Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F5529220
T155277.patch
No One
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Authored By
Bawolff
Feb 7 2017, 10:11 AM
2017-02-07 10:11:25 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
T155277.patch
View Options
From dd6c6d0148253e9b8e2a9501e1af4872ae386047 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Mon, 6 Feb 2017 05:46:13 +0000
Subject: [PATCH] SECURITY: [XSS] Ensure portal url parameter is a valid title.
TitleValue is not supposed to be used on untrusted input. This
could lead to XSS on raw html wikis via a url like:
?portal=ns:0}}<html><script>alert(1)</script></html>
Bug: T155277
---
includes/PortalSpecialPage.php | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/includes/PortalSpecialPage.php b/includes/PortalSpecialPage.php
index 3e2f9d1..b68c30d 100644
--- a/includes/PortalSpecialPage.php
+++ b/includes/PortalSpecialPage.php
@@ -93,10 +93,13 @@ class PortalSpecialPage extends UnlistedSpecialPage {
throw new MWException( 'bad function name #2 in portal parameter' );
}
}
- $tv = new TitleValue( NS_MODULE, $portal );
- $info = "Module:{$tv->getText()}|$func" . ( $func2 ? "|$func2" : '' );
+ $title = Title::makeTitleSafe( NS_MODULE, $portal );
+ if ( !$title ) {
+ throw new MWException( "Invalid portal module specified - $portal" );
+ }
+ $info = "Module:{$title->getText()}|$func" . ( $func2 ? "|$func2" : '' );
$out->setHTMLTitle( $info );
- $module = $tv->getDBkey();
+ $module = $title->getDBkey();
}
// Zero administrators can use 'portal' parameter to see what another user would see
$impersonate = $req->getVal( 'impersonate' );
--
1.9.5 (Apple Git-50.3)
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
4344668
Default Alt Text
T155277.patch (1 KB)
Attached To
Mode
T155277: XSS in ZeroPortal against users with zero-edit rights
Attached
Detach File
Event Timeline
Log In to Comment