Skip to content
Permalink
Browse files Browse the repository at this point in the history
SECURITY: Fix XSS issues GlobalNewFilesPager
Fix XSS issues in GlobalNewFilesPager by using MediaWiki's LinkRenderer
and Html utilities instead of constructing (unescaped) HTML messages
directly.

For more details, see https://phabricator.miraheze.org/T7935.
  • Loading branch information
supertassu committed Sep 1, 2021
1 parent 1473d96 commit cee254e
Show file tree
Hide file tree
Showing 4 changed files with 44 additions and 14 deletions.
7 changes: 6 additions & 1 deletion extension.json
Expand Up @@ -41,7 +41,12 @@
"GlobalNewFilesMoveJob": "GlobalNewFilesMoveJob"
},
"SpecialPages": {
"GlobalNewFiles": "SpecialGlobalNewFiles"
"GlobalNewFiles": {
"class": "SpecialGlobalNewFiles",
"services": [
"LinkRenderer"
]
}
},
"Hooks": {
"CreateWikiTables": [
Expand Down
2 changes: 1 addition & 1 deletion includes/GlobalNewFilesHooks.php
Expand Up @@ -42,7 +42,7 @@ public static function onLoadExtensionSchemaUpdates( DatabaseUpdater $updater )
$updater->modifyExtensionField(
'gnf_files',
'files_timestamp',
__DIR__ . '/../sql/patches/patch-gnf_files-binary.sql'
__DIR__ . '/../sql/patches/patch-gnf_files-binary.sql'
);

$updater->modifyTable(
Expand Down
38 changes: 29 additions & 9 deletions includes/GlobalNewFilesPager.php
@@ -1,18 +1,24 @@
<?php

use MediaWiki\Linker\LinkRenderer;
use MediaWiki\MediaWikiServices;

class GlobalNewFilesPager extends TablePager {
function __construct() {
/** @var LinkRenderer */
private $linkRenderer;

function __construct( RequestContext $context, LinkRenderer $linkRenderer ) {
parent::__construct( $context );

$this->linkRenderer = $linkRenderer;

$this->mDb = GlobalNewFilesHooks::getGlobalDB( DB_REPLICA, 'gnf_files' );

if ( $this->getRequest()->getText( 'sort', 'files_date' ) == 'files_date' ) {
if ( $context->getRequest()->getText( 'sort', 'files_date' ) == 'files_date' ) {
$this->mDefaultDirection = IndexPager::DIR_DESCENDING;
} else {
$this->mDefaultDirection = IndexPager::DIR_ASCENDING;
}

parent::__construct( $this->getContext() );
}

function getFieldNames() {
Expand All @@ -36,8 +42,6 @@ function getFieldNames() {
function formatValue( $name, $value ) {
$row = $this->mCurrentRow;

$wiki = $row->files_dbname;

switch ( $name ) {
case 'files_timestamp':
$formatted = htmlspecialchars( $this->getLanguage()->userTimeAndDate( $row->files_timestamp, $this->getUser() ) );
Expand All @@ -46,13 +50,29 @@ function formatValue( $name, $value ) {
$formatted = $row->files_dbname;
break;
case 'files_url':
$formatted = "<img src=\"{$row->files_url}\" style=\"width:135px;height:135px;\">";
$formatted = Html::element(
'img',
[
'src' => $row->files_url,
'style' => 'width: 135px; height: 135px;'
]
);
break;
case 'files_name':
$formatted = "<a href=\"{$row->files_page}\">{$row->files_name}</a>";
$formatted = Html::element(
'a',
[
'href' => $row->files_page,
],
$row->files_name
);

break;
case 'files_user':
$formatted = "<a href=\"/wiki/Special:CentralAuth/{$row->files_user}\">{$row->files_user}</a>";
$formatted = $this->linkRenderer->makeLink(
SpecialPage::getTitleFor( 'CentralAuth', $row->files_user ),
$row->files_user
);
break;
default:
$formatted = "Unable to format $name";
Expand Down
11 changes: 8 additions & 3 deletions includes/SpecialGlobalNewFiles.php
@@ -1,17 +1,22 @@
<?php

use MediaWiki\Linker\LinkRenderer;

class SpecialGlobalNewFiles extends SpecialPage {
/** @var LinkRenderer */
private $linkRenderer;

function __construct() {
function __construct( LinkRenderer $linkRenderer ) {
parent::__construct( 'GlobalNewFiles' );
$this->linkRenderer = $linkRenderer;
}

function execute( $par ) {
$this->setHeaders();
$this->outputHeader();

$pager = new GlobalNewFilesPager();
$pager = new GlobalNewFilesPager( $this->getContext(), $this->linkRenderer );

$this->getOutput()->addParserOutputContent( $pager->getFullOutput() );
}

Expand Down

0 comments on commit cee254e

Please sign in to comment.