r76848 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r76847‎ \| r76848 \| r76849 >
Date:	23:21, 16 November 2010
Author:	mah
Status:	resolved (Comments)
Tags:
Comment:	* Remove references to unused charset handling. * Remove references to unused config variables. * Consolidate renderItem() to a single loop instead of a separate one for highlighting displayFields. * Make sure everything gets htmlspecialchars() treatment. o
Modified paths:	/trunk/extensions/RSS/RSS.php (modified) (history) /trunk/extensions/RSS/RSSParser.php (modified) (history)

Diff [purge]

Index: trunk/extensions/RSS/RSSParser.php
—	—	@@ -1,7 +1,6 @@
2	2	<?php
3	3
4	4	class RSSParser {
5		~~- protected $charset;~~
6	5	protected $maxheads = 32;
7	6	protected $reversed = false;
8	7	protected $highlight = array();
—	—	@@ -35,15 +34,6 @@
36	35	function __construct( $url, $args ) {
37	36	$this->url = $url;
38	37
39		~~- # Get charset from argument array~~
40		~~- # FIXME: not used yet~~
41		~~- if ( isset( $args['charset'] ) ) {~~
42		~~- $this->charset = $args['charset'];~~
43		~~- } else {~~
44		~~- global $wgOutputEncoding;~~
45		~~- $this->charset = $wgOutputEncoding;~~
46		~~- }~~
47		-
48	38	# Get max number of headlines from argument-array
49	39	if ( isset( $args['max'] ) ) {
50	40	$this->maxheads = $args['max'];
—	—	@@ -92,16 +82,11 @@
93	83	*
94	84	* NOTES ON FAILED REQUESTS:
95	85	* If there is an HTTP error while fetching an RSS object, the cached version
96		~~- * will be returned, if it exists (and if $wgRSSCacheFreshOnly is false)~~
	86	+ * will be returned, if it exists.
97	87	*
98	88	* @return boolean Status object
99	89	*/
100	90	function fetch() {
101		~~- global $wgRSSCacheAge, $wgRSSCacheFreshOnly;~~
102		~~- global $wgRSSCacheDirectory, $wgRSSFetchTimeout;~~
103		~~- global $wgRSSOutputEncoding, $wgRSSInputEncoding;~~
104		~~- global $wgRSSDetectEncoding;~~
105		-
106	91	if ( !isset( $this->url ) ) {
107	92	return Status::newFatal( 'rss-fetch-nourl' );
108	93	}
—	—	@@ -256,22 +241,21 @@
257	242	protected function renderItem( $item, $parser, $frame ) {
258	243	$output = "";
259	244	if ( isset( $parser ) && isset( $frame ) ) {
260		~~- $rendered = array();~~
261		~~- foreach ( $this->displayFields as $field ) {~~
262		~~- if ( isset($item[$field] ) ) {~~
263		~~- $item[$field] = $this->highlightTerms( $item[$field] );~~
264		~~- }~~
265		~~- }~~
266		-
	245	+ $displayFields = array_flip( $this->displayFields );
267	246	$rendered = $this->itemTemplate;
	247	+
268	248	// $info will only be an XML element name, so we're safe
269	249	// using it. $item[$info] is handled by the XML parser --
270	250	// and that means bad RSS with stuff like
271	251	// <description><script>alert("hi")</script></description> will find its
272	252	// rogue <script> tags neutered.
273	253	foreach ( array_keys( $item ) as $info ) {
274		~~- $rendered = str_replace( '{{{' . $info . '}}}', wfEscapeWikiText( $item[$info] ),~~
275		~~- $rendered );~~
	254	+ if ( isset( $displayFields[ $info ] ) ) {
	255	+ $txt = $this->highlightTerms( htmlspecialchars( $item[ $info ] ) );
	256	+ } else {
	257	+ $txt = htmlspecialchars( $item[ $info ] );
	258	+ }
	259	+ $rendered = str_replace( '{{{' . $info . '}}}', $txt, $rendered );
276	260	}
277	261	$output .= $parser->recursiveTagParse( $rendered, $frame );
278	262	}
Index: trunk/extensions/RSS/RSS.php
—	—	@@ -50,14 +50,10 @@
51	51	$wgHooks['ParserFirstCallInit'][] = 'RSSHooks::parserInit';
52	52
53	53	$wgRSSCacheAge = 3600; // one hour
54		~~-$wgRSSCacheFreshOnly = false;~~
55	54	$wgRSSCacheCompare = false; // Check cached content, if available, against remote.
56	55	// $wgRSSCacheCompare should be set to false or a timeout
57	56	// (less than $wgRSSCacheAge) after which a comparison will
58	57	// be made.
59		~~-$wgRSSOutputEncoding = 'ISO-8859-1';~~
60		~~-$wgRSSInputEncoding = null;~~
61		~~-$wgRSSDetectEncoding = true;~~
62	58	$wgRSSFetchTimeout = 5; // 5 second timeout
63	59
64	60	// Agent to use for fetching feeds

Follow-up revisions

Revision	Commit summary	Author	Date
r77024	followup r76848 Make sure to use wfEscapeWikiText	mah	19:01, 19 November 2010
r77031	followup r76848 by using wfEscapeWikiText() on all bits except links. Escape...	mah	21:02, 19 November 2010

Comments

#Comment by Tim Starling (talk | contribs) 09:24, 19 November 2010

This introduces an XSS vulnerability. When I told you to use wfEscapeWikiText(), I did actually mean it.

#Comment by MarkAHershberger (talk | contribs) 21:14, 19 November 2010

Sorry about that, see r77031. Since links are so essential to RSS, I hope that using parse_url to match "safe" schemes is valid.

Status & tagging log

00:37, 22 January 2011 😂 (talk | contribs) changed the status of r76848 [removed: new added: resolved]
06:31, 22 November 2010 MarkAHershberger (talk | contribs) changed the status of r76848 [removed: fixme added: new]
21:14, 19 November 2010 MarkAHershberger (talk | contribs) changed the status of r76848 [removed: new added: fixme]
21:03, 19 November 2010 MarkAHershberger (talk | contribs) changed the status of r76848 [removed: fixme added: new]
09:24, 19 November 2010 Tim Starling (talk | contribs) changed the status of r76848 [removed: new added: fixme]