name and behaviour change of wgRSSAllowedFeeds towgRSSUrlWhitelist. The wgRSSUrlWhitelist is _now_ empty by default which was not the case until this version. Admins who want to allow their users to insert arbitrary feed urls must now denote this expressly with an asterisk in quotes as whitelist array element. This is harmonised to the same method as recently introduced in E:EtherpadLite. The RELEASE NOTES file has been updated, updates to the MediaWiki manual page will follow soon.

https://mediawiki.org/wiki/Special:Code/MediaWiki/112243

RELEASE-NOTES

@@ -13,6 +13,21 @@ http://www.mediawiki.org/wiki/Extension:RSS
 * bug 30028 "Error parsing XML for RSS" - improve and harden Extension:RSS when
   parsing differently flavoured RSS feeds
 
+=== Version 1.94 2012-02-23 ===
+* changed white list definition and behaviour:
+
+  1. changed the name from $wgRSSAllowedFeeds to $wgRSSUrlWhitelist
+  2. behaviour has been changed
+
+  the new behaviour is:
+  $wgRSSUrlWhitelist is empty by default. Since version 1.94 it must be 
+  expressly set to an array( list-of-comma-separated-allowed-RSS-urls-strings )
+  or set to array( "*" ) if you want to allow any url
+
+  the old behaviour was:
+  $wgRSSAllowedFeeds was empty by default and empty meant that every Url
+  was allowed by default. This has been changed, see new behaviour.
+
 === Version 1.92 2012-02-13 ===
 * added optional date= attribute and $wgRSSDateDefaultFormat parameter
 * added optional item-max-length= attribute and $wgRSSItemMaxLength parameter

RSS.i18n.php

@@ -20,7 +20,8 @@ $messages['en'] = array(
 	'rss-invalid-url' => 'Not a valid URL: $1',
 	'rss-parse-error' => 'Error parsing XML for RSS',
 	'rss-ns-permission' => 'RSS is not allowed in this namespace',
-	'rss-url-permission' => 'This URL is not allowed to be included',
+	'rss-url-is-not-whitelisted' => '"$1" is not in the whitelist of allowed feeds. {{PLURAL:$3|$2 is the only allowed feed|The allowed feeds are as follows: $2}}.',
+	'rss-empty-whitelist' => '"$1" is not in the whitelist of allowed feeds. There are no allowed feed URLs in the whitelist.',
 	'rss-item' => '{{$1 | title = {{{title}}} | link = {{{link}}} | date = {{{date}}} | author = {{{author}}} | description = {{{description}}} }}',
  	'rss-feed' => "<!--  the following are two alternative templates. The first is the basic default template for feeds -->; '''<span class='plainlinks'>[{{{link}}} {{{title}}}]</span>'''
 : {{{description}}}
@@ -33,6 +34,7 @@ $messages['en'] = array(
  */
 $messages['qqq'] = array(
 	'rss-invalid-url' => '$1 is the invalid URL for the RSS feed',
+	'etherpadlite-url-is-not-whitelisted' => "Error if url isn't in list of allowed urls. $1 is name of url specified by user, $2 is a comma separated list of allowed urls, $3 is the number of urls in the allowed list",
 	'rss-feed' => "; $1
 : ''not to be localised''
 : The RSS extension substitutes this placeholder with the name of a template page. The content of this template page determines the final layout of the RSS feed on the rendered wiki page. The Extension:RSS currently uses 'MediaWiki:Rss-feed' as default for $1. This means that the content of [[MediaWiki:Rss-feed]] determines how RSS feed items are rendered.

RSS.php

@@ -4,7 +4,7 @@
  *
  * @file
  * @ingroup Extensions
- * @version 1.93
+ * @version 1.94
  * @author mutante, Daniel Kinzler, Rdb, Mafs, Thomas Gries, Alxndr, Chris Reigrut, K001
  * @author Kellan Elliott-McCrea <kellan@protest.net> -- author of MagpieRSS
  * @author Jeroen De Dauw
@@ -14,6 +14,8 @@
  * @link http://www.mediawiki.org/wiki/Extension:RSS Documentation
  */
 
+define( "EXTENSION_RSS_VERSION", "1.94 20120223" );
+
 if ( !defined( 'MEDIAWIKI' ) ) {
 	die( "This is not a valid entry point.\n" );
 }
@@ -26,7 +28,7 @@ $wgExtensionCredits['parserhook'][] = array(
 		'Rdb', 'Mafs', 'Alxndr', 'Thomas Gries', 'Chris Reigrut',
 		'K001', 'Jack Phoenix', 'Jeroen De Dauw', 'Mark A. Hershberger'
 	),
-	'version' => '1.93 20120218',
+	'version' => EXTENSION_RSS_VERSION,
 	'url' => 'https://www.mediawiki.org/wiki/Extension:RSS',
 	'descriptionmsg' => 'rss-desc',
 );
@@ -36,12 +38,13 @@ $dir = dirname( __FILE__ ) . '/';
 $wgExtensionMessagesFiles['RSS'] = $dir . 'RSS.i18n.php';
 $wgAutoloadClasses['RSSHooks'] = $dir . 'RSSHooks.php';
 $wgAutoloadClasses['RSSParser'] = $dir . 'RSSParser.php';
+$wgAutoloadClasses['RSSUtils'] = $dir . 'RSSParser.php';
 $wgAutoloadClasses['RSSData'] = $dir . 'RSSData.php';
 
 $wgHooks['ParserFirstCallInit'][] = 'RSSHooks::parserInit';
 
- // one hour
- $wgRSSCacheAge = 3600;
+// one hour
+$wgRSSCacheAge = 3600;
 
 // Check cached content, if available, against remote.
 // $wgRSSCacheCompare should be set to false or a timeout
@@ -55,13 +58,26 @@ $wgRSSFetchTimeout = 5;
 // null (the default) means the <rss> tag can be used anywhere.
 $wgRSSNamespaces = null;
 
-// URL whitelist of RSS Feeds:
-// if there are items in the array, and the used URL isn't in the array,
-// it will not be allowed (originally proposed in bug 27768)
-$wgRSSAllowedFeeds = array();
+// Whitelist of allowed RSS Urls
+//
+// If there are items in the array, and the user supplied URL is not in the array,
+// the url will not be allowed
+//
+// Urls are case-sensitively tested against values in the array. 
+// They must exactly match including any trailing "/" character.
+//
+// Warning: Allowing all urls (not setting a whitelist)
+// may be a security concern.
+//
+// an empty or non-existent array means: no whitelist defined
+// this is the default: an empty whitelist. No servers are allowed by default.
+$wgRSSUrlWhitelist = array();
+
+// include "*" if you expressly want to allow all urls (you should not do this)
+// $wgRSSUrlWhitelist = array( "*" );
 
 // Agent to use for fetching feeds
-$wgRSSUserAgent = 'MediaWikiRSS/0.02 (+http://www.mediawiki.org/wiki/Extension:RSS) / MediaWiki RSS extension';
+$wgRSSUserAgent = "MediaWikiRSS/" . strtok( EXTENSION_RSS_VERSION, " " ) . " (+http://www.mediawiki.org/wiki/Extension:RSS) / MediaWiki RSS extension";
 
 // Proxy server to use for fetching feeds
 $wgRSSProxy = false;

RSSHooks.php

@@ -1,6 +1,7 @@
 <?php
 
 class RSSHooks {
+
 	/**
 	 * Tell the parser how to handle <rss> elements
 	 * @param $parser Parser Object
@@ -20,7 +21,7 @@ class RSSHooks {
 	 * @param $frame PPFrame parser context
 	 */
 	static function renderRss( $input, $args, $parser, $frame ) {
-		global $wgRSSCacheAge, $wgRSSCacheCompare, $wgRSSNamespaces, $wgRSSAllowedFeeds;
+		global $wgRSSCacheAge, $wgRSSCacheCompare, $wgRSSNamespaces, $wgRSSUrlWhitelist;
 
 		if ( is_array( $wgRSSNamespaces ) && count( $wgRSSNamespaces ) ) {
 			$ns = $parser->getTitle()->getNamespace();
@@ -31,10 +32,32 @@ class RSSHooks {
 			}
 		}
 
-		if ( count( $wgRSSAllowedFeeds ) && !in_array( $input, $wgRSSAllowedFeeds ) ) {
-			return wfMsg( 'rss-url-permission' );
-		}
+		switch ( true ) {
+	
+		# disallow because there is no whitelist or emtpy whitelist
+		case ( !isset( $wgRSSUrlWhitelist ) 
+			|| !is_array( $wgRSSUrlWhitelist )
+			|| ( count( $wgRSSUrlWhitelist ) === 0 ) ):
+			return RSSUtils::RSSError( 'rss-empty-whitelist',
+				$input
+			);
+			break;
 
+		# allow
+		case ( in_array( "*", $wgRSSUrlWhitelist ) ):
+		case ( in_array( $input, $wgRSSUrlWhitelist ) ):
+			break;
+
+		# otherwise disallow
+		case ( !in_array( $input, $wgRSSUrlWhitelist ) ):
+		default:
+			$listOfAllowed = $parser->getFunctionLang()->listToText( $wgRSSUrlWhitelist );
+			$numberAllowed = $parser->getFunctionLang()->formatNum( count( $wgRSSUrlWhitelist ) );
+			return RSSUtils::RSSError( 'rss-url-is-not-whitelisted',
+				array( $input, $listOfAllowed, $numberAllowed )
+			);
+		}
+		
 		if ( !Http::isValidURI( $input ) ) {
 			return wfMsg( 'rss-invalid-url', htmlspecialchars( $input ) );
 		}
@@ -61,4 +84,5 @@ class RSSHooks {
 
 		return $rss->renderFeed( $parser, $frame );
 	}
+	
 }

RSSParser.php

@@ -230,11 +230,33 @@ class RSSParser {
 			$headers['If-Modified-Since'] = $lm;
 		}
 
-		$client = HttpRequest::factory( $this->url, array( 
-			'timeout' => $wgRSSFetchTimeout,
-			'proxy' => $wgRSSProxy
+		/**
+		 * 'noProxy' can conditionally be set as shown in the commented
+		 * example below; in HttpRequest 'noProxy' takes precedence over
+		 * any value of 'proxy' and disables the use of a proxy.
+		 *
+		 * This is useful if you run the wiki in an intranet and need to
+		 * access external feed urls through a proxy but internal feed
+		 * urls must be accessed without a proxy. 
+		 *
+		 * The general handling of such cases will be subject of a
+		 * forthcoming version.
+		 */
+
+ 		$url = $this->url;
+		$noProxy = false;
+		
+		// Example for disabling proxy use for certain urls
+		// $noProxy = preg_match( '!\.internal\.example\.com$!i', parse_url( $url, PHP_URL_HOST ) );
+		
+		$client = HttpRequest::factory( $url,
+			array( 
+				'timeout' => $wgRSSFetchTimeout,
+				'proxy'   => $wgRSSProxy,
+				'noProxy' => $noProxy,
+			) 
+		);
 
-		) );
 		$client->setUserAgent( $wgRSSUserAgent );
 		foreach ( $headers as $header => $value ) {
 			$client->setHeader( $header, $value );
@@ -524,3 +546,25 @@ class RSSHighlighter {
 		return sprintf( $styleStart, $bgcolor[$index], $color[$index] ) . $match[0] . $styleEnd;
 	}
 }
+
+class RSSUtils {
+
+	/**
+	* Output an error message, all wraped up nicely.
+	* @param String $errorMessageName The system message that this error is
+	* @param String|Array $param Error parameter (or parameters)
+	* @return String Html that is the error.
+	*/
+	public static function RSSError( $errorMessageName, $param ) {
+
+		// Anything from a parser tag should use Content lang for message,
+		// since the cache doesn't vary by user language: do not use wfMsgForContent but wfMsgForContent
+		// The ->parse() part makes everything safe from an escaping standpoint.
+
+		return Html::rawElement( 'span', array( 'class' => 'error' ),
+			"Extension:RSS -- Error: " . wfMessage( $errorMessageName )->inContentLanguage()->params( $param )->parse()
+		);
+
+	}
+
+}