HomePhorge
Diffusion mediawiki 975f5a60660d

SECURITY: Limit subpages displayed on Special:MovePage form
975f5a60660d
Actions

This commit no longer exists in the repository. It may have been part of a branch which was deleted.

Description

SECURITY: Limit subpages displayed on Special:MovePage form

CVE-2024-PENDING

Why:

  • Special:MovePage shows the list of subpages for the page provided before the user submits the form.
  • There is currently no limit on the number of subpages shown and as such loading the move page for a page with tens of thousands of subpages causes request timeouts when trying to generate the link HTML for each subpage.
  • Special:MovePage does not need to display all the subpages and can limit the list to wgMaximumMovedPages subpages as the user who submits the form would only move that many subpages if they specified to move these subpages.
  • A user wanting to find the full list can use Special:Prefix Index which provides paging.

What:

  • Provide a $limit to Title::getSubpages for both calls in SpecialMovePage::showSubpages. $limit is defined as $wgMaximumMovedPages plus 1, where the extra subpage is used to determine if the results were truncated similar to IndexPager.
  • Because i18n modifications in security patches are to be strongly avoided, hard code the message shown when the list of subpages is truncated. This should be replaced with an actual message key when this is publicly uploaded to Gerrit.

Bug: T357760
Change-Id: I78fa0b04d2bc82c8deffa2ed5433eb2563c17962

Details

Provenance
Dreamy JazzAuthored on Feb 18 2024, 11:13 PM
ReedyCommitted on Mar 28 2024, 9:54 PM

Event Timeline

Reedy <reedy@wikimedia.org> committed rMW975f5a60660d: SECURITY: Limit subpages displayed on Special:MovePage form (authored by Dreamy Jazz <wpgbrown@wikimedia.org>).Mar 28 2024, 9:54 PM

Commit No Longer Exists

This commit no longer exists in the repository.