SECURITY: Disallow extracts for non-wikitext for now.

Note that the sensitive information is still in the TextExtracts
memcached, so this requires security review (and either eviction
or a cache key change) before enabling other content models.

Bug: T107170
Change-Id: I57642e84db39d585c5b04453f86102b10fb69cdf
(cherry picked from commit 63b358fca2)
Matthew Flaschen 2015-07-30 00:28:41 -04:00
parent ff000eb698
commit 9e524959ff


@ -23,6 +23,13 @@ class ApiQueryExtracts extends ApiQueryBase {
private $parserOptions;
private $params;
// TODO: Allow extensions to hook into this to opt-in.
// This is partly for security reasons; see T107170.
/**
* @var array
*/
private $supportedContentModels = array( 'wikitext' );
public function __construct( $query, $moduleName ) {
parent::__construct( $query, $moduleName, 'ex' );
}
@ -121,6 +128,12 @@ class ApiQueryExtracts extends ApiQueryBase {
*/
private function getExtract( Title $title ) {
wfProfileIn( __METHOD__ );
$contentModel = $title->getContentModel();
if ( !in_array( $contentModel, $this->supportedContentModels, true ) ) {
$this->setWarning( "{$title->getPrefixedDBkey()} has content model '$contentModel', which is not supported; returning an empty extract." );
return '';
}
$page = WikiPage::factory( $title );
$introOnly = $this->params['intro'];
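Review bot: The early `return '';` added in getExtract() comes after `wfProfileIn( __METHOD__ )` with no matching `wfProfileOut( __METHOD__ )`, so on a branch where the profiler still tracks these calls the section is left open; either add `wfProfileOut( __METHOD__ );` before the return or move the content-model check above the `wfProfileIn` call. The rest of getExtract() lies outside the hunk, so the cache read is not visible here, but the commit message says extracts already cached for other content models remain in memcached, which means this guard has to stay ahead of any cache lookup in the function. I would record that on `$supportedContentModels`, e.g. `// Allow-list, fail closed: adding a model needs security review and eviction of (or a new key for) cached extracts; see T107170.`, so that the hook-based opt-in mentioned in the TODO does not widen the list without that review.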