Last modified: 2014-11-20 17:56:24 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. Logging in is not possible, and apart from the bug reports and their history, links may be broken. See T68776, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 66776 - API output containing <cross-domain-policy> is corrupted in non-XML formats
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API (Other open bugs)
Version: 1.24rc
Hardware: All
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
URL: https://www.mediawiki.org/w/api.php?a...
Depends on:
Blocks:
Reported: 2014-06-18 11:38 UTC by Kevin Israel (PleaseStand)
Modified: 2014-11-20 17:56 UTC (History)
CC: 6 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Patch to work around wfMangleFlashPolicy, if we're not going to just get rid of it (2.54 KB, patch)
2014-11-18 19:37 UTC, Brad Jorsch
Details

Description Kevin Israel (PleaseStand) 2014-06-18 11:38:46 UTC
The wfMangleFlashPolicy() function in OutputHandler.php corrupts API output containing "<cross-domain-policy>" by replacing the string with "<NOT-cross-domain-policy>".

https://www.mediawiki.org/w/api.php?action=query&format=json&titles=%3Ccross-domain-policy%3E

https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&diff=540155307&oldid=540154194

In 2007, wfMangleFlashPolicy() was added in r19996. About a year later, Adobe addressed the vulnerability in Flash Player, and six years have since passed.

According to Adobe's website, by default Flash Player 10 only allows crossdomain.xml at the root ("master-only" meta-policy). So it may be possible simply to remove the check, which already fails to work on many PHP configurations (e.g. output_buffering = 4096 from the sample php.ini files). There is also an "X-Permitted-Cross-Domain-Policies" header that can be sent.

https://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.edu.html

Alternatively, ApiFormatJson could be changed to hex-escape < and > (by removing the FormatJson::XMLMETA_OK flag), though that would do nothing to fix the other (deprecated?) non-XML output formats (e.g. PHP), action=raw, and so on.
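To make the corruption described above concrete, here is an added PHP example that is not code from MediaWiki or from this bug report. It uses a simplified stand-in for wfMangleFlashPolicy() (a literal string replacement, as the report describes; the real function's matching rules are not shown on this page) and contrasts plain json_encode() output with output that hex-escapes < and >, which is what dropping FormatJson::XMLMETA_OK amounts to. The ob_get_level() check mirrors the observation in comment 2 that the handler only runs when no output buffering is active. The payload shape is constructed for the example and is not a real API response.

```php
<?php
// Added example, not MediaWiki code. Demonstrates how a blanket output filter
// that rewrites "<cross-domain-policy>" corrupts JSON API output, and how
// hex-escaping '<' and '>' at serialisation time keeps the filter from matching.

// Simplified stand-in for wfMangleFlashPolicy(): a literal replacement, as the
// bug report describes. The real function's exact behaviour is an assumption here.
function mangleFlashPolicy( string $output ): string {
	return str_replace( '<cross-domain-policy>', '<NOT-cross-domain-policy>', $output );
}

// Mirrors the condition noted in comment 2: the handler is only installed when
// ob_get_level() is 0, so with output_buffering enabled in php.ini the mangling
// silently never happens. Useful when checking whether a given install is affected.
function mangleIfNoBuffering( string $output ): string {
	return ob_get_level() === 0 ? mangleFlashPolicy( $output ) : $output;
}

// Naive API JSON output: '<' and '>' are emitted literally.
function formatJsonNaive( array $data ): string {
	return json_encode( $data );
}

// Hardened output: hex-escape '<' and '>' (the equivalent of not passing
// FormatJson::XMLMETA_OK), so the troublesome string never appears literally
// in the wire form. JSON decoders treat \u003C and < identically.
function formatJsonHexTags( array $data ): string {
	return json_encode( $data, JSON_HEX_TAG );
}

// Runs both paths through the filter and reports whether the page title
// survives the round trip. Returns an array of booleans for each check.
function demo(): array {
	// Constructed payload; '<cross-domain-policy>' is a page title, as in the
	// api.php URL quoted in the bug report.
	$payload = [ 'query' => [ 'pages' => [ '-1' => [ 'title' => '<cross-domain-policy>' ] ] ] ];
	$original = $payload['query']['pages']['-1']['title'];

	// Naive path: the filter rewrites the title inside the JSON string.
	$naive = json_decode( mangleFlashPolicy( formatJsonNaive( $payload ) ), true );
	$naiveIntact = ( $naive['query']['pages']['-1']['title'] === $original );

	// Hardened path: the wire form contains "\u003Ccross-domain-policy\u003E",
	// the filter finds nothing to replace, and decoding restores the title.
	$safeWire = formatJsonHexTags( $payload );
	$filterCannotMatch = ( strpos( $safeWire, '<cross-domain-policy>' ) === false );
	$safe = json_decode( mangleFlashPolicy( $safeWire ), true );
	$safeIntact = ( $safe['query']['pages']['-1']['title'] === $original );

	return [
		'naive_title_intact' => $naiveIntact,
		'hex_escaped_wire_unmatched' => $filterCannotMatch,
		'hex_escaped_title_intact' => $safeIntact,
		'mangling_active_here' => ( ob_get_level() === 0 ),
	];
}

var_dump( demo() );
```

Running this from the CLI shows the naive path losing the title while the hex-escaped path keeps it; the last key reports whether, on this PHP configuration, the filter would have run at all. The example only covers the JSON formatter; as the report notes, other non-XML formats such as format=php and action=raw need their own handling because hex-escaping is a JSON-specific escape.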
Comment 1 Brad Jorsch 2014-06-18 15:06:26 UTC
If Chris is ok with killing wfMangleFlashPolicy(), IMO that'd be the best fix.

Otherwise I'd rather add a more targeted mangling in ApiFormatJson instead of just removing the FormatJson::XMLMETA_OK flag.
Comment 2 Chris Steipp 2014-06-18 20:38:11 UTC
I think I'd prefer to leave the option for mangling in, even if it's behind a feature flag. I'll try to test out a couple of scenarios to confirm exactly which versions of flash could be affected.

TIL: the mangling doesn't happen for anyone who has output buffering enabled on their webserver (since ob_get_level will not be 0 in WebStart.php). So I would guess a lot of non-WMF wikis aren't even using it.
Comment 3 Brad Jorsch 2014-11-18 19:37:34 UTC
Created attachment 17162 [details]
Patch to work around wfMangleFlashPolicy, if we're not going to just get rid of it
Comment 4 Gerrit Notification Bot 2014-11-18 21:45:15 UTC
Change 174289 had a related patch set uploaded by CSteipp:
Make calling wfMangleFlashPolicy configurable

https://gerrit.wikimedia.org/r/174289
Comment 5 Brad Jorsch 2014-11-19 16:49:19 UTC
(In reply to Gerrit Notification Bot from comment #4)
> Change 174289 had a related patch set uploaded by CSteipp:
> Make calling wfMangleFlashPolicy configurable
> 
> https://gerrit.wikimedia.org/r/174289

After this change, we'd want to adjust the includes/api/ApiFormatPhp.php bit in my patch to check the new global too (via $this->getConfig()). The ApiFormatJson part is fine to do unconditionally since the replacement there makes no functional difference.
Comment 6 Gerrit Notification Bot 2014-11-19 20:14:06 UTC
Change 174289 merged by jenkins-bot:
Make calling wfMangleFlashPolicy configurable

https://gerrit.wikimedia.org/r/174289
Comment 7 Gerrit Notification Bot 2014-11-19 20:17:42 UTC
Change 174496 had a related patch set uploaded by Anomie:
API: Work around wfMangleFlashPolicy()

https://gerrit.wikimedia.org/r/174496
Comment 8 Brad Jorsch 2014-11-19 20:20:02 UTC
Comment on attachment 17162 [details]
Patch to work around wfMangleFlashPolicy, if we're not going to just get rid of it

Because Chris was involved, for some reason I thought this was a security bug so I didn't put the patch in Gerrit. D'oh.
Comment 9 Gerrit Notification Bot 2014-11-20 17:13:47 UTC
Change 174496 merged by jenkins-bot:
API: Work around wfMangleFlashPolicy()

https://gerrit.wikimedia.org/r/174496


