r77423 MediaWiki - Code Review archive

Repository: MediaWiki
Revision: r77423
Date: 16:34, 29 November 2010
Author: platonides
Status: ok
Tags:
Comment:
Fix potential html injection when the database server isn't available (bug 26164).

Wikis which set $wgServer in their LocalSettings or are in a virtual
host would never be vulnerable.
For sites which show the wiki in the default host, it will depend on how
forgiving their webserver and php stack are with that garbled input, although
some kind of foolable proxy —moreover wrongly caching errors (or the default
output buffering is disabled and something incorrectly sent a previous text)—
would also need to be present in order to make that useful for a
potential attacker.
Modified paths:
  • /trunk/phase3/RELEASE-NOTES (modified)
  • /trunk/phase3/includes/Exception.php (modified)
  • /trunk/phase3/includes/db/Database.php (modified)

Diff

Index: trunk/phase3/includes/db/Database.php
@@ -2805,7 +2805,7 @@
28062806 }
28072807
28082808 function searchForm() {
2809 - global $wgSitename, $wgServer, $wgLang, $wgInputEncoding;
 2809+ global $wgSitename, $wgServer, $wgLang;
28102810
28112811 $usegoogle = "You can try searching via Google in the meantime.";
28122812 $outofdate = "Note that their indexes of our content may be out of date.";
@@ -2819,20 +2819,23 @@
28202820
28212821 $search = htmlspecialchars( @$_REQUEST['search'] );
28222822
 2823+ $server = htmlspecialchars( $wgServer );
 2824+ $sitename = htmlspecialchars( $wgSitename );
 2825+
28232826 $trygoogle = <<<EOT
28242827 <div style="margin: 1.5em">$usegoogle<br />
28252828 <small>$outofdate</small></div>
28262829 <!-- SiteSearch Google -->
28272830 <form method="get" action="http://www.google.com/search" id="googlesearch">
2828 - <input type="hidden" name="domains" value="$wgServer" />
 2831+ <input type="hidden" name="domains" value="$server" />
28292832 <input type="hidden" name="num" value="50" />
2830 - <input type="hidden" name="ie" value="$wgInputEncoding" />
2831 - <input type="hidden" name="oe" value="$wgInputEncoding" />
 2833+ <input type="hidden" name="ie" value="UTF-8" />
 2834+ <input type="hidden" name="oe" value="UTF-8" />
28322835
28332836 <input type="text" name="q" size="31" maxlength="255" value="$search" />
28342837 <input type="submit" name="btnG" value="$googlesearch" />
28352838 <div>
2836 - <input type="radio" name="sitesearch" id="gwiki" value="$wgServer" checked="checked" /><label for="gwiki">$wgSitename</label>
 2839+ <input type="radio" name="sitesearch" id="gwiki" value="$server" checked="checked" /><label for="gwiki">$sitename</label>
28372840 <input type="radio" name="sitesearch" id="gWWW" value="" /><label for="gWWW">WWW</label>
28382841 </div>
28392842 </form>
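Review bot: `$googlesearch` is still interpolated unescaped into a double-quoted attribute at `<input type="submit" name="btnG" value="$googlesearch" />`; if it is a fixed literal defined in the lines omitted from this hunk that is fine, otherwise it should get the same `htmlspecialchars()` treatment as `$server` and `$sitename`. Also, `htmlspecialchars( $wgServer )` with the default flags leaves single quotes alone, which is sufficient here only because every attribute in this heredoc is double-quoted; passing `ENT_QUOTES`, as the Exception.php hunk does, would keep the two fixes consistent and survive a later change of quoting style. Finally, replacing `$wgInputEncoding` with a hard-coded `UTF-8` for the `ie`/`oe` parameters (and dropping it from the `global` list in the previous hunk) is a behaviour change unrelated to the escaping fix and deserves a sentence in the commit message or RELEASE-NOTES.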
Index: trunk/phase3/includes/Exception.php
@@ -236,13 +236,15 @@
237237 header( 'Pragma: nocache' );
238238 }
239239
240 - $title = $this->getPageTitle();
 240+ $logo = htmlspecialchars( $wgLogo, ENT_QUOTES );
 241+ $title = htmlspecialchars( $this->getPageTitle() );
 242+
241243 return "<html>
242244 <head>
243245 <title>$title</title>
244246 </head>
245247 <body>
246 - <h1><img src='$wgLogo' style='float:left;margin-right:1em' alt=''/>$title</h1>
 248+ <h1><img src='$logo' style='float:left;margin-right:1em' alt=''/>$title</h1>
247249 ";
248250 }
249251
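Review bot: `$title` is escaped with the default flags while `$logo` gets `ENT_QUOTES`; the distinction is correct, since `$title` lands in element content and `$logo` in the single-quoted `src='$logo'` attribute, but a short comment saying why `ENT_QUOTES` is required for the attribute would stop a later editor from "simplifying" the two calls into one form. Alternatively, double-quoting the `src` and `style` attributes in the `<img>` tag would make the default flags sufficient for both values and remove the special case.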
Index: trunk/phase3/RELEASE-NOTES
@@ -441,6 +441,7 @@
442442 * (bug 25451) Improved datetime representation in 32 bit php >= 5.2.
443443 * Show "skin does not exist error" only when the skin is inputted in the wrong
444444 case.
 445+* (bug 26164) Potential html injection when the database server isn't available
445446
446447 === API changes in 1.17 ===
447448 * (bug 22738) Allow filtering by action type on query=logevent.
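Review bot: the new entry ends without a period while the neighbouring entries (`* (bug 25451) Improved datetime representation in 32 bit php >= 5.2.`) do; add one, and consider phrasing it as the fix ("Fixed potential HTML injection when the database server isn't available") rather than naming only the problem, matching the other entries. The note also says nothing about the Google search form now hard-coding `UTF-8` for `ie`/`oe` instead of `$wgInputEncoding`, which administrators of non-default setups may want to know about.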
