Nikerabbit has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/400484 )
Change subject: Harden YAML parsing by disallowing serialization ...................................................................... Harden YAML parsing by disallowing serialization Change-Id: I325e2b0ed68171d9c7c4d5c20ea3425764ae28a4 --- A tests/phpunit/TranslateYamlTest.php M utils/TranslateYaml.php 2 files changed, 56 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Translate refs/changes/84/400484/1 diff --git a/tests/phpunit/TranslateYamlTest.php b/tests/phpunit/TranslateYamlTest.php new file mode 100644 index 0000000..d7ff512 --- /dev/null +++ b/tests/phpunit/TranslateYamlTest.php @@ -0,0 +1,48 @@ +<?php +/** + * Tests for yaml wrapper. + * + * @author Niklas Laxström + * @license GPL-2.0+ + */ + +use PHPUnit\Framework\TestCase; + +class TranslateHooksTest extends TestCase { + protected function setUp() { + global $wgTranslateYamlLibrary; + + parent::setUp(); + $wgTranslateYamlLibrary = 'phpyaml'; + } + + /** + * TODO: test other drivers too. + * @requires function yaml_parse + * @dataProvider provideTestLoadString + */ + public function testLoadStringPhpyaml( $input, $expected, $comment ) { + global $wgTranslateYamlLibrary; + $wgTranslateYamlLibrary = 'phpyaml'; + + $output = TranslateYaml::loadString( $input ); + $this->assertEquals( $expected, $output, $comment ); + } + + public function provideTestLoadString() { + $tests = []; + $tests[] = [ + 'a: b', + [ 'a' => 'b' ], + 'Simple key-value' + ]; + + $tests[] = [ + 'a: !php/object "O:8:\"stdClass\":1:{s:1:\"a\";s:1:\"b\";}"', + [ 'a' => null ], + 'PHP objects should not be unserialized' + ]; + + return $tests; + } +} diff --git a/utils/TranslateYaml.php b/utils/TranslateYaml.php index 004df05..6b93431 100644 --- a/utils/TranslateYaml.php +++ b/utils/TranslateYaml.php @@ -24,14 +24,20 @@ switch ( $wgTranslateYamlLibrary ) { case 'phpyaml': - $ret = yaml_parse( $text ); + // Harden: do not support unserializing objects. + // Method 1: PHP ini setting (not supported by HHVM) + // Method 2: Callback handler for !php/object + $previousValue = ini_set( 'yaml.decode_php', false ); + $ignored = 0; + $callback = function () { return null; }; + $ret = yaml_parse( $text, 0, $ignored, [ '!php/object' => $callback ] ); + ini_set( 'yaml.decode_php', $previousValue ); if ( $ret === false ) { // Convert failures to exceptions throw new InvalidArgumentException( 'Invalid Yaml string' ); } return $ret; - case 'spyc': $yaml = spyc_load( $text ); -- To view, visit https://gerrit.wikimedia.org/r/400484 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I325e2b0ed68171d9c7c4d5c20ea3425764ae28a4 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/Translate Gerrit-Branch: master Gerrit-Owner: Nikerabbit <niklas.laxst...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits