jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/346855 )

Change subject: SECURITY: Always normalize link url before adding to ParserOutput
......................................................................


SECURITY: Always normalize link url before adding to ParserOutput

Move link normalization directly into addExternalLink() method,
since you always need to do it - having it separate is just
inviting people to forget to normalize a link.

Additionally, links weren't properly registered for <gallery>.
This was somewhat unnoticed, as the call to recursiveTagParse()
would register free links, but it wouldn't work for example with
protocol relative links.

Issue originally reported by MZMcBride.

Bug: T48143
Change-Id: I557fb3b433ef9d618097b6ba4eacc6bada250ca2
---
M RELEASE-NOTES-1.27
M includes/parser/Parser.php
M includes/parser/ParserOutput.php
3 files changed, 10 insertions(+), 7 deletions(-)

Approvals:
  Chad: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index ff34d4d..b2ce3a5 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -36,6 +36,8 @@
   declaration.
 * (T161453) SECURITY: LocalisationCache will no longer use the temporary 
directory
   in it's fallback chain when trying to work out where to write the cache.
+* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file 
inclusion
+  syntax's link parameter.
 
 == MediaWiki 1.27.1 ==
 
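Review bot: the new `+* (T48143)` entry names the symptom (spam blacklist bypassed by encoded URLs in the file-inclusion `link=` parameter) but not the behaviour change that ships with it, namely that ParserOutput::addExternalLink() now normalizes every URL itself, so extension code no longer needs to call Parser::normalizeLinkUrl() beforehand. Release notes are what downstream maintainers read, so consider appending a clause such as "ParserOutput::addExternalLink() now normalizes URLs itself." The wrapped wording "file inclusion syntax's link parameter" would also read more clearly as "the link= parameter of file inclusion syntax".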
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 178d7fd..3adeb6c 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -1538,9 +1538,7 @@
                                true, 'free',
                                $this->getExternalLinkAttribs( $url ) );
                        # Register it in the output object...
-                       # Replace unnecessary URL escape codes with their 
equivalent characters
-                       $pasteurized = self::normalizeLinkUrl( $url );
-                       $this->mOutput->addExternalLink( $pasteurized );
+                       $this->mOutput->addExternalLink( $url );
                }
                return $text . $trail;
        }
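Review bot: dropping `$pasteurized = self::normalizeLinkUrl( $url );` here is only correct because the same normalization now runs inside addExternalLink(); the anchor rendered a few lines above still receives the raw `$url` through getExternalLinkAttribs(), which is unchanged behaviour, so the href and the registered link may differ in percent-encoding exactly as they did before. To keep the next reader from reintroducing a local normalization call (or, worse, assuming none happens), extend the surviving `# Register it in the output object...` comment with a note that normalization is performed by ParserOutput::addExternalLink().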
@@ -1836,10 +1834,7 @@
                                $this->getExternalLinkAttribs( $url ) ) . 
$dtrail . $trail;
 
                        # Register link in the output object.
-                       # Replace unnecessary URL escape codes with the 
referenced character
-                       # This prevents spammers from hiding links from the 
filters
-                       $pasteurized = self::normalizeLinkUrl( $url );
-                       $this->mOutput->addExternalLink( $pasteurized );
+                       $this->mOutput->addExternalLink( $url );
                }
 
                return $s;
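Review bot: the deleted comment "This prevents spammers from hiding links from the filters" is the security rationale for the whole change, and this hunk removes its second copy from Parser.php; it survives in ParserOutput.php, so that is acceptable, but no test accompanies the move. A parser test for this bracketed-link path, feeding a URL whose host or path carries unnecessary percent-escapes and asserting that getExternalLinks() contains the decoded form, would catch any future code path that registers a link without going through addExternalLink().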
@@ -5445,9 +5440,11 @@
                                                        // check to see if link 
matches an absolute url, if not then it must be a wiki link.
                                                        if ( preg_match( 
"/^($prots)$addr$chars*$/u", $linkValue ) ) {
                                                                $link = 
$linkValue;
+                                                               
$this->mOutput->addExternalLink( $link );
                                                        } else {
                                                                $localLinkTitle 
= Title::newFromText( $linkValue );
                                                                if ( 
$localLinkTitle !== null ) {
+                                                                       
$this->mOutput->addLink( $localLinkTitle );
                                                                        $link = 
$localLinkTitle->getLinkURL();
                                                                }
                                                        }
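Review bot: the two new registration calls close the gap the commit message describes, but note where they sit: `$this->mOutput->addExternalLink( $link );` is only reached when `$linkValue` matches `^($prots)$addr$chars*$`, so a value that starts with a protocol yet contains a character outside `$chars` falls through to the Title branch and is registered via `addLink()` as a wiki link, not as an external one. That is pre-existing matching logic, but since the commit message singles out protocol-relative links as the case recursiveTagParse() missed, a parser test with a `//host/path` style `link=` target in `<gallery>` would pin the intended behaviour. The external branch passes the raw `$link` and relies on addExternalLink() to normalize its own copy, which is consistent with the other two hunks.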
diff --git a/includes/parser/ParserOutput.php b/includes/parser/ParserOutput.php
index 6c7ad4e..68305c5 100644
--- a/includes/parser/ParserOutput.php
+++ b/includes/parser/ParserOutput.php
@@ -509,6 +509,10 @@
                # We don't register links pointing to our own server, unless... 
:-)
                global $wgServer, $wgRegisterInternalExternals;
 
+               # Replace unnecessary URL escape codes with the referenced 
character
+               # This prevents spammers from hiding links from the filters
+               $url = parser::normalizeLinkUrl( $url );
+
                $registerExternalLink = true;
                if ( !$wgRegisterInternalExternals ) {
                        $registerExternalLink = !self::isLinkInternal( 
$wgServer, $url );

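Review bot: `parser::normalizeLinkUrl( $url )` uses a lowercase class name; PHP resolves class names case-insensitively so it works, but the rest of the codebase writes `Parser::`, and the lowercase form defeats grep and IDE navigation, so change it to `Parser::normalizeLinkUrl( $url );`. Placing the normalization before `!self::isLinkInternal( $wgServer, $url )` is the right order, because the internal-link check now sees the same canonical form that gets registered rather than an escaped variant. This hunk also introduces a dependency from ParserOutput on the Parser class; acceptable, but the docblock of addExternalLink() should say that callers receive normalization for free and must not rely on pre-normalizing themselves.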
-- 
To view, visit https://gerrit.wikimedia.org/r/346855
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I557fb3b433ef9d618097b6ba4eacc6bada250ca2
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Chad <[email protected]>
Gerrit-Reviewer: Brian Wolff <[email protected]>
Gerrit-Reviewer: C. Scott Ananian <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>
Gerrit-Reviewer: Jackmcbarn <[email protected]>
Gerrit-Reviewer: Reedy <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
