https://bugzilla.wikimedia.org/show_bug.cgi?id=66776
Bug ID: 66776
Summary: API output containing <cross-domain-policy> is corrupted in non-XML formats
Product: MediaWiki
Version: 1.24-git
Hardware: All
URL: https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: API
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected],
[email protected]
Web browser: ---
Mobile Platform: ---

The wfMangleFlashPolicy() function in OutputHandler.php corrupts API output
containing "<cross-domain-policy>" by replacing the string with
"<NOT-cross-domain-policy>".

https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E
https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&diff=540155307&oldid=540154194

In 2007, wfMangleFlashPolicy() was added in r19996. About a year later, Adobe
addressed the vulnerability in Flash Player, and six years have since passed.
According to Adobe's website, by default Flash Player 10 only allows
crossdomain.xml at the root ("master-only" meta-policy). So it may be possible
simply to remove the check, which already fails to work on many PHP
configurations (e.g. output_buffering = 4096 from the sample php.ini files).
There is also an "X-Permitted-Cross-Domain-Policies" header that can be sent.

https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.edu.html

Alternatively, ApiFormatJson could be changed to hex-escape < and > (by
removing the FormatJson::XMLMETA_OK flag), though that would do nothing to fix
the other (deprecated?) non-XML output formats (e.g. PHP), action=raw, and so
on.
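
The corruption and the hex-escaping alternative described in the report, as an added example that is not MediaWiki's code: mangleFlashPolicy() is a hypothetical stand-in for the replacement the report attributes to wfMangleFlashPolicy(), PHP's JSON_HEX_TAG is assumed here to model the effect of dropping FormatJson::XMLMETA_OK, and the API result is constructed sample data.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the output filter described in the report:
// every literal policy tag in the response body is rewritten.
function mangleFlashPolicy(string $output): string
{
    return str_ireplace('<cross-domain-policy>', '<NOT-cross-domain-policy>', $output);
}

// Encode a result, pass it through the filter, decode it again, and report
// whether the consumer still receives the data the API meant to send.
function roundTrip(array $result, int $jsonFlags): array
{
    $encoded = json_encode($result, $jsonFlags | JSON_THROW_ON_ERROR);
    $body    = mangleFlashPolicy($encoded);
    $decoded = json_decode($body, true, 512, JSON_THROW_ON_ERROR);

    return [
        'body'           => $body,
        // Is the literal tag present in the bytes before filtering?
        'tag_in_encoded' => stripos($encoded, '<cross-domain-policy>') !== false,
        'filter_changed' => $body !== $encoded,
        'data_intact'    => $decoded === $result,
    ];
}

// Constructed sample: a query result whose page title is the policy tag.
$result = ['query' => ['pages' => [
    ['title' => '<cross-domain-policy>', 'missing' => true],
]]];

$cases = [
    'raw < and >'              => 0,            // tag appears literally
    'hex-escaped JSON_HEX_TAG' => JSON_HEX_TAG, // < > become \u003C \u003E
];

foreach ($cases as $label => $flags) {
    $r = roundTrip($result, $flags);
    printf(
        "%s\n  body: %s\n  tag in encoded bytes: %s, filter changed body: %s, data intact: %s\n",
        $label,
        $r['body'],
        var_export($r['tag_in_encoded'], true),
        var_export($r['filter_changed'], true),
        var_export($r['data_intact'], true)
    );
}
```

With raw output the filter rewrites the title, so the decoded data no longer matches what was encoded; with hex-escaping the literal tag is absent from the bytes, the filter has nothing to match, and the data round-trips unchanged.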