https://www.mediawiki.org/wiki/Special:Code/MediaWiki/112243

Revision: 112243
Author:   wikinaut
Date:     2012-02-23 21:12:54 +0000 (Thu, 23 Feb 2012)
Log Message:
-----------
name and behaviour change of wgRSSAllowedFeeds to wgRSSUrlWhitelist. The 
wgRSSUrlWhitelist is _now_ empty by default which was not the case until this 
version. Admins who want to allow their users to insert arbitrary feed urls 
must now denote this expressly with an asterisk in quotes as whitelist array 
element. This is harmonised to the same method as recently introduced in 
E:EtherpadLite. The RELEASE NOTES file has been updated, updates to the 
MediaWiki manual page will follow soon.

Modified Paths:
--------------
    trunk/extensions/RSS/RELEASE-NOTES
    trunk/extensions/RSS/RSS.i18n.php
    trunk/extensions/RSS/RSS.php
    trunk/extensions/RSS/RSSHooks.php
    trunk/extensions/RSS/RSSParser.php

Modified: trunk/extensions/RSS/RELEASE-NOTES
===================================================================
--- trunk/extensions/RSS/RELEASE-NOTES  2012-02-23 20:18:32 UTC (rev 112242)
+++ trunk/extensions/RSS/RELEASE-NOTES  2012-02-23 21:12:54 UTC (rev 112243)
@@ -13,6 +13,21 @@
 * bug 30028 "Error parsing XML for RSS" - improve and harden Extension:RSS when
   parsing differently flavoured RSS feeds
 
+=== Version 1.94 2012-02-23 ===
+* changed white list definition and behaviour:
+
+  1. changed the name from $wgRSSAllowedFeeds to $wgRSSUrlWhitelist
+  2. behaviour has been changed
+
+  the new behaviour is:
+  $wgRSSUrlWhitelist is empty by default. Since version 1.94 it must be 
+  expressly set to an array( list-of-comma-separated-allowed-RSS-urls-strings )
+  or set to array( "*" ) if you want to allow any url
+
+  the old behaviour was:
+  $wgRSSAllowedFeeds was empty by default and empty meant that every Url
+  was allowed by default. This has been changed, see new behaviour.
+
 === Version 1.92 2012-02-13 ===
 * added optional date= attribute and $wgRSSDateDefaultFormat parameter
 * added optional item-max-length= attribute and $wgRSSItemMaxLength parameter

Modified: trunk/extensions/RSS/RSS.i18n.php
===================================================================
--- trunk/extensions/RSS/RSS.i18n.php   2012-02-23 20:18:32 UTC (rev 112242)
+++ trunk/extensions/RSS/RSS.i18n.php   2012-02-23 21:12:54 UTC (rev 112243)
@@ -20,7 +20,8 @@
        'rss-invalid-url' => 'Not a valid URL: $1',
        'rss-parse-error' => 'Error parsing XML for RSS',
        'rss-ns-permission' => 'RSS is not allowed in this namespace',
-       'rss-url-permission' => 'This URL is not allowed to be included',
+       'rss-url-is-not-whitelisted' => '"$1" is not in the whitelist of 
allowed feeds. {{PLURAL:$3|$2 is the only allowed feed|The allowed feeds are as 
follows: $2}}.',
+       'rss-empty-whitelist' => '"$1" is not in the whitelist of allowed 
feeds. There are no allowed feed URLs in the whitelist.',
        'rss-item' => '{{$1 | title = {{{title}}} | link = {{{link}}} | date = 
{{{date}}} | author = {{{author}}} | description = {{{description}}} }}',
        'rss-feed' => "<!--  the following are two alternative templates. The 
first is the basic default template for feeds -->; '''<span 
class='plainlinks'>[{{{link}}} {{{title}}}]</span>'''
 : {{{description}}}
@@ -33,6 +34,7 @@
  */
 $messages['qqq'] = array(
        'rss-invalid-url' => '$1 is the invalid URL for the RSS feed',
+       'etherpadlite-url-is-not-whitelisted' => "Error if url isn't in list of 
allowed urls. $1 is name of url specified by user, $2 is a comma separated list 
of allowed urls, $3 is the number of urls in the allowed list",
        'rss-feed' => "; $1
 : ''not to be localised''
 : The RSS extension substitutes this placeholder with the name of a template 
page. The content of this template page determines the final layout of the RSS 
feed on the rendered wiki page. The Extension:RSS currently uses 
'MediaWiki:Rss-feed' as default for $1. This means that the content of 
[[MediaWiki:Rss-feed]] determines how RSS feed items are rendered.
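Review bot: The qqq documentation key added here, `'etherpadlite-url-is-not-whitelisted'`, does not match the message key `'rss-url-is-not-whitelisted'` introduced in the first hunk of this file, so the parameter description is attached to a message that does not exist in this extension and translators will not see it (it looks copied from the EtherpadLite extension named in the log message). Change the key to `'rss-url-is-not-whitelisted' => "Error if url isn't in list of allowed urls. ..."`. The new `'rss-empty-whitelist'` message has no qqq entry at all; a one-line entry describing `$1` as the URL the user supplied would complete the pair.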

Modified: trunk/extensions/RSS/RSS.php
===================================================================
--- trunk/extensions/RSS/RSS.php        2012-02-23 20:18:32 UTC (rev 112242)
+++ trunk/extensions/RSS/RSS.php        2012-02-23 21:12:54 UTC (rev 112243)
@@ -4,7 +4,7 @@
  *
  * @file
  * @ingroup Extensions
- * @version 1.93
+ * @version 1.94
  * @author mutante, Daniel Kinzler, Rdb, Mafs, Thomas Gries, Alxndr, Chris 
Reigrut, K001
  * @author Kellan Elliott-McCrea <[email protected]> -- author of MagpieRSS
  * @author Jeroen De Dauw
@@ -14,6 +14,8 @@
  * @link http://www.mediawiki.org/wiki/Extension:RSS Documentation
  */
 
+define( "EXTENSION_RSS_VERSION", "1.94 20120223" );
+
 if ( !defined( 'MEDIAWIKI' ) ) {
        die( "This is not a valid entry point.\n" );
 }
@@ -26,7 +28,7 @@
                'Rdb', 'Mafs', 'Alxndr', 'Thomas Gries', 'Chris Reigrut',
                'K001', 'Jack Phoenix', 'Jeroen De Dauw', 'Mark A. Hershberger'
        ),
-       'version' => '1.93 20120218',
+       'version' => EXTENSION_RSS_VERSION,
        'url' => 'https://www.mediawiki.org/wiki/Extension:RSS',
        'descriptionmsg' => 'rss-desc',
 );
@@ -36,12 +38,13 @@
 $wgExtensionMessagesFiles['RSS'] = $dir . 'RSS.i18n.php';
 $wgAutoloadClasses['RSSHooks'] = $dir . 'RSSHooks.php';
 $wgAutoloadClasses['RSSParser'] = $dir . 'RSSParser.php';
+$wgAutoloadClasses['RSSUtils'] = $dir . 'RSSParser.php';
 $wgAutoloadClasses['RSSData'] = $dir . 'RSSData.php';
 
 $wgHooks['ParserFirstCallInit'][] = 'RSSHooks::parserInit';
 
- // one hour
- $wgRSSCacheAge = 3600;
+// one hour
+$wgRSSCacheAge = 3600;
 
 // Check cached content, if available, against remote.
 // $wgRSSCacheCompare should be set to false or a timeout
@@ -55,13 +58,26 @@
 // null (the default) means the <rss> tag can be used anywhere.
 $wgRSSNamespaces = null;
 
-// URL whitelist of RSS Feeds:
-// if there are items in the array, and the used URL isn't in the array,
-// it will not be allowed (originally proposed in bug 27768)
-$wgRSSAllowedFeeds = array();
+// Whitelist of allowed RSS Urls
+//
+// If there are items in the array, and the user supplied URL is not in the 
array,
+// the url will not be allowed
+//
+// Urls are case-sensitively tested against values in the array. 
+// They must exactly match including any trailing "/" character.
+//
+// Warning: Allowing all urls (not setting a whitelist)
+// may be a security concern.
+//
+// an empty or non-existent array means: no whitelist defined
+// this is the default: an empty whitelist. No servers are allowed by default.
+$wgRSSUrlWhitelist = array();
 
+// include "*" if you expressly want to allow all urls (you should not do this)
+// $wgRSSUrlWhitelist = array( "*" );
+
 // Agent to use for fetching feeds
-$wgRSSUserAgent = 'MediaWikiRSS/0.02 
(+http://www.mediawiki.org/wiki/Extension:RSS) / MediaWiki RSS extension';
+$wgRSSUserAgent = "MediaWikiRSS/" . strtok( EXTENSION_RSS_VERSION, " " ) . " 
(+http://www.mediawiki.org/wiki/Extension:RSS) / MediaWiki RSS extension";
 
 // Proxy server to use for fetching feeds
 $wgRSSProxy = false;
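Review bot: The warning `// Warning: Allowing all urls (not setting a whitelist)` still describes the old semantics and now contradicts the lines just below it, where an empty or unset `$wgRSSUrlWhitelist` denies every URL and only an explicit `"*"` entry allows all. Suggest rewording it to `// Warning: allowing all urls with "*" lets any editor make the wiki server fetch an arbitrary URL, which may be a security concern` so the warning sits next to the setting it actually applies to. The two statements "an empty or non-existent array means: no whitelist defined" and "this is the default: an empty whitelist" also read as if they disagree; one sentence saying that an empty array denies all feeds would be clearer. Building `$wgRSSUserAgent` from `strtok( EXTENSION_RSS_VERSION, " " )` is fine functionally, but note that the constant is only defined when this file is loaded before anything reads `$wgRSSUserAgent`.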

Modified: trunk/extensions/RSS/RSSHooks.php
===================================================================
--- trunk/extensions/RSS/RSSHooks.php   2012-02-23 20:18:32 UTC (rev 112242)
+++ trunk/extensions/RSS/RSSHooks.php   2012-02-23 21:12:54 UTC (rev 112243)
@@ -1,6 +1,7 @@
 <?php
 
 class RSSHooks {
+
        /**
         * Tell the parser how to handle <rss> elements
         * @param $parser Parser Object
@@ -20,7 +21,7 @@
         * @param $frame PPFrame parser context
         */
        static function renderRss( $input, $args, $parser, $frame ) {
-               global $wgRSSCacheAge, $wgRSSCacheCompare, $wgRSSNamespaces, 
$wgRSSAllowedFeeds;
+               global $wgRSSCacheAge, $wgRSSCacheCompare, $wgRSSNamespaces, 
$wgRSSUrlWhitelist;
 
                if ( is_array( $wgRSSNamespaces ) && count( $wgRSSNamespaces ) 
) {
                        $ns = $parser->getTitle()->getNamespace();
@@ -31,10 +32,32 @@
                        }
                }
 
-               if ( count( $wgRSSAllowedFeeds ) && !in_array( $input, 
$wgRSSAllowedFeeds ) ) {
-                       return wfMsg( 'rss-url-permission' );
+               switch ( true ) {
+       
+               # disallow because there is no whitelist or emtpy whitelist
+               case ( !isset( $wgRSSUrlWhitelist ) 
+                       || !is_array( $wgRSSUrlWhitelist )
+                       || ( count( $wgRSSUrlWhitelist ) === 0 ) ):
+                       return RSSUtils::RSSError( 'rss-empty-whitelist',
+                               $input
+                       );
+                       break;
+
+               # allow
+               case ( in_array( "*", $wgRSSUrlWhitelist ) ):
+               case ( in_array( $input, $wgRSSUrlWhitelist ) ):
+                       break;
+
+               # otherwise disallow
+               case ( !in_array( $input, $wgRSSUrlWhitelist ) ):
+               default:
+                       $listOfAllowed = 
$parser->getFunctionLang()->listToText( $wgRSSUrlWhitelist );
+                       $numberAllowed = $parser->getFunctionLang()->formatNum( 
count( $wgRSSUrlWhitelist ) );
+                       return RSSUtils::RSSError( 'rss-url-is-not-whitelisted',
+                               array( $input, $listOfAllowed, $numberAllowed )
+                       );
                }
-
+               
                if ( !Http::isValidURI( $input ) ) {
                        return wfMsg( 'rss-invalid-url', htmlspecialchars( 
$input ) );
                }
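Review bot: Both whitelist tests in the new `switch ( true )` use non-strict `in_array()`, so entries are matched with loose comparison rather than the exact, case-sensitive string match the RSS.php comment promises; pass the strict flag: `case ( in_array( "*", $wgRSSUrlWhitelist, true ) ):` and `case ( in_array( $input, $wgRSSUrlWhitelist, true ) ):`. The `break;` after the first `return` is unreachable, and the `case ( !in_array( $input, $wgRSSUrlWhitelist ) ):` label duplicates `default:` and can be dropped; an `if`/`elseif` chain would read more plainly than `switch ( true )` here. Note also that the `rss-url-is-not-whitelisted` branch renders the complete whitelist into the page for every reader, which exposes configuration; this may be intended, but it is worth a comment or a decision. renderRss begins before this hunk.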
@@ -61,4 +84,5 @@
 
                return $rss->renderFeed( $parser, $frame );
        }
+       
 }

Modified: trunk/extensions/RSS/RSSParser.php
===================================================================
--- trunk/extensions/RSS/RSSParser.php  2012-02-23 20:18:32 UTC (rev 112242)
+++ trunk/extensions/RSS/RSSParser.php  2012-02-23 21:12:54 UTC (rev 112243)
@@ -230,11 +230,33 @@
                        $headers['If-Modified-Since'] = $lm;
                }
 
-               $client = HttpRequest::factory( $this->url, array( 
-                       'timeout' => $wgRSSFetchTimeout,
-                       'proxy' => $wgRSSProxy
+               /**
+                * 'noProxy' can conditionally be set as shown in the commented
+                * example below; in HttpRequest 'noProxy' takes precedence over
+                * any value of 'proxy' and disables the use of a proxy.
+                *
+                * This is useful if you run the wiki in an intranet and need to
+                * access external feed urls through a proxy but internal feed
+                * urls must be accessed without a proxy. 
+                *
+                * The general handling of such cases will be subject of a
+                * forthcoming version.
+                */
 
-               ) );
+               $url = $this->url;
+               $noProxy = false;
+               
+               // Example for disabling proxy use for certain urls
+               // $noProxy = preg_match( '!\.internal\.example\.com$!i', 
parse_url( $url, PHP_URL_HOST ) );
+               
+               $client = HttpRequest::factory( $url,
+                       array( 
+                               'timeout' => $wgRSSFetchTimeout,
+                               'proxy'   => $wgRSSProxy,
+                               'noProxy' => $noProxy,
+                       ) 
+               );
+
                $client->setUserAgent( $wgRSSUserAgent );
                foreach ( $headers as $header => $value ) {
                        $client->setHeader( $header, $value );
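Review bot: `$noProxy = false;` is a hard-coded constant with only a commented-out example beside it, so the new `'noProxy'` option passed to `HttpRequest::factory()` is dead configuration in this version. Either omit the option until the setting exists, or read it from a configuration variable (e.g. a `$wgRSS...` setting, name to be chosen) and keep the example in the extension documentation rather than as commented-out code. If a pattern like the example is adopted later, keep it matching the host from `parse_url( $url, PHP_URL_HOST )` as shown, since `$url` is editor-supplied and the proxy bypass should not be decidable by the path or query part. The enclosing method starts and ends outside this hunk.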
@@ -524,3 +546,25 @@
                return sprintf( $styleStart, $bgcolor[$index], $color[$index] ) 
. $match[0] . $styleEnd;
        }
 }
+
+class RSSUtils {
+
+       /**
+       * Output an error message, all wraped up nicely.
+       * @param String $errorMessageName The system message that this error is
+       * @param String|Array $param Error parameter (or parameters)
+       * @return String Html that is the error.
+       */
+       public static function RSSError( $errorMessageName, $param ) {
+
+               // Anything from a parser tag should use Content lang for 
message,
+               // since the cache doesn't vary by user language: do not use 
wfMsgForContent but wfMsgForContent
+               // The ->parse() part makes everything safe from an escaping 
standpoint.
+
+               return Html::rawElement( 'span', array( 'class' => 'error' ),
+                       "Extension:RSS -- Error: " . wfMessage( 
$errorMessageName )->inContentLanguage()->params( $param )->parse()
+               );
+
+       }
+
+}
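Review bot: The comment `// since the cache doesn't vary by user language: do not use wfMsgForContent but wfMsgForContent` names the same function twice and does not describe the call that follows, which uses `wfMessage( ... )->inContentLanguage()`; replace it with `// the parser cache does not vary by user language, so use wfMessage()->inContentLanguage() rather than wfMsg()`. The docblock has a typo (`wraped`) and its `*` lines are not aligned with the opening `/**`. Passing `$param` straight to `->params( $param )` when it is an array relies on Message::params accepting a single array argument, which I believe it does, but a short note in the docblock would make that contract explicit.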

