Mattflaschen has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/229039

Change subject: SECURITY: Disallow extracts for non-wikitext for now.
......................................................................

SECURITY: Disallow extracts for non-wikitext for now.

Note that the sensitive information is still in the TextExtracts
memcached, so this requires security review (and either eviction
or a cache key change) before enabling other content models.

Bug: T107170
Change-Id: I57642e84db39d585c5b04453f86102b10fb69cdf
(cherry picked from commit f5c114c571e05f0b9603197af1aa0080326d8dd3)
---
M includes/ApiQueryExtracts.php
1 file changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/TextExtracts refs/changes/39/229039/1

diff --git a/includes/ApiQueryExtracts.php b/includes/ApiQueryExtracts.php
index 97c560f..8e1d100 100644
--- a/includes/ApiQueryExtracts.php
+++ b/includes/ApiQueryExtracts.php
@@ -43,6 +43,13 @@
         */
        private $config;
 
+       // TODO: Allow extensions to hook into this to opt-in.
+       // This is partly for security reasons; see T107170.
+       /**
+        * @var array
+        */
+       private $supportedContentModels  = array( 'wikitext' );
+
        public function __construct( $query, $moduleName, Config $conf ) {
                parent::__construct( $query, $moduleName, 'ex' );
                $this->config = $conf;
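Review bot: The TODO comment about opting in via a hook is placed above the `/** @var array */` docblock rather than inside it, so it is detached from the member it describes; fold it into the docblock (e.g. `@todo Allow extensions to hook into this to opt in; see T107170`) so the property carries its own rationale. Also, `private $supportedContentModels  = array( 'wikitext' );` has a double space before `=`; reduce it to one.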
@@ -105,6 +112,12 @@
         * @return string
         */
        private function getExtract( Title $title ) {
+               $contentModel = $title->getContentModel();
+               if ( !in_array( $contentModel, $this->supportedContentModels, 
true ) ) {
+                       $this->setWarning( "{$title->getPrefixedDBkey()} has 
content model '$contentModel', which is not supported; returning an empty 
extract." );
+                       return '';
+               }
+
                $page = WikiPage::factory( $title );
 
                $introOnly = $this->params['intro'];
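Review bot: The new content-model gate runs before `WikiPage::factory( $title )`, so no new extract is computed for a non-wikitext page, but as the commit message itself says, extracts already stored in the TextExtracts memcached are untouched; if the cache is consulted before `getExtract()` is reached, previously cached non-wikitext extracts will still be served and the restriction is only partially effective. Either bump the cache key or evict the affected entries in this change, and say in the warning which models are supported (e.g. append `"; supported models: " . implode( ', ', $this->supportedContentModels )`) so API clients can tell why they got an empty extract.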

-- 
To view, visit https://gerrit.wikimedia.org/r/229039
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I57642e84db39d585c5b04453f86102b10fb69cdf
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/TextExtracts
Gerrit-Branch: master
Gerrit-Owner: Mattflaschen <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
