SECURITY: Don't execute another user's CSS or JS on preview

Someone could theoretically try to hide malicious code in their user
common.js and then trick an admin into previewing it by asking for help.

Bug: T85855
Change-Id: I5a7a75306695859df5d848f6105b81bea0098f0a

diff --git a/includes/EditPage.php b/includes/EditPage.php
index a5994e7..e113426 100644 (file)
--- a/includes/EditPage.php
+++ b/includes/EditPage.php
@@ -2670,19 +2670,21 @@ class EditPage {
                                                array( 'userinvalidcssjstitle', $this->mTitle->getSkinFromCssJsSubpage() )
                                        );
                                }
-                               if ( $this->formtype !== 'preview' ) {
-                                       if ( $this->isCssSubpage && $wgAllowUserCss ) {
-                                               $wgOut->wrapWikiMsg(
-                                                       "<div id='mw-usercssyoucanpreview'>\n$1\n</div>",
-                                                       array( 'usercssyoucanpreview' )
-                                               );
-                                       }
+                               if ( $this->getTitle()->isSubpageOf( $wgUser->getUserPage() ) ) {
+                                       if ( $this->formtype !== 'preview' ) {
+                                               if ( $this->isCssSubpage && $wgAllowUserCss ) {
+                                                       $wgOut->wrapWikiMsg(
+                                                               "<div id='mw-usercssyoucanpreview'>\n$1\n</div>",
+                                                               array( 'usercssyoucanpreview' )
+                                                       );
+                                               }
 
-                                       if ( $this->isJsSubpage && $wgAllowUserJs ) {
-                                               $wgOut->wrapWikiMsg(
-                                                       "<div id='mw-userjsyoucanpreview'>\n$1\n</div>",
-                                                       array( 'userjsyoucanpreview' )
-                                               );
+                                               if ( $this->isJsSubpage && $wgAllowUserJs ) {
+                                                       $wgOut->wrapWikiMsg(
+                                                               "<div id='mw-userjsyoucanpreview'>\n$1\n</div>",
+                                                               array( 'userjsyoucanpreview' )
+                                                       );
+                                               }
                                        }
                                }
                        }

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index edeae0d..73d0cba 100644 (file)
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -3288,6 +3288,10 @@ class OutputPage extends ContextSource {
                if ( !$this->getTitle()->isJsSubpage() && !$this->getTitle()->isCssSubpage() ) {
                        return false;
                }
+               if ( !$this->getTitle()->isSubpageOf( $this->getUser()->getUserPage() ) ) {
+                       // Don't execute another user's CSS or JS on preview (T85855)
+                       return false;
+               }
 
                return !count( $this->getTitle()->getUserPermissionsErrors( 'edit', $this->getUser() ) );
        }