'noresultsfooter':
889		~~- $sNoResultsFooter = $sArg;~~
	893	+ $sNoResultsFooter = self::killHtmlTags( $sArg );
890	894	break;
891	895	case 'oneresultheader':
892		~~- $sOneResultHeader = $sArg;~~
	896	+ $sOneResultHeader = self::killHtmlTags( $sArg );
893	897	break;
894	898	case 'oneresultfooter':
895		~~- $sOneResultFooter = $sArg;~~
	899	+ $sOneResultFooter = self::killHtmlTags( $sArg );
896	900	break;
897	901
898	902	/**
—	—	@@ -3539,4 +3543,26 @@
3540	3544	$wgExtVariables->vardefine( $dummy, 'DPL_totalPages', $totalPages );
3541	3545	$wgExtVariables->vardefine( $dummy, 'DPL_pages', $pages );
3542	3546	}
	3547	+ /**
	3548	+ * turn <html> -> <html>
	3549	+ * needed because this extension uses weird hacks with $wgRawHtml
	3550	+ * Even with this, I still would not have too much confidence in this extension.
	3551	+ *
	3552	+ * this will break things in a limited way if someone enabled $wgRawHtml for the site
	3553	+ * but I think its worth it.
	3554	+ *
	3555	+ * note, $text should be from user. it should never contain <html> in it unless someone is
	3556	+ * being naughty.
	3557	+ */
	3558	+ private static function killHtmlTags( $text ) {
	3559	+ //escape <html>
	3560	+ $text = preg_replace('/<([^>][hH][tT][mM][lL][^>])>/', '<$1>', $text);
	3561	+ //if we still have <html>, someone is doing something weird, like double nesting to get
	3562	+ //around the escaping - just escape it all. <html> should never be here unless someone
	3563	+ // is being naughty, so it shouldn't cause problems.
	3564	+ if (preg_match('/<[^>][hH][tT][mM][lL][^>]>/', $text)) {
	3565	+ $text = htmlspecialchars($text);
	3566	+ }
	3567	+ return $text;
	3568	+ }
3543	3569	}

Follow-up revisions

Revision	Commit summary	Author	Date
r68812	(Bug 22675) Fix DynamicPageList (3rd party) to work with mediawiki post r61913...	bawolff	03:44, 1 July 2010

Comments

#Comment by Nikerabbit (talk | contribs) 05:43, 1 July 2010

How about using the case-insensitive flag or modifier for the regexp?

#Comment by Bawolff (talk | contribs) 18:07, 1 July 2010

That would also work fine. Considering how short the regex is I don't think it would make much difference in readability. I sometimes find doing the whole [aA] thing is a good reminder to myself that it matches both lowercase and uppercase, where the case insensitivity flag sometimes is easier to miss, but thats just me.

Status & tagging log

03:16, 30 January 2011 MarkAHershberger (talk | contribs) changed the tags for r68811 [removed: roan]
03:16, 30 January 2011 MarkAHershberger (talk | contribs) changed the status of r68811 [removed: new added: ok]
01:09, 26 January 2011 MarkAHershberger (talk | contribs) changed the tags for r68811 [added: roan]