X-Git-Url: https://git.heureux-cyclage.org/?p=lhc%2Fweb%2Fwiklou.git;a=blobdiff_plain;f=includes%2Factions%2FRawAction.php;h=159e7081a4c00e49b653f599154f10f51c5c9342;hp=812f9623ff99db64a5a70fe46533c290bc9d2acd;hb=90232b6f36ee5a1473f2e865cc7a72d0014db4c7;hpb=9b00306abe57ff7b9f92728c664e60a29eb1791b
diff --git a/includes/actions/RawAction.php b/includes/actions/RawAction.php
index 812f9623ff..159e7081a4 100644
--- a/includes/actions/RawAction.php
+++ b/includes/actions/RawAction.php
@@ -26,6 +26,8 @@
  * @file
  */
 
+use MediaWiki\Logger\LoggerFactory;
+
 /**
  * A simple method to retrieve the plain source of an article,
  * using "action=raw" in the GET request string.
@@ -85,7 +87,6 @@ class RawAction extends FormlessAction {
 $response->header( $this->getOutput()->getKeyHeader() );
 }
 
- $response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
 // Output may contain user-specific data;
 // vary generated content for open sessions on private wikis
 $privateCache = !User::isEveryoneAllowed( 'read' ) &&
@@ -97,6 +98,33 @@ class RawAction extends FormlessAction {
 'Cache-Control: ' . $mode . ', s-maxage=' . $smaxage . ', max-age=' . $maxage
 );
 
+ // In the event of user JS, don't allow loading a user JS/CSS/Json
+ // subpage that has no registered user associated with, as
+ // someone could register the account and take control of the
+ // JS/CSS/Json page.
+ $title = $this->getTitle();
+ if ( $title->isUserConfigPage() && $contentType !== 'text/x-wiki' ) {
+ // not using getRootText() as we want this to work
+ // even if subpages are disabled.
+ $rootPage = strtok( $title->getText(), '/' );
+ $userFromTitle = User::newFromName( $rootPage, 'usable' );
+ if ( !$userFromTitle || $userFromTitle->getId() === 0 ) {
+ $log = LoggerFactory::getInstance( "security" );
+ $log->warning(
+ "Unsafe JS/CSS/Json load - {user} loaded {title} with {ctype}",
+ [
+ 'user' => $this->getUser()->getName(),
+ 'title' => $title->getPrefixedDBKey(),
+ 'ctype' => $contentType,
+ ]
+ );
+ $msg = wfMessage( 'unregistered-user-config' );
+ throw new HttpError( 403, $msg );
+ }
+ }
+
+ $response->header( 'Content-type: ' . $contentType . '; charset=UTF-8' );
+
 $text = $this->getRawText();
 
 // Don't return a 404 response for CSS or JavaScript;
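Review bot: The 403 for an unregistered user's config page is thrown after the `Cache-Control` header at the top of this hunk has already been emitted with `s-maxage`/`max-age`, so unless HttpError::report() resets headers (not visible here) a shared cache may keep serving the rejection until it expires, including after the account is later created; moving the new block above the Cache-Control emission, or sending `Cache-Control: no-cache` before the throw, keeps the error response uncacheable. `strtok( $title->getText(), '/' )` also relies on PHP's process-global tokenizer state for a one-off split; `$rootPage = explode( '/', $title->getText(), 2 )[0];` expresses the same intent without it. The `'usable'` mode on User::newFromName together with the `getId() === 0` test rejects both invalid and not-yet-registered names, which is the property the block depends on; a one-line comment on the inner `if` stating that would help the next reader. The enclosing method begins before this hunk and continues past it.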