REL1_23 isn't a nice cherry pick...
diff --cc includes/OutputPage.php index b3e724a,1985ab4..0000000 --- a/includes/OutputPage.php +++ b/includes/OutputPage.php @@@ -1415,11 -1536,45 +1415,42 @@@ class OutputPage extends ContextSource * @return ParserOptions */ public function parserOptions( $options = null ) { ++<<<<<<< HEAD + if ( !$this->mParserOptions ) { ++======= + if ( $options !== null && !empty( $options->isBogus ) ) { + // Someone is trying to set a bogus pre-$wgUser PO. Check if it has + // been changed somehow, and keep it if so. + $anonPO = ParserOptions::newFromAnon(); + $anonPO->setEditSection( false ); + $anonPO->setAllowUnsafeRawHtml( false ); + if ( !$options->matches( $anonPO ) ) { + wfLogWarning( __METHOD__ . ': Setting a changed bogus ParserOptions: ' . wfGetAllCallers( 5 ) ); + $options->isBogus = false; + } + } + + if ( !$this->mParserOptions ) { + if ( !$this->getContext()->getUser()->isSafeToLoad() ) { + // $wgUser isn't unstubbable yet, so don't try to get a + // ParserOptions for it. And don't cache this ParserOptions + // either. + $po = ParserOptions::newFromAnon(); + $po->setEditSection( false ); + $po->setAllowUnsafeRawHtml( false ); + $po->isBogus = true; + if ( $options !== null ) { + $this->mParserOptions = empty( $options->isBogus ) ? $options : null; + } + return $po; + } + ++>>>>>>> 51b871e... SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true; $this->mParserOptions = ParserOptions::newFromContext( $this->getContext() ); $this->mParserOptions->setEditSection( false ); + $this->mParserOptions->setAllowUnsafeRawHtml( false ); } - - if ( $options !== null && !empty( $options->isBogus ) ) { - // They're trying to restore the bogus pre-$wgUser PO. Do the right - // thing. 
- return wfSetVar( $this->mParserOptions, null, true ); - } else { - return wfSetVar( $this->mParserOptions, $options ); - } + return wfSetVar( $this->mParserOptions, $options ); } /** diff --cc includes/cache/MessageCache.php index daaa915,3910bd3..0000000 --- a/includes/cache/MessageCache.php +++ b/includes/cache/MessageCache.php @@@ -144,9 -168,25 +144,26 @@@ class MessageCache * @return ParserOptions */ function getParserOptions() { - global $wgUser; - if ( !$this->mParserOptions ) { ++<<<<<<< HEAD ++======= + if ( !$wgUser->isSafeToLoad() ) { + // $wgUser isn't unstubbable yet, so don't try to get a + // ParserOptions for it. And don't cache this ParserOptions + // either. + $po = ParserOptions::newFromAnon(); + $po->setEditSection( false ); + $po->setAllowUnsafeRawHtml( false ); + return $po; + } + ++>>>>>>> 51b871e... SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true; $this->mParserOptions = new ParserOptions; $this->mParserOptions->setEditSection( false ); + // Messages may take parameters that could come + // from malicious sources. As a precaution, disable + // the <html> parser tag when parsing messages. + $this->mParserOptions->setAllowUnsafeRawHtml( false ); } return $this->mParserOptions; diff --cc includes/parser/CoreTagHooks.php index 71f3faa,438603a..0000000 --- a/includes/parser/CoreTagHooks.php +++ b/includes/parser/CoreTagHooks.php @@@ -74,16 -75,29 +74,33 @@@ class CoreTagHooks * * Uses undocumented extended tag hook return values, introduced in r61913. 
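Review bot: The unresolved conflict in parserOptions() should collapse to HEAD's `if ( !$this->mParserOptions ) {` guard plus the new `$this->mParserOptions->setAllowUnsafeRawHtml( false );` line, because the `isSafeToLoad()` / `isBogus` branches on the incoming side rely on a User method and a bogus-options protocol that the HEAD side of this hunk does not show for this branch. Whichever way it is resolved, the `setAllowUnsafeRawHtml( false )` call is the only part of this hunk that actually disables `<html>` for OutputPage-driven parses, so it must survive the resolution. Note also that an options object passed in through `wfSetVar( $this->mParserOptions, $options )` is stored as-is, so the flag is cleared only on the lazily created default instance; that looks intentional but deserves a line such as `// Caller-supplied options are stored unchanged; only the lazily built default disables raw HTML.`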
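Review bot: The incoming `isSafeToLoad()` branch in getParserOptions() reads `$wgUser`, while a `global $wgUser;` line is shown as removed at the top of this hunk, so taking the incoming block verbatim risks an undefined variable; the minimal resolution for this branch is HEAD's body plus `$this->mParserOptions->setAllowUnsafeRawHtml( false );` with its explanatory comment. A second caveat is worth writing down next to `return $this->mParserOptions;`: it hands out the shared cached instance, so any caller that calls `setAllowUnsafeRawHtml( true )` on it re-enables `<html>` for every later message parse. A comment like `// Shared cached instance: callers must not mutate the returned object.` makes that contract explicit.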
* - * @param string $content - * @param array $attributes - * @param Parser $parser + * @param $content string + * @param $attributes array + * @param $parser Parser * @throws MWException - * @return array + * @return array|string Output of tag hook */ - public static function html( $content, $attributes, $parser ) { + static function html( $content, $attributes, $parser ) { global $wgRawHtml; if ( $wgRawHtml ) { ++<<<<<<< HEAD + return array( $content, 'markerType' => 'nowiki' ); ++======= + if ( $parser->getOptions()->getAllowUnsafeRawHtml() ) { + return [ $content, 'markerType' => 'nowiki' ]; + } else { + // In a system message where raw html is + // not allowed (but it is allowed in other + // contexts). + return Html::rawElement( + 'span', + [ 'class' => 'error' ], + // Using ->text() not ->parse() as + // a paranoia measure against a loop. + wfMessage( 'rawhtml-notallowed' )->escaped() + ); + } ++>>>>>>> 51b871e... SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true; } else { throw new MWException( '<html> extension tag encountered unexpectedly' ); } diff --cc includes/parser/ParserOptions.php index edd4911,7946c89..0000000 --- a/includes/parser/ParserOptions.php +++ b/includes/parser/ParserOptions.php @@@ -208,46 -213,165 +208,135 @@@ class ParserOptions /** * Function to be called when an option is accessed. 
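Review bot: The comment on the fallback branch of html() says `// Using ->text() not ->parse() as a paranoia measure against a loop.` but the call beneath it is `wfMessage( 'rawhtml-notallowed' )->escaped()`; it should read `// Using ->escaped() rather than ->parse() so the message is never fed back through the parser (no loop, output stays inert).` The incoming side also uses short array syntax `[ $content, 'markerType' => 'nowiki' ]` and `[ 'class' => 'error' ]` where HEAD keeps `array( ... )`; when resolving, keep the `array()` form, presumably because of this branch's older PHP floor. Finally, the hunk introduces a use of the `rawhtml-notallowed` message but no i18n entry is visible in this diff, so confirm the message exists in this branch or the error span will render only the missing-message placeholder.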
*/ ++<<<<<<< HEAD + protected $onAccessCallback = null; + + function getInterwikiMagic() { return $this->mInterwikiMagic; } + function getAllowExternalImages() { return $this->mAllowExternalImages; } + function getAllowExternalImagesFrom() { return $this->mAllowExternalImagesFrom; } + function getEnableImageWhitelist() { return $this->mEnableImageWhitelist; } + function getEditSection() { return $this->mEditSection; } + function getNumberHeadings() { $this->optionUsed( 'numberheadings' ); + return $this->mNumberHeadings; } + function getAllowSpecialInclusion() { return $this->mAllowSpecialInclusion; } + function getTidy() { return $this->mTidy; } + function getInterfaceMessage() { return $this->mInterfaceMessage; } + function getTargetLanguage() { return $this->mTargetLanguage; } + function getMaxIncludeSize() { return $this->mMaxIncludeSize; } + function getMaxPPNodeCount() { return $this->mMaxPPNodeCount; } + function getMaxGeneratedPPNodeCount() { return $this->mMaxGeneratedPPNodeCount; } + function getMaxPPExpandDepth() { return $this->mMaxPPExpandDepth; } + function getMaxTemplateDepth() { return $this->mMaxTemplateDepth; } ++======= + private $onAccessCallback = null; + + /** + * If the page being parsed is a redirect, this should hold the redirect + * target. + * @var Title|null + */ + private $redirectTarget = null; + + /** + * If the wiki is configured to allow raw html ($wgRawHtml = true) + * is it allowed in the specific case of parsing this page. + * + * This is meant to disable unsafe parser tags in cases where + * a malicious user may control the input to the parser. + * + * @note This is expected to be true for normal pages even if the + * wiki has $wgRawHtml disabled in general. The setting only + * signifies that raw html would be unsafe in the current context + * provided that raw html is allowed at all. 
+ * @var boolean + */ + private $allowUnsafeRawHtml = true; + + public function getInterwikiMagic() { + return $this->mInterwikiMagic; + } + + public function getAllowExternalImages() { + return $this->mAllowExternalImages; + } + + public function getAllowExternalImagesFrom() { + return $this->mAllowExternalImagesFrom; + } + + public function getEnableImageWhitelist() { + return $this->mEnableImageWhitelist; + } + + public function getEditSection() { + return $this->mEditSection; + } + + public function getNumberHeadings() { + $this->optionUsed( 'numberheadings' ); + + return $this->mNumberHeadings; + } + + public function getAllowSpecialInclusion() { + return $this->mAllowSpecialInclusion; + } + + public function getTidy() { + return $this->mTidy; + } + + public function getInterfaceMessage() { + return $this->mInterfaceMessage; + } + + public function getTargetLanguage() { + return $this->mTargetLanguage; + } + + public function getMaxIncludeSize() { + return $this->mMaxIncludeSize; + } + + public function getMaxPPNodeCount() { + return $this->mMaxPPNodeCount; + } + + public function getMaxGeneratedPPNodeCount() { + return $this->mMaxGeneratedPPNodeCount; + } + + public function getMaxPPExpandDepth() { + return $this->mMaxPPExpandDepth; + } + + public function getMaxTemplateDepth() { + return $this->mMaxTemplateDepth; + } + ++>>>>>>> 51b871e... 
SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true; /* @since 1.20 */ - public function getExpensiveParserFunctionLimit() { - return $this->mExpensiveParserFunctionLimit; - } - - public function getRemoveComments() { - return $this->mRemoveComments; - } - - /* @since 1.24 */ - public function getCurrentRevisionCallback() { - return $this->mCurrentRevisionCallback; - } - - public function getTemplateCallback() { - return $this->mTemplateCallback; - } - - public function getEnableLimitReport() { - return $this->mEnableLimitReport; - } - - public function getCleanSignatures() { - return $this->mCleanSignatures; - } - - public function getExternalLinkTarget() { - return $this->mExternalLinkTarget; - } - - public function getDisableContentConversion() { - return $this->mDisableContentConversion; - } - - public function getDisableTitleConversion() { - return $this->mDisableTitleConversion; - } - - public function getThumbSize() { - $this->optionUsed( 'thumbsize' ); - - return $this->mThumbSize; - } - - public function getStubThreshold() { - $this->optionUsed( 'stubthreshold' ); - - return $this->mStubThreshold; - } - - public function getIsPreview() { - return $this->mIsPreview; - } - - public function getIsSectionPreview() { - return $this->mIsSectionPreview; - } - - public function getIsPrintable() { - $this->optionUsed( 'printable' ); - - return $this->mIsPrintable; - } - - public function getUser() { - return $this->mUser; - } - - public function getPreSaveTransform() { - return $this->mPreSaveTransform; - } - - public function getDateFormat() { + function getExpensiveParserFunctionLimit() { return $this->mExpensiveParserFunctionLimit; } + function getRemoveComments() { return $this->mRemoveComments; } + function getTemplateCallback() { return $this->mTemplateCallback; } + function getEnableLimitReport() { return $this->mEnableLimitReport; } + function getCleanSignatures() { return $this->mCleanSignatures; } + function getExternalLinkTarget() { 
return $this->mExternalLinkTarget; } + function getDisableContentConversion() { return $this->mDisableContentConversion; } + function getDisableTitleConversion() { return $this->mDisableTitleConversion; } + function getThumbSize() { $this->optionUsed( 'thumbsize' ); + return $this->mThumbSize; } + function getStubThreshold() { $this->optionUsed( 'stubthreshold' ); + return $this->mStubThreshold; } + + function getIsPreview() { return $this->mIsPreview; } + function getIsSectionPreview() { return $this->mIsSectionPreview; } + function getIsPrintable() { $this->optionUsed( 'printable' ); + return $this->mIsPrintable; } + function getUser() { return $this->mUser; } + function getPreSaveTransform() { return $this->mPreSaveTransform; } + + function getDateFormat() { $this->optionUsed( 'dateformat' ); if ( !isset( $this->mDateFormat ) ) { $this->mDateFormat = $this->mUser->getDatePreference(); @@@ -293,47 -424,180 +382,177 @@@ return $this->getUserLangObj()->getCode(); } ++<<<<<<< HEAD + function setInterwikiMagic( $x ) { return wfSetVar( $this->mInterwikiMagic, $x ); } + function setAllowExternalImages( $x ) { return wfSetVar( $this->mAllowExternalImages, $x ); } + function setAllowExternalImagesFrom( $x ) { return wfSetVar( $this->mAllowExternalImagesFrom, $x ); } + function setEnableImageWhitelist( $x ) { return wfSetVar( $this->mEnableImageWhitelist, $x ); } + function setDateFormat( $x ) { return wfSetVar( $this->mDateFormat, $x ); } + function setEditSection( $x ) { return wfSetVar( $this->mEditSection, $x ); } + function setNumberHeadings( $x ) { return wfSetVar( $this->mNumberHeadings, $x ); } + function setAllowSpecialInclusion( $x ) { return wfSetVar( $this->mAllowSpecialInclusion, $x ); } + function setTidy( $x ) { return wfSetVar( $this->mTidy, $x ); } + + /** @deprecated in 1.19 */ + function setSkin( $x ) { wfDeprecated( __METHOD__, '1.19' ); } + function setInterfaceMessage( $x ) { return wfSetVar( $this->mInterfaceMessage, $x ); } + function 
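Review bot: The `private $allowUnsafeRawHtml = true;` property and its docblock are the only security-relevant addition in this hunk; the rest of the conflict is the incoming side's reformatting of HEAD's one-line getters plus the unrelated `$redirectTarget` property (`@since 1.24`), which does not belong in a REL1_23 security backport and should be dropped when resolving. Because the default is `true`, every parse of attacker-influenced text depends on the caller opting out, and the docblock should say so: `* Defaults to true; code parsing untrusted input (e.g. system messages with parameters) must call setAllowUnsafeRawHtml( false ).` Whether this flag needs to take part in the options hash or in matches() used by the parser cache is not visible here; it should be confirmed so that output cached from a raw-HTML-enabled parse is not served in a restricted context.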
setTargetLanguage( $x ) { return wfSetVar( $this->mTargetLanguage, $x, true ); } + function setMaxIncludeSize( $x ) { return wfSetVar( $this->mMaxIncludeSize, $x ); } + function setMaxPPNodeCount( $x ) { return wfSetVar( $this->mMaxPPNodeCount, $x ); } + function setMaxGeneratedPPNodeCount( $x ) { return wfSetVar( $this->mMaxGeneratedPPNodeCount, $x ); } + function setMaxTemplateDepth( $x ) { return wfSetVar( $this->mMaxTemplateDepth, $x ); } ++======= + /** + * @since 1.29 + * @return bool + */ + public function getAllowUnsafeRawHtml() { + return $this->allowUnsafeRawHtml; + } + + public function setInterwikiMagic( $x ) { + return wfSetVar( $this->mInterwikiMagic, $x ); + } + + public function setAllowExternalImages( $x ) { + return wfSetVar( $this->mAllowExternalImages, $x ); + } + + public function setAllowExternalImagesFrom( $x ) { + return wfSetVar( $this->mAllowExternalImagesFrom, $x ); + } + + public function setEnableImageWhitelist( $x ) { + return wfSetVar( $this->mEnableImageWhitelist, $x ); + } + + public function setDateFormat( $x ) { + return wfSetVar( $this->mDateFormat, $x ); + } + + public function setEditSection( $x ) { + return wfSetVar( $this->mEditSection, $x ); + } + + public function setNumberHeadings( $x ) { + return wfSetVar( $this->mNumberHeadings, $x ); + } + + public function setAllowSpecialInclusion( $x ) { + return wfSetVar( $this->mAllowSpecialInclusion, $x ); + } + + public function setTidy( $x ) { + return wfSetVar( $this->mTidy, $x ); + } + + public function setInterfaceMessage( $x ) { + return wfSetVar( $this->mInterfaceMessage, $x ); + } + + public function setTargetLanguage( $x ) { + return wfSetVar( $this->mTargetLanguage, $x, true ); + } + + public function setMaxIncludeSize( $x ) { + return wfSetVar( $this->mMaxIncludeSize, $x ); + } + + public function setMaxPPNodeCount( $x ) { + return wfSetVar( $this->mMaxPPNodeCount, $x ); + } + + public function setMaxGeneratedPPNodeCount( $x ) { + return wfSetVar( 
$this->mMaxGeneratedPPNodeCount, $x ); + } + + public function setMaxTemplateDepth( $x ) { + return wfSetVar( $this->mMaxTemplateDepth, $x ); + } + ++>>>>>>> 51b871e... SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true; /* @since 1.20 */ - public function setExpensiveParserFunctionLimit( $x ) { - return wfSetVar( $this->mExpensiveParserFunctionLimit, $x ); - } - - public function setRemoveComments( $x ) { - return wfSetVar( $this->mRemoveComments, $x ); - } - - /* @since 1.24 */ - public function setCurrentRevisionCallback( $x ) { - return wfSetVar( $this->mCurrentRevisionCallback, $x ); - } - - public function setTemplateCallback( $x ) { - return wfSetVar( $this->mTemplateCallback, $x ); - } - - public function enableLimitReport( $x = true ) { - return wfSetVar( $this->mEnableLimitReport, $x ); - } - - public function setTimestamp( $x ) { - return wfSetVar( $this->mTimestamp, $x ); - } - - public function setCleanSignatures( $x ) { - return wfSetVar( $this->mCleanSignatures, $x ); - } - - public function setExternalLinkTarget( $x ) { - return wfSetVar( $this->mExternalLinkTarget, $x ); - } - - public function disableContentConversion( $x = true ) { - return wfSetVar( $this->mDisableContentConversion, $x ); - } - - public function disableTitleConversion( $x = true ) { - return wfSetVar( $this->mDisableTitleConversion, $x ); - } - - public function setUserLang( $x ) { + function setExpensiveParserFunctionLimit( $x ) { return wfSetVar( $this->mExpensiveParserFunctionLimit, $x ); } + function setRemoveComments( $x ) { return wfSetVar( $this->mRemoveComments, $x ); } + function setTemplateCallback( $x ) { return wfSetVar( $this->mTemplateCallback, $x ); } + function enableLimitReport( $x = true ) { return wfSetVar( $this->mEnableLimitReport, $x ); } + function setTimestamp( $x ) { return wfSetVar( $this->mTimestamp, $x ); } + function setCleanSignatures( $x ) { return wfSetVar( $this->mCleanSignatures, $x ); } + function setExternalLinkTarget( 
$x ) { return wfSetVar( $this->mExternalLinkTarget, $x ); } + function disableContentConversion( $x = true ) { return wfSetVar( $this->mDisableContentConversion, $x ); } + function disableTitleConversion( $x = true ) { return wfSetVar( $this->mDisableTitleConversion, $x ); } + function setUserLang( $x ) { if ( is_string( $x ) ) { $x = Language::factory( $x ); } - return wfSetVar( $this->mUserLang, $x ); } + function setThumbSize( $x ) { return wfSetVar( $this->mThumbSize, $x ); } + function setStubThreshold( $x ) { return wfSetVar( $this->mStubThreshold, $x ); } + function setPreSaveTransform( $x ) { return wfSetVar( $this->mPreSaveTransform, $x ); } ++<<<<<<< HEAD + function setIsPreview( $x ) { return wfSetVar( $this->mIsPreview, $x ); } + function setIsSectionPreview( $x ) { return wfSetVar( $this->mIsSectionPreview, $x ); } + function setIsPrintable( $x ) { return wfSetVar( $this->mIsPrintable, $x ); } ++======= + public function setThumbSize( $x ) { + return wfSetVar( $this->mThumbSize, $x ); + } + + public function setStubThreshold( $x ) { + return wfSetVar( $this->mStubThreshold, $x ); + } + + public function setPreSaveTransform( $x ) { + return wfSetVar( $this->mPreSaveTransform, $x ); + } + + public function setIsPreview( $x ) { + return wfSetVar( $this->mIsPreview, $x ); + } + + public function setIsSectionPreview( $x ) { + return wfSetVar( $this->mIsSectionPreview, $x ); + } + + public function setIsPrintable( $x ) { + return wfSetVar( $this->mIsPrintable, $x ); + } + + /** + * @param bool|null Value to set or null to get current value + * @return bool Current value for allowUnsafeRawHtml + * @since 1.29 + */ + public function setAllowUnsafeRawHtml( $x ) { + return wfSetVar( $this->allowUnsafeRawHtml, $x ); + } + + /** + * Set the redirect target. + * + * Note that setting or changing this does not *make* the page a redirect + * or change its target, it merely records the information for reference + * during the parse. 
+ * + * @since 1.24 + * @param Title|null $title + */ + function setRedirectTarget( $title ) { + $this->redirectTarget = $title; + } + + /** + * Get the previously-set redirect target. + * + * @since 1.24 + * @return Title|null + */ + function getRedirectTarget() { + return $this->redirectTarget; + } ++>>>>>>> 51b871e... SECURITY: Disable <html> tag on system messages despite $wgRawHtml = true; /** * Extra key that should be present in the parser cache key.
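Review bot: The `setAllowUnsafeRawHtml()` docblock omits the parameter name; `@param bool|null Value to set or null to get current value` should be `@param bool|null $x Value to set or null to get current value`, and since `$x` appears to go through `wfSetVar` uncoerced, a `(bool)` cast is cheap if a strict boolean is wanted. The conflict also drags in `setRedirectTarget()` / `getRedirectTarget()` (`@since 1.24`), which are unrelated to the `<html>` fix and should not be part of the REL1_23 resolution; only `getAllowUnsafeRawHtml()` and `setAllowUnsafeRawHtml()` need to come across, next to HEAD's one-line setters.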