The user input specified in the math tag, à la <math>E=m <script>alert('attacked')</script>^2 </math>, is verified in PNG rendering mode, but not in plaintext, MathJax or LaTeXML rendering mode. This is a potential security issue. Furthermore, texvc-specific commands such as $\reals$, which is expanded to $\mathbb{R}$, might be rendered differently depending on the rendering mode. Therefore, the security checking and rewriting portion of texvc has been extracted from the texvc source (see I1650e6ec2ccefff6335fbc36bbe8ca8f59db0faa) and is now available as a separate executable (texvccheck). This commit enables this security enhancement in the extension and provides more consistent results across the different rendering modes. Bug: 49169 Change-Id: Ida24b6bf339508753bed40d2e218c4a5b7fe7d0c
<?php
/**
* MediaWiki math extension
*
* (c) 2002-2013 Tomasz Wegrzanowski, Brion Vibber, Moritz Schubotz, and other MediaWiki contributors
* GPLv2 license; info in main package.
*
* @author Moritz Schubotz
*/
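class MathInputCheckTexvc extends MathInputCheck {

	/**
	 * Converts an error returned by texvccheck into a localized error message.
	 *
	 * texvccheck reports its result as a one-character status code followed by
	 * details: 'E' (lexing error), 'S' (syntax error) and 'F' (unknown
	 * function, followed by the offending name). Any other status code maps to
	 * math_unknown_error.
	 *
	 * @param string $texvcResult raw result string returned by texvccheck
	 * @param object|bool $errorRenderer object exposing getError( $msgKey, ... )
	 *  (e.g. a MathSource); false (default) creates a MathSource for the
	 *  current input TeX
	 * @return string localized error message
	 */
	public function convertTexvcError( $texvcResult, $errorRenderer = false ) {
		$texvcStatus = substr( $texvcResult, 0, 1 );
		// The detail part is echoed back to the user as a message parameter,
		// so it is HTML-escaped before it leaves this method.
		$errDetails = htmlspecialchars( substr( $texvcResult, 1 ) );

		if ( $errorRenderer === false ) {
			$errorRenderer = new MathSource( $this->inputTeX );
		}

		switch ( $texvcStatus ) {
			case 'E':
				return $errorRenderer->getError( 'math_lexing_error' );
			case 'S':
				return $errorRenderer->getError( 'math_syntax_error' );
			case 'F':
				return $errorRenderer->getError( 'math_unknown_function', $errDetails );
			default:
				return $errorRenderer->getError( 'math_unknown_error' );
		}
	}

	/**
	 * Runs the input TeX through the texvccheck executable.
	 *
	 * On success the rewritten TeX returned by texvccheck (everything after the
	 * leading '+') is stored in $this->validTeX and $this->isSecure is set to
	 * true. On failure $this->lastError holds a localized message and false is
	 * returned.
	 *
	 * Fail-open caveat: if $wgMathTexvcCheckExecutable is not executable this
	 * method logs a notice and returns true WITHOUT checking the input. Neither
	 * validTeX nor isSecure is set in that case, so a true return value alone
	 * is not proof that the TeX was validated; callers that need the security
	 * guarantee must also look at isSecure.
	 *
	 * @global string $wgMathTexvcCheckExecutable path to the texvccheck binary
	 * @return bool true if the TeX passed the check (or the checker is unavailable)
	 */
	public function isValid() {
		global $wgMathTexvcCheckExecutable;

		if ( !is_executable( $wgMathTexvcCheckExecutable ) ) {
			$msg = wfMessage( 'math_notexvc' )->inContentLanguage()->escaped();
			trigger_error( $msg, E_USER_NOTICE );
			wfDebugLog( 'Math', $msg );
			// NOTE(review): fails open — unchecked input is reported as valid.
			// isSecure is deliberately left unset so downstream can tell.
			return true;
		}

		// Only the user-supplied TeX is shell-escaped; the executable path is
		// trusted site configuration.
		$cmd = $wgMathTexvcCheckExecutable . ' ' . wfEscapeShellArg( $this->inputTeX );

		if ( wfIsWindows() ) {
			# Invoke it within cygwin sh, because texvc expects sh features in its default shell
			$cmd = 'sh -c ' . wfEscapeShellArg( $cmd );
		}

		wfDebugLog( 'Math', "TeX check command: $cmd\n" );
		$contents = wfShellExec( $cmd );
		wfDebugLog( 'Math', "TeX check result:\n $contents\n---\n" );

		if ( strlen( $contents ) === 0 ) {
			// No output means the checker could not run or produced nothing;
			// fail closed instead of passing unchecked TeX through.
			wfDebugLog( 'Math', "TeX check output was empty. \n" );
			// Build the message through a renderer instance, as the other
			// error path (convertTexvcError) does, rather than calling
			// MathRenderer::getError() statically.
			$errorRenderer = new MathSource( $this->inputTeX );
			$this->lastError = $errorRenderer->getError( 'math_unknown_error' );
			return false;
		}

		// texvccheck prefixes its output with a one-character status: '+' on
		// success (followed by the rewritten TeX), an error code otherwise.
		$retval = substr( $contents, 0, 1 );

		if ( $retval !== '+' ) {
			$this->lastError = $this->convertTexvcError( $contents );
			wfDebugLog( 'Math', 'checkTex failed:' . $this->lastError );
			return false;
		}

		$this->validTeX = substr( $contents, 1 );
		$this->isSecure = true;
		wfDebugLog( 'Math', 'checkTex successful tex is now: ' . $this->validTeX );
		return true;
	}

}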