Siebrand has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/60983


Change subject: Disable upload from URL on Special:ImportTranslations by default
......................................................................

Disable upload from URL on Special:ImportTranslations by default

In bug 40341, Chris Steipp identified unknown potential attack vectors in
allowing users to upload arbitrary files to MediaWiki. This patch disables
the existing feature by adding global $wgTranslateAllowImportFromUrl. It can
be re-enabled by setting $wgTranslateAllowImportFromUrl to true.

Bug: 40341
Change-Id: I01057787abcf9cbcf9796cac7750134858ebff7b
---
M Translate.php
M specials/SpecialImportTranslations.php
2 files changed, 26 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Translate 
refs/changes/83/60983/1

diff --git a/Translate.php b/Translate.php
index 7302f7f..5fb2ce3 100644
--- a/Translate.php
+++ b/Translate.php
@@ -17,7 +17,7 @@
 /**
  * Version number used in extension credits and in other places where needed.
  */
-define( 'TRANSLATE_VERSION', '2013-04-16' );
+define( 'TRANSLATE_VERSION', '2013-04-26' );
 
 /**
  * Extension credits properties.
@@ -608,6 +608,13 @@
  */
 $wgTranslateUseTux = true;
 
+/**
+ * Whether to allow uploading gettext files through URLs on
+ * Special:ImportTranslations. Default is false.
+ * @since 2013-04-26
+ */
+$wgTranslateAllowImportFromUrl = false;
+
 # </source>
 
 /** @cond cli_support */
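Review bot: The docblock for $wgTranslateAllowImportFromUrl should state that the value has to be boolean true, because both consumers in specials/SpecialImportTranslations.php compare it with `=== true`, so a truthy value such as `1` in LocalSettings leaves the feature disabled without any hint why. Suggest adding `@var bool` and rewording the second sentence to `Set to boolean true to enable; any other value keeps URL import disabled.` The setting itself is a reasonable fail-closed default for a server-side fetch of a user-supplied URL.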
diff --git a/specials/SpecialImportTranslations.php 
b/specials/SpecialImportTranslations.php
index 0a70e79..028c58f 100644
--- a/specials/SpecialImportTranslations.php
+++ b/specials/SpecialImportTranslations.php
@@ -118,6 +118,8 @@
         * Constructs and outputs file input form with supported methods.
         */
        protected function outputForm() {
+               global $wgTranslateAllowImportFromUrl;
+
                $this->getOutput()->addModules( 
'ext.translate.special.importtranslations' );
                TranslateUtils::addSpecialHelpLink( $this->getOutput(), 
'Help:Extension:Translate/Off-line_translation' );
                /**
@@ -139,17 +141,19 @@
 
                $class = array( 'class' => 'mw-translate-import-inputs' );
 
-               $this->getOutput()->addHTML(
-                       Xml::radioLabel( $this->msg( 
'translate-import-from-url' )->text(),
-                               'upload-type', 'url', 'mw-translate-up-url',
-                               $this->getRequest()->getText( 'upload-type' ) 
=== 'url' ) .
-                               "\n" . Xml::closeElement( 'td' ) . 
Xml::openElement( 'td' ) . "\n" .
-                               Xml::input( 'upload-url', 50,
-                                       $this->getRequest()->getText( 
'upload-url' ),
-                                       array( 'id' => 
'mw-translate-up-url-input' ) + $class ) .
-                               "\n" . Xml::closeElement( 'td' ) . 
Xml::closeElement( 'tr' ) .
-                               Xml::openElement( 'tr' ) . Xml::openElement( 
'td' ) . "\n"
-               );
+               if( $wgTranslateAllowImportFromUrl === true ) {
+                       $this->getOutput()->addHTML(
+                               Xml::radioLabel( $this->msg( 
'translate-import-from-url' )->text(),
+                                       'upload-type', 'url', 
'mw-translate-up-url',
+                                       $this->getRequest()->getText( 
'upload-type' ) === 'url' ) .
+                                       "\n" . Xml::closeElement( 'td' ) . 
Xml::openElement( 'td' ) . "\n" .
+                                       Xml::input( 'upload-url', 50,
+                                               $this->getRequest()->getText( 
'upload-url' ),
+                                               array( 'id' => 
'mw-translate-up-url-input' ) + $class ) .
+                                       "\n" . Xml::closeElement( 'td' ) . 
Xml::closeElement( 'tr' ) .
+                                       Xml::openElement( 'tr' ) . 
Xml::openElement( 'td' ) . "\n"
+                       );
+               }
 
                $this->getOutput()->addHTML(
                        Xml::radioLabel( $this->msg( 
'translate-import-from-wiki' )->text(),
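Review bot: `if( $wgTranslateAllowImportFromUrl === true ) {` lacks the space after `if` that the rest of this file uses (`if ( $source === 'url' ...` and `if ( $filedata )` in the next hunk); change it to `if ( $wgTranslateAllowImportFromUrl === true ) {`. Hiding the radio button and URL input only changes what the form offers; the setting is enforced by the matching check in loadFile, so a short comment such as `// Presentation only: loadFile() enforces the setting server-side` above this if would make that division of responsibility explicit. outputForm starts before this hunk and continues after it.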
@@ -181,9 +185,11 @@
         * @return array
         */
        protected function loadFile( &$filedata ) {
+               global $wgTranslateAllowImportFromUrl;
+
                $source = $this->getRequest()->getText( 'upload-type' );
 
-               if ( $source === 'url' ) {
+               if ( $source === 'url' && $wgTranslateAllowImportFromUrl === 
true ) {
                        $url = $this->getRequest()->getText( 'upload-url' );
                        $filedata = Http::get( $url );
                        if ( $filedata ) {
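Review bot: When the setting is false but a request still carries `upload-type=url`, the guarded branch is simply skipped and control falls through to whatever follows in loadFile, which lies outside this hunk, so the disabled case is never reported as such and may end up handled as another source type. Consider rejecting it explicitly before this branch, `if ( $source === 'url' && $wgTranslateAllowImportFromUrl !== true ) { … }`, returning the same error-shaped array the other failure paths in loadFile use (with a new message key, named as the extension's conventions dictate), so that a disabled feature fails closed with a clear error. Placing the check at the `Http::get( $url )` call rather than only in the form is the right choice, since the server-side fetch of a user-supplied URL is the operation the setting is meant to control. loadFile continues past the end of the hunk.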

-- 
To view, visit https://gerrit.wikimedia.org/r/60983
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I01057787abcf9cbcf9796cac7750134858ebff7b
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Translate
Gerrit-Branch: master
Gerrit-Owner: Siebrand <siebr...@wikimedia.org>
