Mattflaschen has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/229055

Change subject: SECURITY: Disallow extracts for non-wikitext for now.
......................................................................

SECURITY: Disallow extracts for non-wikitext for now.

Note that the sensitive information is still in the TextExtracts
memcached, so this requires security review (and either eviction
or a cache key change) before enabling other content models.

Bug: T107170
Change-Id: I57642e84db39d585c5b04453f86102b10fb69cdf
(cherry picked from commit 63b358fca2644cd9731e741898d14ef288f12298)
---
M ApiQueryExtracts.php
1 file changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/TextExtracts refs/changes/55/229055/1

diff --git a/ApiQueryExtracts.php b/ApiQueryExtracts.php
index 7178bdc..2f5160e 100644
--- a/ApiQueryExtracts.php
+++ b/ApiQueryExtracts.php
@@ -23,6 +23,13 @@
        private $parserOptions;
        private $params;
 
+       // TODO: Allow extensions to hook into this to opt-in.
+       // This is partly for security reasons; see T107170.
+       /**
+        * @var array
+        */
+       private $supportedContentModels  = array( 'wikitext' );
+
        public function __construct( $query, $moduleName ) {
                parent::__construct( $query, $moduleName, 'ex' );
        }
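Review bot: the TODO comment and the `@var` docblock on the new `$supportedContentModels` property are two separate comment blocks; folding the TODO and the T107170 reference into the docblock keeps the property's documentation in one place, and the double space in `private $supportedContentModels  = array( 'wikitext' );` should be a single space before `=`. Defaulting the allow-list to `wikitext` only matches the change subject; nothing in this hunk consults the list yet, so the enforcement lives entirely in the `getExtract` hunk below and should be reviewed together with it.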
@@ -121,6 +128,12 @@
         */
        private function getExtract( Title $title ) {
                wfProfileIn( __METHOD__ );
+               $contentModel = $title->getContentModel();
+               if ( !in_array( $contentModel, $this->supportedContentModels, 
true ) ) {
+                       $this->setWarning( "{$title->getPrefixedDBkey()} has 
content model '$contentModel', which is not supported; returning an empty 
extract." );
+                       return '';
+               }
+
                $page = WikiPage::factory( $title );
 
                $introOnly = $this->params['intro'];
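Review bot: the early `return '';` on the unsupported-content-model branch runs after `wfProfileIn( __METHOD__ );` but never calls `wfProfileOut( __METHOD__ );`, which leaves the profiler section unbalanced on this REL1_23 branch; either move the content-model check above the `wfProfileIn` call or add `wfProfileOut( __METHOD__ );` immediately before the `return`. Performing the check before `WikiPage::factory( $title )` and the rest of `getExtract` is the right ordering, because it means no extract, cached or freshly parsed, is returned for a non-wikitext page even though the commit message notes that previously extracted content remains in memcached until it is evicted or the cache key changes. The `in_array` call with the third argument `true` uses strict comparison, which is correct for string content model identifiers, and the warning text names the page and the offending model, which is enough for an API client to diagnose the empty result.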

-- 
To view, visit https://gerrit.wikimedia.org/r/229055
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I57642e84db39d585c5b04453f86102b10fb69cdf
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/TextExtracts
Gerrit-Branch: REL1_23
Gerrit-Owner: Mattflaschen <[email protected]>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
