Last modified: 2014-09-08 15:04:17 UTC
To reproduce, navigate to the following URL: data:text/html,<iframe src="https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&oldid=610241510" width="800" height="600"></iframe> Rollback links are visible inside the iframe.
Thanks Kevin, that's definitely an issue. I'm not sure what our options are for checking the properties of transcluded pages, but that seems like something we should do. Adding Brad and Tim, in case they've thought through this already.
Created attachment 15487 [details] Copy prevent-clickjacking between OutputPage and ParserOutput
I haven't thought this through yet. But it looks like we already have functions copying metadata back and forth between ParserOutput and OutputPage, so fixing it could easily go like this:
1. Have a 'mPreventClickjacking' flag in ParserOutput.
2. Have ParserOutput::addOutputPageMetadata() combine its flag with the one from the passed OutputPage.
3. Have OutputPage::addParserOutputNoText() do the same thing from the passed ParserOutput.
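As an added illustration of the three-step fix sketched above (this is a simplified Python model written for this page, not MediaWiki's PHP code; the class and method names are stand-ins for ParserOutput and OutputPage, and the DENY header value is assumed to be the default frame-options setting):

```python
"""Model of the bug 65778 fix: the clickjacking-prevention flag must survive
the round trip between OutputPage and a (cacheable) ParserOutput, otherwise a
transcluded special page with rollback links renders in an iframe unprotected.
Constructed example, not MediaWiki code."""


class ParserOutput:
    def __init__(self):
        self.prevent_clickjacking = False  # the 'mPreventClickjacking' flag

    def add_output_page_metadata(self, out):
        # Step 2: OR in the flag from the OutputPage used while rendering a
        # transcluded special page. OR, never plain assignment, so that one
        # protected fragment is enough to protect the whole page.
        self.prevent_clickjacking = self.prevent_clickjacking or out.prevent_clickjacking


class OutputPage:
    def __init__(self):
        self.prevent_clickjacking = False

    def add_parser_output_no_text(self, pout):
        # Step 3: same merge in the other direction, when the (possibly
        # cached) ParserOutput is attached to the page being served.
        self.prevent_clickjacking = self.prevent_clickjacking or pout.prevent_clickjacking

    def frame_options_header(self):
        # Assumed default: X-Frame-Options: DENY once the flag is set.
        return "DENY" if self.prevent_clickjacking else None


def render_page(fragments_request_protection, propagate_flag=True):
    """Serve a wiki page built from transcluded fragments.

    fragments_request_protection: one bool per transclusion (True when that
    fragment, e.g. a special page showing rollback links, asked for protection).
    propagate_flag=False models the pre-fix behaviour, where the flag set during
    transclusion never reached the ParserOutput and was silently dropped.
    Returns the X-Frame-Options value the page would be served with."""
    pout = ParserOutput()
    for wants_protection in fragments_request_protection:
        fragment_out = OutputPage()
        fragment_out.prevent_clickjacking = wants_protection
        if propagate_flag:
            pout.add_output_page_metadata(fragment_out)
    page = OutputPage()
    page.add_parser_output_no_text(pout)
    return page.frame_options_header()
```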
Created attachment 15894 [details] Copy prevent-clickjacking between OutputPage and ParserOutput I updated Brad's patch to take out the indentation change-- I'd like to make sure the security part is as small a change as possible. I'll submit an indentation change for all those once this is public.
Deployed, and PleaseStand's PoC no longer works. Sorry for the delay in getting this out!
19:45 csteipp: deployed patch for bug65778
Created attachment 16082 [details] Backport for REL1_23
This backport was tested with data:text/html,<iframe src="http://localhost/REL1_23/core/index.php?title=Benutzer:WikiSysop" width="800" height="600"></iframe> Before the patch, the included special page was displayed. After the patch, the content of the iframe is blank (no errors). This is the same behavior as in master.
Created attachment 16083 [details] Backport to REL1_22
This backport was tested with data:text/html,<iframe src="http://localhost/REL1_22/core/index.php?title=Benutzer:WikiSysop" width="800" height="600"></iframe> Before the patch, the included special page was displayed. After the patch, the content of the iframe is blank (no errors). This is the same behavior as in master. Can someone please confirm the backport works as designed?
Created attachment 16084 [details] Backport to REL1_19
This backport was tested with data:text/html,<iframe src="http://localhost/REL1_19/core/index.php?title=Benutzer:WikiSysop" width="800" height="600"></iframe> Before the patch, the included special page was displayed. After the patch, the content of the iframe is blank (no errors). This is the same behavior as in master. Can someone please confirm the backport works as designed?
Adding early access for Wikia and Debian
Backports all seem to work fine. +2.
This was assigned CVE-2014-5243.
So is there something left to do here, or is everything merged (RESOLVED FIXED)?
Looks like everything is merged to me. If I'm wrong, feel free to reopen.