Brian Wolff has uploaded a new change for review.
https://gerrit.wikimedia.org/r/267224
Change subject: Require strip marker names to not have & ' " <space> < or > in
them
......................................................................
Require strip marker names to not have & ' " <space> < or > in them
This is a little far fetched, but meant as a hardening step. No
valid strip marker name should have any of those things in them.
If a malicious user managed to somehow control the strip marker name,
he could make a strip marker that "spanned" different html contexts.
Note: I've checked carefully - its impossible for a user to control
the strip marker name. This is just a hardening step against any
future features.
For example, if someone could make a strip marker using the marker
name "a','b", then they could create an xss by feeding
"\x7UNIQfa+QINU\x7f" to charinsert, which will split on + sign,
and create output like
<a onclick="mw.toolbar.insertTags('\x7FUNIQa','bQIN\X7f...
It just seems safer to not allow any of the special characters in
strip marker names - especially because there is no need to ever
user them, and to my knowledge there is no example of anyone ever
actually using such a special character in the marker name.
and not recognize either part as a strip marker.
Change-Id: I798d31aff4e48b4c6da886530c15867226c953d2
---
M includes/parser/StripState.php
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/24/267224/1
diff --git a/includes/parser/StripState.php b/includes/parser/StripState.php
index b11dc8c..ac763fc 100644
--- a/includes/parser/StripState.php
+++ b/includes/parser/StripState.php
@@ -50,7 +50,7 @@
'nowiki' => array(),
'general' => array()
);
- $this->regex = '/' . Parser::MARKER_PREFIX . "([^\x7f]+)" .
Parser::MARKER_SUFFIX . '/';
+ $this->regex = '/' . Parser::MARKER_PREFIX . "([^\x7f
<>&'\"]+)" . Parser::MARKER_SUFFIX . '/';
$this->circularRefGuard = array();
}
--
To view, visit https://gerrit.wikimedia.org/r/267224
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I798d31aff4e48b4c6da886530c15867226c953d2
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Brian Wolff <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
