X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Factions%2FRawAction.php;h=77a8b14e2c2c04a04e8e3df3528678ddef2d385e;hb=93350da7f1ab397b87c3ac3073ddfc1c857b272e;hp=b5a6d3ac25984f5c3c3a7d341207fe78876c8baf;hpb=6871d732a1614f6d3272478e0e02c353c0b10e46;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index b5a6d3ac25..77a8b14e2c 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -129,6 +129,30 @@ class RawAction extends FormlessAction {
 			}
 		}
 
+		// Don't allow loading non-protected pages as javascript.
+		// In future we may further restrict this to only CONTENT_MODEL_JAVASCRIPT
+		// in NS_MEDIAWIKI or NS_USER, as well as including other config types,
+		// but for now be more permissive. Allowing protected pages outside of
+		// NS_USER and NS_MEDIAWIKI in particular should be considered a temporary
+		// allowance.
+		if (
+			$contentType === 'text/javascript' &&
+			!$title->isUserJsConfigPage() &&
+			!$title->inNamespace( NS_MEDIAWIKI ) &&
+			!in_array( 'sysop', $title->getRestrictions( 'edit' ) ) &&
+			!in_array( 'editprotected', $title->getRestrictions( 'edit' ) )
+		) {
+
+			$log = LoggerFactory::getInstance( "security" );
+			$log->info( "Blocked loading unprotected JS {title} for {user}",
+				[
+					'user' => $this->getUser()->getName(),
+					'title' => $title->getPrefixedDBKey(),
+				]
+			);
+			throw new HttpError( 403, wfMessage( 'unprotected-js' ) );
+		}
+
 		$response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
 
 		$text = $this->getRawText();
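Review bot: The two `in_array` calls in the new guard compare without `strict: true` and each re-fetch `$title->getRestrictions( 'edit' )`; fetch the levels once and test the set, e.g. `$restrictions = $title->getRestrictions( 'edit' );` followed by `!array_intersect( [ 'sysop', 'editprotected' ], $restrictions )` in place of the two lines. The guard keys on `$contentType`, which is negotiated from the request earlier in the method (outside this hunk), so the block only holds while the delivered type is honoured by the client; a comment such as `// Relies on the response's X-Content-Type-Options: nosniff header (set elsewhere in this method)` would make that dependency explicit, assuming the action does set it — that is not visible here. The hard-coded pair of levels also means any additional restriction level a wiki configures is treated as unprotected, which the "temporary allowance" comment would be a natural place to note. The enclosing method starts and ends outside the hunk.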