Fix security bug with whitelist

The username wasn't sanitized before being used in the regex that checks
the whitelist, so a user named ... (literally three periods)
would be allowed to use the script as long as any user on the list
had a three-character name. Thanks to MusikAnimal for pointing
this out.
Daniel Glus 2018-07-23 23:56:57 -04:00
parent b9f3b76eee
commit 33d2176754
2 changed files with 11 additions and 5 deletions


@ -101,8 +101,14 @@
var user = AFCH.consts.user,
whitelist = new AFCH.Page( AFCH.consts.whitelistTitle );
whitelist.getText().done( function ( text ) {
// sanitizedUser is user, but escaped for use in the regex.
// Otherwise a user named ... would always be able to use
// the script, so long as there was a user whose name was
// three characters long on the list!
var $howToDisable,
userAllowed = ( new RegExp( '\\|\\s*' + user + '\\s*}' ) ).test( text );
sanitizedUser = user.replace( /[\-\[\]\/\{\}\(\)\*\+\?\.\\\^\$\|]/g, '\\$&' ),
userAllowed = ( new RegExp( '\\|\\s*' + sanitizedUser + '\\s*}' ) ).test( text );
if ( !userAllowed ) {
@ -778,7 +784,7 @@
} );
}
appendText += ' ~~'+'~~'+'~\n';
appendText += ' ~~' + '~~' + '~\n';
logPage.edit( {
contents: appendText,
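Review bot: The escape on the `sanitizedUser` line covers the usual RegExp metacharacter set, so the whitelist regex now matches the name literally, but the comment explaining it is placed above `var $howToDisable,` rather than beside the line it describes, and it narrates the incident instead of stating the contract. I would move it next to the `sanitizedUser` assignment and shorten it to `// Escape RegExp metacharacters so the username is matched literally, not as a pattern.`, leaving the three-period story to the commit message. The character class is also worth hoisting into a small named helper so that any other regex built from a username in this file does not repeat it by hand. The `getText().done` callback containing these lines continues past the end of the hunk.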


@ -1093,7 +1093,7 @@
// $1 = article name
// $2 = article class or '' if not available
'accepted-submission': '== Your submission at [[Wikipedia:Articles for creation|Articles for creation]]: ' +
'[[$1]] has been accepted ==\n{{subst:Afc talk|$1|class=$2|sig=~~'+'~~}}',
'[[$1]] has been accepted ==\n{{subst:Afc talk|$1|class=$2|sig=~~' + '~~}}',
// $1 = full submission title
// $2 = short title
@ -1110,9 +1110,9 @@
'comment-on-submission': '{{subst:AFC notification|comment|article=$1}}',
// $1 = article name
'g13-submission': '{{subst:Db-afc-notice|$1}} ~~'+'~~',
'g13-submission': '{{subst:Db-afc-notice|$1}} ~~' + '~~',
'teahouse-invite': '{{subst:Wikipedia:Teahouse/AFC invitation|sign=~~'+'~~}}'
'teahouse-invite': '{{subst:Wikipedia:Teahouse/AFC invitation|sign=~~' + '~~}}'
} );
}