authorSam Reed <reedy@users.mediawiki.org>2011-11-28 23:30:45 +0000
committerSam Reed <reedy@users.mediawiki.org>2011-11-28 23:30:45 +0000
commit6a5b1dec913d4566acd6b0e31fbde212deccf001 (patch)
treedce167330dcf875133c813bff2e5ee3a7c7e4577
parent6ddab073f9795c60c6060e876221005353a954d7 (diff)
* (bug 32276) Skins were generating output using the internal page title which would allow anonymous users to determine whether a page exists, potentially leaking private data. In fact, the curid and oldid request parameters would1.18.0
allow page titles to be enumerated even when they are not guessable. * (bug 32616) action=ajax requests were dispatched to the relevant internal functions without any read permission checks being done. This could lead to data leakage on private wikis
Notes
http://mediawiki.org/wiki/Special:Code/MediaWiki/104508
-rw-r--r--includes/AjaxDispatcher.php9
-rw-r--r--includes/SkinTemplate.php18
-rw-r--r--includes/Wiki.php13
3 files changed, 32 insertions, 8 deletions
diff --git a/includes/AjaxDispatcher.php b/includes/AjaxDispatcher.php
index 17b154d61f2f..5bc9f0674273 100644
--- a/includes/AjaxDispatcher.php
+++ b/includes/AjaxDispatcher.php
@@ -68,7 +68,7 @@ class AjaxDispatcher {
* request.
*/
function performAction() {
- global $wgAjaxExportList, $wgOut;
+ global $wgAjaxExportList, $wgOut, $wgUser;
if ( empty( $this->mode ) ) {
return;
@@ -84,6 +84,13 @@ class AjaxDispatcher {
'Bad Request',
"unknown function " . (string) $this->func_name
);
+ } elseif ( !in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )
+ && !$wgUser->isAllowed( 'read' ) )
+ {
+ wfHttpError(
+ 403,
+ 'Forbidden',
+ 'You must log in to view pages.' );
} else {
wfDebug( __METHOD__ . ' dispatching ' . $this->func_name . "\n" );
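Review bot: The read-permission `elseif` on the added lines only runs after the `unknown function` branch above it, so a client that is not allowed to read still receives the 400 with the requested function name echoed back and can tell registered Ajax functions from unregistered ones before being refused; moving the permission check ahead of that branch (the start of the chain is outside this hunk) would make the 403 the first answer such clients get. The first term, `!in_array( 'read', User::getGroupPermissions( array( '*' ) ), true )`, appears to be a shortcut for the anonymous case that `$wgUser->isAllowed( 'read' )` already covers when `*` may read, which deserves a comment such as `# Skip the user lookup when everyone may read.` and a test that an anonymous request on a wiki without `*` read gets 403. The closing `);` of the new `wfHttpError` call sits on the message line while the 400 call above puts it on its own line; matching that layout keeps the two calls readable side by side. `performAction` continues past the end of this hunk.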
diff --git a/includes/SkinTemplate.php b/includes/SkinTemplate.php
index 373daa9d9a09..f3716bc3446a 100644
--- a/includes/SkinTemplate.php
+++ b/includes/SkinTemplate.php
@@ -580,11 +580,19 @@ class SkinTemplate extends Skin {
/* set up the default links for the personal toolbar */
$personal_urls = array();
- $page = $wgRequest->getVal( 'returnto', $this->thispage );
- $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
- $a = array( 'returnto' => $page );
- if( $query != '' ) {
- $a['returntoquery'] = $query;
+ # Due to bug 32276, if a user does not have read permissions,
+ # $this->getTitle() will just give Special:Badtitle, which is
+ # not especially useful as a returnto parameter. Use the title
+ # from the request instead, if there was one.
+ $page = Title::newFromURL( $wgRequest->getVal( 'title', '' ) );
+ $page = $wgRequest->getVal( 'returnto', $page );
+ $a = array();
+ if ( strval( $page ) !== '' ) {
+ $a['returnto'] = $page;
+ $query = $wgRequest->getVal( 'returntoquery', $this->thisquery );
+ if( $query != '' ) {
+ $a['returntoquery'] = $query;
+ }
}
$returnto = wfArrayToCGI( $a );
if( $this->loggedin ) {
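Review bot: `$page` on the added lines holds different types in turn — a `Title` or `null` from `Title::newFromURL`, then either that value or a string from `getVal( 'returnto', $page )` — so the `strval( $page ) !== ''` test and the later `$a['returnto'] = $page` appear to rely on implicit `Title::__toString` conversion inside `wfArrayToCGI`; normalising to a string up front reads more plainly and keeps objects out of the CGI builder: `$title = Title::newFromURL( $wgRequest->getVal( 'title', '' ) );` / `$page = $wgRequest->getVal( 'returnto', $title ? $title->getPrefixedDBkey() : '' );` / `if ( $page !== '' ) {`. Which accessor is right depends on the form the old `$this->thispage` default carried (it looks like a prefixed DB key, but its assignment is outside this hunk), so that the returnto value stays byte-compatible with what login links produced before. The moved `if( $query != '' )` line still uses a loose comparison; `!== ''` would match the strict check introduced just above it. The enclosing method starts and ends outside this hunk.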
diff --git a/includes/Wiki.php b/includes/Wiki.php
index 173fcd94f572..d1c8c15b06e6 100644
--- a/includes/Wiki.php
+++ b/includes/Wiki.php
@@ -128,7 +128,7 @@ class MediaWiki {
* @return void
*/
private function performRequest() {
- global $wgServer, $wgUsePathInfo;
+ global $wgServer, $wgUsePathInfo, $wgTitle;
wfProfileIn( __METHOD__ );
@@ -145,7 +145,6 @@ class MediaWiki {
wfRunHooks( 'BeforeInitialize',
array( &$title, null, &$output, &$user, $request, $this ) );
-
// Invalid titles. Bug 21776: The interwikis must redirect even if the page name is empty.
if ( is_null( $title ) || ( $title->getDBkey() == '' && $title->getInterwiki() == '' ) ||
$title->isSpecial( 'Badtitle' ) )
@@ -157,6 +156,16 @@ class MediaWiki {
// the Read array in order for the user to see it. (We have to check here to
// catch special pages etc. We check again in Article::view())
} elseif ( !$title->userCanRead() ) {
+ // Bug 32276: allowing the skin to generate output with $wgTitle
+ // set to the input title would allow anonymous users to
+ // determine whether a page exists, potentially leaking private data. In fact, the
+ // curid and oldid request parameters would allow page titles to be enumerated even
+ // when they are not guessable. So we reset the title to Special:Badtitle before the
+ // permissions error is displayed.
+ $badtitle = SpecialPage::getTitleFor( 'Badtitle' );
+ $output->setTitle( $badtitle );
+ $wgTitle = $badtitle;
+
$output->loginToUse();
// Interwiki redirects
} elseif ( $title->getInterwiki() != '' ) {
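Review bot: The added lines reset `$output`'s title and `$wgTitle` to Special:Badtitle but leave the local `$title` untouched, so anything later in `performRequest` that reads `$title` after this `elseif` chain (the method continues outside the hunk) would still see the real, unreadable title; if `$output->loginToUse()` or the rest of the method derives output from `$title`, it should be reassigned too, e.g. `$title = $badtitle;` after the `$wgTitle` assignment, or the comment should say why the local is intentionally kept. A regression check worth adding alongside the fix is that an anonymous request for an existing and for a non-existing private page, including via `curid`/`oldid`, yields byte-identical responses, since that equivalence is exactly the property the new comment describes.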