r77031 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r77030‎ \| r77031 \| r77032 >
Date:	21:02, 19 November 2010
Author:	mah
Status:	resolved (Comments)
Tags:
Comment:	followup r76848 by using wfEscapeWikiText() on all bits except links. Escape links using wfEscapeWikiText() that, after we've parsed them with parse_url(), don't have a scheme in our list of validSchemes.
Modified paths:	/trunk/extensions/RSS/RSSParser.php (modified) (history)

Diff [purge]

Index: trunk/extensions/RSS/RSSParser.php
—	—	@@ -13,6 +13,7 @@
14	14	protected $xml;
15	15	protected $error;
16	16	protected $displayFields = array( 'author', 'title', 'encodedContent', 'description' );
	17	+ protected $validScheme = array( 'http', 'https', 'ftp' );
17	18
18	19	public $client;
19	20
—	—	@@ -241,8 +242,8 @@
242	243	protected function renderItem( $item, $parser, $frame ) {
243	244	$output = "";
244	245	if ( isset( $parser ) && isset( $frame ) ) {
245		~~- $displayFields = array_flip( $this->displayFields );~~
246	246	$rendered = $this->itemTemplate;
	247	+ $validScheme = array_flip( $this->validScheme );
247	248
248	249	// $info will only be an XML element name, so we're safe
249	250	// using it. $item[$info] is handled by the XML parser --
—	—	@@ -250,14 +251,21 @@
251	252	// <description><script>alert("hi")</script></description> will find its
252	253	// rogue <script> tags neutered.
253	254	foreach ( array_keys( $item ) as $info ) {
254		~~- if ( isset( $displayFields[ $info ] ) ) {~~
	255	+ if ( $info != 'link' ) {
255	256	$txt = $this->highlightTerms( wfEscapeWikiText( $item[ $info ] ) );
256	257	} else {
257		~~- $txt = wfEscapeWikiText( $item[ $info ] );~~
	258	+ $url = $item[ $info ];
	259	+ $scheme = parse_url( $url, PHP_URL_SCHEME );
	260	+ if( isset( $validScheme[$scheme] ) ) {
	261	+ $txt = $url;
	262	+ } else {
	263	+ $txt = wfEscapeWikiText( $url );
	264	+ }
258	265	}
259	266	$rendered = str_replace( '{{{' . $info . '}}}', $txt, $rendered );
260	267	}
261		~~- $output .= $parser->recursiveTagParse( $rendered, $frame );~~
	268	+
	269	+ $output = $parser->recursiveTagParse( $rendered, $frame );
262	270	}
263	271	return $output;
264	272	}

Follow-up revisions

Revision	Commit summary	Author	Date
r77128	* Avoid XSS via malicious RSS on wikis with $wgRawHtml = true. Mostly reverts...	tstarling	02:16, 23 November 2010

Past revisions this follows-up on

Revision	Commit summary	Author	Date
r76848	* Remove references to unused charset handling....	mah	23:21, 16 November 2010

Comments

#Comment by Tim Starling (talk | contribs) 01:10, 23 November 2010

That doesn't solve anything.

> var_dump( parse_url( 'http://<html><script>alert("hello")</script></html>' ) )
array(3) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(29) "<html><script>alert("hello")<"
  ["path"]=>
  string(15) "/script></html>"
}

> var_dump( parse_url( 'http://<html><script>alert("hello")</script></html>', PHP_URL_SCHEME ) )
string(4) "http"

How about I just do it myself?

Status & tagging log

23:54, 23 November 2010 Tim Starling (talk | contribs) changed the status of r77031 [removed: new added: resolved]