jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/333344 )

Change subject: SECURITY: Disallow user CSS/JS when centralauthtoken is in use
......................................................................


SECURITY: Disallow user CSS/JS when centralauthtoken is in use

This prevents an attacker from putting something bad in their
User:Me/apioutput.js or User:Me/apioutput.css and then using
centralauthtoken to cause it to be loaded for some other user.

Bug: T144573
Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
(cherry picked from commit ff8906162f583da889b04c323730d3c0aef6e2d7)
---
M includes/session/CentralAuthTokenSessionProvider.php
1 file changed, 18 insertions(+), 0 deletions(-)

Approvals:
  Chad: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/session/CentralAuthTokenSessionProvider.php 
b/includes/session/CentralAuthTokenSessionProvider.php
index 161b3de..7662ffe 100644
--- a/includes/session/CentralAuthTokenSessionProvider.php
+++ b/includes/session/CentralAuthTokenSessionProvider.php
@@ -21,6 +21,7 @@
                parent::__construct();
 
                $wgHooks['APIGetAllowedParams'][] = $this;
+               $wgHooks['BeforePageDisplay'][] = $this;
        }
 
        /**
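Review bot: the handler registered here with `$wgHooks['BeforePageDisplay'][] = $this;` stays attached for the lifetime of the provider object no matter which session provider ends up authenticating a given request, so every page render will enter onBeforePageDisplay and rely on its own provider check to decide whether to act. That is fine since the check is cheap, but a one-line comment beside the registration saying that the handler filters on the active session provider itself would spare the next reader from wondering why a BeforePageDisplay hook lives in a session provider class, and it mirrors the existing APIGetAllowedParams registration on the line above.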
@@ -216,4 +217,21 @@
                return true;
        }
 
+       /**
+        * Prevent user scripts and styles when centralauthtoken is in use
+        * @param OutputPage $out
+        * @return bool
+        */
+       public function onBeforePageDisplay( $out ) {
+               if ( $out->getRequest()->getSession()->getProvider() instanceof 
CentralAuthTokenSessionProvider ) {
+                       $out->reduceAllowedModules(
+                               ResourceLoaderModule::TYPE_SCRIPTS, 
ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+                       );
+                       $out->reduceAllowedModules(
+                               ResourceLoaderModule::TYPE_STYLES, 
ResourceLoaderModule::ORIGIN_USER_SITEWIDE
+                       );
+               }
+               return true;
+       }
+
 }
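Review bot: the docblock says the method prevents "user scripts and styles", but the two reduceAllowedModules calls pass ResourceLoaderModule::ORIGIN_USER_SITEWIDE, which caps the allowed origin at the sitewide user level rather than removing all user-controlled modules; sitewide scripts and styles in the MediaWiki namespace still load, and only per-user origin modules such as the User:Me/apioutput.js and User:Me/apioutput.css named in the commit message are dropped. Consider making the comment say exactly that, e.g. "Disallow per-user scripts and styles (sitewide ones still load) when centralauthtoken is in use", so the scope of the restriction is clear. The `instanceof CentralAuthTokenSessionProvider` guard on the session's provider is what confines this to centralauthtoken requests; since the hook is registered unconditionally in the constructor, that guard must not be removed in later refactoring.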

-- 
To view, visit https://gerrit.wikimedia.org/r/333344
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie0a68b6e71b8e8262539499b31f24a84152b4aa7
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: REL1_28
Gerrit-Owner: Paladox <thomasmulhall...@yahoo.com>
Gerrit-Reviewer: Anomie <bjor...@wikimedia.org>
Gerrit-Reviewer: Chad <ch...@wikimedia.org>
Gerrit-Reviewer: Jforrester <jforres...@wikimedia.org>
Gerrit-Reviewer: Legoktm <lego...@member.fsf.org>
Gerrit-Reviewer: MarcoAurelio <strig...@gmail.com>
Gerrit-Reviewer: Reedy <re...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
