Chad has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/333316 )
Change subject: SECURITY: Disallow user CSS/JS when centralauthtoken is in use ...................................................................... SECURITY: Disallow user CSS/JS when centralauthtoken is in use This prevents an attacker from putting something bad in their User:Me/apioutput.js or User:Me/apioutput.css and then using centralauthtoken to cause it to be loaded for some other user. Bug: T144573 Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
---
M includes/session/CentralAuthTokenSessionProvider.php
1 file changed, 18 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/CentralAuth refs/changes/16/333316/1
diff --git a/includes/session/CentralAuthTokenSessionProvider.php b/includes/session/CentralAuthTokenSessionProvider.php
index 25296e5..f12724b 100644
--- a/includes/session/CentralAuthTokenSessionProvider.php
+++ b/includes/session/CentralAuthTokenSessionProvider.php
@@ -20,6 +20,7 @@
 parent::__construct();
 $wgHooks['APIGetAllowedParams'][] = $this;
+ $wgHooks['BeforePageDisplay'][] = $this;
 }
 /**
@@ -221,4 +222,21 @@
 return true;
 }
+ /**
+ * Prevent user scripts and styles when centralauthtoken is in use
+ * @param OutputPage $out
+ * @return bool
+ */
+ public function onBeforePageDisplay( $out ) {
+ if ( $out->getRequest()->getSession()->getProvider() instanceof CentralAuthTokenSessionProvider ) {
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_SCRIPTS, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ $out->reduceAllowedModules(
+ ResourceLoaderModule::TYPE_STYLES, ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+ );
+ }
+ return true;
+ }
+
 }
-- To view, visit https://gerrit.wikimedia.org/r/333316 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/CentralAuth Gerrit-Branch: master Gerrit-Owner: Chad <ch...@wikimedia.org> Gerrit-Reviewer: Anomie <bjor...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
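Review bot: The docblock on `onBeforePageDisplay` says it prevents user scripts and styles, but both `reduceAllowedModules` calls cap the origin at `ResourceLoaderModule::ORIGIN_USER_SITEWIDE`, which, if I read the origin levels correctly, still lets site-wide user-origin modules (MediaWiki:Common.js, gadgets) load and only excludes the per-user `ORIGIN_USER_INDIVIDUAL` pages named in the commit message. That distinction is the security decision being made here, so the comment should state it, e.g. `* Disallow ORIGIN_USER_INDIVIDUAL modules (User:X/*.js, User:X/*.css) when the request was authenticated via centralauthtoken, so one user's scripts are never served to another; site-wide user modules stay allowed.` A further one-liner noting that `reduceAllowedModules` presumably only lowers the ceiling (so a stricter limit set by another hook is not undone here) would help the next reader, as would a native `OutputPage $out` type hint to match the hook's documented signature. The enclosing class starts outside the hunk.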