Nikerabbit has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/400484 )
Change subject: Harden YAML parsing by disallowing serialization
......................................................................
Harden YAML parsing by disallowing serialization
Change-Id: I325e2b0ed68171d9c7c4d5c20ea3425764ae28a4
---
A tests/phpunit/TranslateYamlTest.php
M utils/TranslateYaml.php
2 files changed, 56 insertions(+), 2 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Translate
refs/changes/84/400484/1
diff --git a/tests/phpunit/TranslateYamlTest.php
b/tests/phpunit/TranslateYamlTest.php
new file mode 100644
index 0000000..d7ff512
--- /dev/null
+++ b/tests/phpunit/TranslateYamlTest.php
@@ -0,0 +1,48 @@
+<?php
+/**
+ * Tests for yaml wrapper.
+ *
+ * @author Niklas Laxström
+ * @license GPL-2.0+
+ */
+
+use PHPUnit\Framework\TestCase;
+
+class TranslateHooksTest extends TestCase {
+ protected function setUp() {
+ global $wgTranslateYamlLibrary;
+
+ parent::setUp();
+ $wgTranslateYamlLibrary = 'phpyaml';
+ }
+
+ /**
+ * TODO: test other drivers too.
+ * @requires function yaml_parse
+ * @dataProvider provideTestLoadString
+ */
+ public function testLoadStringPhpyaml( $input, $expected, $comment ) {
+ global $wgTranslateYamlLibrary;
+ $wgTranslateYamlLibrary = 'phpyaml';
+
+ $output = TranslateYaml::loadString( $input );
+ $this->assertEquals( $expected, $output, $comment );
+ }
+
+ public function provideTestLoadString() {
+ $tests = [];
+ $tests[] = [
+ 'a: b',
+ [ 'a' => 'b' ],
+ 'Simple key-value'
+ ];
+
+ $tests[] = [
+ 'a: !php/object
"O:8:\"stdClass\":1:{s:1:\"a\";s:1:\"b\";}"',
+ [ 'a' => null ],
+ 'PHP objects should not be unserialized'
+ ];
+
+ return $tests;
+ }
+}
diff --git a/utils/TranslateYaml.php b/utils/TranslateYaml.php
index 004df05..6b93431 100644
--- a/utils/TranslateYaml.php
+++ b/utils/TranslateYaml.php
@@ -24,14 +24,20 @@
switch ( $wgTranslateYamlLibrary ) {
case 'phpyaml':
- $ret = yaml_parse( $text );
+ // Harden: do not support unserializing objects.
+ // Method 1: PHP ini setting (not supported by
HHVM)
+ // Method 2: Callback handler for !php/object
+ $previousValue = ini_set( 'yaml.decode_php',
false );
+ $ignored = 0;
+ $callback = function () { return null; };
+ $ret = yaml_parse( $text, 0, $ignored, [
'!php/object' => $callback ] );
+ ini_set( 'yaml.decode_php', $previousValue );
if ( $ret === false ) {
// Convert failures to exceptions
throw new InvalidArgumentException(
'Invalid Yaml string' );
}
return $ret;
-
case 'spyc':
$yaml = spyc_load( $text );
--
To view, visit https://gerrit.wikimedia.org/r/400484
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I325e2b0ed68171d9c7c4d5c20ea3425764ae28a4
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Translate
Gerrit-Branch: master
Gerrit-Owner: Nikerabbit <niklas.laxst...@gmail.com>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
