From 4624b8a0d0629973dc3e2c8a6cb88d3e41f10293 Mon Sep 17 00:00:00 2001 From: csteipp Date: Fri, 16 Aug 2013 16:20:26 -0700 Subject: [PATCH] SECURITY: Prevent FPD on exceptions in load.php Sanitize error messages in ResourceLoader if $wgShowExceptionDetails is false. Bug: 46332 Change-Id: Ia14ae21972192d291cb86dce65568e9e8b4674f7 --- includes/resourceloader/ResourceLoader.php | 29 +++++++++++++++++----- 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/includes/resourceloader/ResourceLoader.php b/includes/resourceloader/ResourceLoader.php index ebcdab33c1..ff3ea35b49 100644 --- a/includes/resourceloader/ResourceLoader.php +++ b/includes/resourceloader/ResourceLoader.php @@ -180,7 +180,7 @@ class ResourceLoader { wfDebugLog( 'resourceloader', __METHOD__ . ": minification failed: $exception" ); $this->hasErrors = true; // Return exception as a comment - $result = self::makeComment( $exception->__toString() ); + $result = self::formatException( $exception ); } wfProfileOut( __METHOD__ ); @@ -477,7 +477,7 @@ class ResourceLoader { wfDebugLog( 'resourceloader', __METHOD__ . ": preloading module info failed: $e" ); $this->hasErrors = true; // Add exception to the output as a comment - $errors .= self::makeComment( $e->__toString() ); + $errors .= self::formatException( $e ); } wfProfileIn( __METHOD__ . '-getModifiedTime' ); @@ -496,7 +496,7 @@ class ResourceLoader { wfDebugLog( 'resourceloader', __METHOD__ . ": calculating maximum modified time failed: $e" ); $this->hasErrors = true; // Add exception to the output as a comment - $errors .= self::makeComment( $e->__toString() ); + $errors .= self::formatException( $e ); } } @@ -677,7 +677,8 @@ class ResourceLoader { } /** - * Generate a CSS or JS comment block + * Generate a CSS or JS comment block. Only use this for public data, + * not error message details. * * @param $text string * @return string 
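Review bot: The inline comment `// Return exception as a comment` kept above the new `self::formatException( $exception )` call no longer says what is emitted: with `$wgShowExceptionDetails` false the output is the generic `internalerror` message, not the exception. Suggest `// Return exception (or a generic error, per $wgShowExceptionDetails) as a comment` here, and the matching `// Add exception to the output as a comment` lines in the -477, -496, -713 and -820 hunks should be updated the same way. The enclosing methods start and end outside each of these hunks.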
@@ -687,6 +688,22 @@ class ResourceLoader { return "/*\n$encText\n*/\n"; } + /** + * Handle exception display + * + * @param Exception $e to be shown to the user + * @return string sanitized text that can be returned to the user + */ + public static function formatException( $e ) { + global $wgShowExceptionDetails; + + if ( $wgShowExceptionDetails ) { + return self::makeComment( $e->__toString() ); + } else { + return self::makeComment( wfMessage( 'internalerror' )->text() ); + } + } + /** * Generates code for a response * @@ -713,7 +730,7 @@ class ResourceLoader { wfDebugLog( 'resourceloader', __METHOD__ . ": pre-fetching blobs from MessageBlobStore failed: $e" ); $this->hasErrors = true; // Add exception to the output as a comment - $exceptions .= self::makeComment( $e->__toString() ); + $exceptions .= self::formatException( $e ); } } else { $blobs = array(); @@ -820,7 +837,7 @@ class ResourceLoader { wfDebugLog( 'resourceloader', __METHOD__ . ": generating module package failed: $e" ); $this->hasErrors = true; // Add exception to the output as a comment - $exceptions .= self::makeComment( $e->__toString() ); + $exceptions .= self::formatException( $e ); // Register module as missing $missing[] = $name; -- 2.20.1
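Review bot: The added `formatException( $e )` takes an untyped parameter even though its docblock promises an `Exception`, so a wrong argument is only detected when `__toString()` is reached; declare it as `public static function formatException( Exception $e ) {`. The docblock should also state the behaviour that matters to operators: when `$wgShowExceptionDetails` is false the client receives only the `internalerror` message text, and the full exception remains available in the `resourceloader` debug log because every caller in this patch passes it to `wfDebugLog` first. The `else` after `return` is redundant; `return self::makeComment( wfMessage( 'internalerror' )->text() );` can follow the `if` block directly.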