authorTim Starling <tstarling@wikimedia.org>2022-07-21 13:35:01 +1000
committerTim Starling <tstarling@wikimedia.org>2022-07-22 11:44:49 +1000
commit51ddd7068292d0b2e42cddc6374d24910dc6b343 (patch)
treeec050412358811a07d95b788fa3fcbc026285d20 /includes
parent6d840fa896f37bfd25bfb6167e869faacee9c015 (diff)
Remove Flash cross-domain policy mangling
Remove Flash cross-domain policy mangling. Users who are somehow still using Flash as a browser extension will be exposed to CSRF vulnerabilities. Deprecate the config since deprecation has some advantages in the new config system over simple removal. Bug: T279496 Change-Id: I2c0e85a430d7e6aaf8d5decd00cf1dade04cebe1
Diffstat (limited to 'includes')
-rw-r--r--includes/MainConfigNames.php1
-rw-r--r--includes/MainConfigSchema.php8
-rw-r--r--includes/OutputHandler.php20
-rw-r--r--includes/api/ApiFormatBase.php13
-rw-r--r--includes/api/ApiFormatJson.php9
-rw-r--r--includes/api/ApiFormatPhp.php16
-rw-r--r--includes/config-schema.php3
-rw-r--r--includes/config-vars.php1
8 files changed, 11 insertions, 60 deletions
diff --git a/includes/MainConfigNames.php b/includes/MainConfigNames.php
index 9b4e073c0ac8..e3b3d61f2665 100644
--- a/includes/MainConfigNames.php
+++ b/includes/MainConfigNames.php
@@ -2033,6 +2033,7 @@ class MainConfigNames {
/**
* Name constant for the MangleFlashPolicy setting, for use with Config::get()
* @see MainConfigSchema::MangleFlashPolicy
+ * @deprecated since 1.39; no longer has any effect
*/
public const MangleFlashPolicy = 'MangleFlashPolicy';
diff --git a/includes/MainConfigSchema.php b/includes/MainConfigSchema.php
index 2f371452a6f3..c5bb332de3bb 100644
--- a/includes/MainConfigSchema.php
+++ b/includes/MainConfigSchema.php
@@ -5245,15 +5245,15 @@ class MainConfigSchema {
/** @name ResourceLoader settings */
/**
- * When OutputHandler is used, mangle any output that contains
- * <cross-domain-policy>. Without this, an attacker can send their own
- * cross-domain policy unless it is prevented by the crossdomain.xml file at
- * the domain root.
+ * Formerly a workaround for a security vulnerability caused by installation
+ * of Flash as a browser extension.
*
* @since 1.25
+ * @deprecated since 1.39
*/
public const MangleFlashPolicy = [
'default' => true,
+ 'deprecated' => 'since 1.39; no longer has any effect',
];
/**
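Review bot: The `@deprecated` tag added at line 52 reads only `since 1.39`, while the matching tag in MainConfigNames and the `'deprecated'` array entry at line 56 both say `since 1.39; no longer has any effect`; aligning it to `* @deprecated since 1.39; no longer has any effect` keeps the three places that document this setting consistent. The rewritten description also drops the one operational pointer the old text carried, namely that an attacker-supplied policy is only blocked by a `crossdomain.xml` at the domain root. Now that the setting is a no-op, that file is the remaining control an operator can apply, so I would keep a sentence such as `* Sites that still need to restrict Flash cross-domain access should serve a restrictive crossdomain.xml at the domain root.` in the docblock.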
diff --git a/includes/OutputHandler.php b/includes/OutputHandler.php
index 0559597d590b..28108f658330 100644
--- a/includes/OutputHandler.php
+++ b/includes/OutputHandler.php
@@ -41,7 +41,6 @@ class OutputHandler {
public static function handle( $s, $phase ) {
$config = MediaWikiServices::getInstance()->getMainConfig();
$disableOutputCompression = $config->get( MainConfigNames::DisableOutputCompression );
- $mangleFlashPolicy = $config->get( MainConfigNames::MangleFlashPolicy );
// Don't send headers if output is being discarded (T278579)
if ( ( $phase & PHP_OUTPUT_HANDLER_CLEAN ) === PHP_OUTPUT_HANDLER_CLEAN ) {
$logger = LoggerFactory::getInstance( 'output' );
@@ -53,10 +52,6 @@ class OutputHandler {
return $s;
}
- if ( $mangleFlashPolicy ) {
- $s = self::mangleFlashPolicy( $s );
- }
-
// Check if a compression output buffer is already enabled via php.ini. Such
// buffers exists at the start of the request and are reflected by ob_get_level().
$phpHandlesCompression = (
@@ -181,21 +176,6 @@ class OutputHandler {
}
/**
- * Mangle flash policy tags which open up the site to XSS attacks.
- *
- * @param string $s Web response output
- * @return string
- */
- private static function mangleFlashPolicy( $s ) {
- # Avoid weird excessive memory usage in PCRE on big articles
- if ( preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $s ) ) {
- return preg_replace( '/\<(\s*)(cross-domain-policy(?=\s|\>))/i', '<$1NOT-$2', $s );
- } else {
- return $s;
- }
- }
-
- /**
* Set the Content-Length header if possible
*
* This sets Content-Length for the following cases:
diff --git a/includes/api/ApiFormatBase.php b/includes/api/ApiFormatBase.php
index 7716997e50e3..89ff900b55bb 100644
--- a/includes/api/ApiFormatBase.php
+++ b/includes/api/ApiFormatBase.php
@@ -303,7 +303,7 @@ abstract class ApiFormatBase extends ApiBase {
if ( $this->getIsWrappedHtml() ) {
// This is a special output mode mainly intended for ApiSandbox use
$time = $this->getMain()->getRequest()->getElapsedTime();
- $json = FormatJson::encode(
+ echo FormatJson::encode(
[
'status' => (int)( $this->mHttpStatus ?: 200 ),
'statustext' => HttpStatus::getMessage( $this->mHttpStatus ?: 200 ),
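Review bot: The `echo` on line 111 now emits the wrapped-HTML response exactly as `FormatJson::encode` produces it, and the call still passes `FormatJson::ALL_OK` (visible in the next hunk), which, if I remember FormatJson correctly, includes XMLMETA_OK and so leaves `<`, `>` and `&` unescaped in the JSON. That is acceptable only because this mode is served with a non-HTML content type, but with the escaping workaround removed in the following hunk nothing in the code says so any more, and a later reader may mistake the raw markup characters for an XSS gap. I would add a short comment above the `echo`, e.g. `// Emitted verbatim: the non-HTML content type for this mode, not escaping, is what keeps browsers from treating markup in the JSON as HTML.` The enclosing method begins before this hunk and continues after the next one.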
@@ -317,17 +317,6 @@ abstract class ApiFormatBase extends ApiBase {
],
false, FormatJson::ALL_OK
);
-
- // T68776: OutputHandler::mangleFlashPolicy() avoids a nasty bug in
- // Flash, but what it does isn't friendly for the API, so we need to
- // work around it.
- if ( preg_match( '/\<\s*cross-domain-policy\s*\>/i', $json ) ) {
- $json = preg_replace(
- '/\<(\s*cross-domain-policy\s*)\>/i', '\\u003C$1\\u003E', $json
- );
- }
-
- echo $json;
} else {
// API handles its own clickjacking protection.
// Note, that $wgBreakFrames will still override $wgApiFrameOptions for format mode.
diff --git a/includes/api/ApiFormatJson.php b/includes/api/ApiFormatJson.php
index 7e4da5a5a7d7..3c2672c58174 100644
--- a/includes/api/ApiFormatJson.php
+++ b/includes/api/ApiFormatJson.php
@@ -98,15 +98,6 @@ class ApiFormatJson extends ApiFormatBase {
// @codeCoverageIgnoreEnd
}
- // T68776: OutputHandler::mangleFlashPolicy() avoids a nasty bug in
- // Flash, but what it does isn't friendly for the API, so we need to
- // work around it.
- if ( preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $json ) ) {
- $json = preg_replace(
- '/\<(\s*cross-domain-policy(?=\s|\>))/i', '\\u003C$1', $json
- );
- }
-
if ( isset( $params['callback'] ) ) {
$callback = preg_replace( "/[^][.\\'\\\"_A-Za-z0-9]/", '', $params['callback'] );
# Prepend a comment to try to avoid attacks against content
diff --git a/includes/api/ApiFormatPhp.php b/includes/api/ApiFormatPhp.php
index a87fbd2ffcbc..e90448536e21 100644
--- a/includes/api/ApiFormatPhp.php
+++ b/includes/api/ApiFormatPhp.php
@@ -20,7 +20,6 @@
* @file
*/
-use MediaWiki\MainConfigNames;
use Wikimedia\ParamValidator\ParamValidator;
/**
@@ -57,20 +56,7 @@ class ApiFormatPhp extends ApiFormatBase {
// Should have been caught during parameter validation
$this->dieDebug( __METHOD__, 'Unknown value for \'formatversion\'' );
}
- $text = serialize( $this->getResult()->getResultData( null, $transforms ) );
-
- // T68776: OutputHandler::mangleFlashPolicy() avoids a nasty bug in
- // Flash, but what it does isn't friendly for the API. There's nothing
- // we can do here that isn't actively broken in some manner, so let's
- // just be broken in a useful manner.
- if ( $this->getConfig()->get( MainConfigNames::MangleFlashPolicy ) &&
- in_array( 'MediaWiki\\OutputHandler::handle', ob_list_handlers(), true ) &&
- preg_match( '/\<\s*cross-domain-policy(?=\s|\>)/i', $text )
- ) {
- $this->dieWithError( 'apierror-formatphp', 'internalerror' );
- }
-
- $this->printText( $text );
+ $this->printText( serialize( $this->getResult()->getResultData( null, $transforms ) ) );
}
public function getAllowedParams() {
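Review bot: The removed branch at lines 172-177 was the only visible caller of `dieWithError( 'apierror-formatphp', 'internalerror' )`, so the `apierror-formatphp` message key is probably orphaned by this change; the diffstat is limited to `includes`, so I cannot tell from here whether the i18n JSON files were updated in the same commit, and that should be confirmed before merge. Dropping the `MediaWiki\MainConfigNames` import in the earlier hunk is consistent with the new body no longer reading config, and the inlined `$this->printText( serialize( ... ) )` on line 180 is fine as written. The enclosing method begins before this hunk.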
diff --git a/includes/config-schema.php b/includes/config-schema.php
index ec72506e3e9d..31fbead53527 100644
--- a/includes/config-schema.php
+++ b/includes/config-schema.php
@@ -3142,6 +3142,9 @@ return [
'type' => 'string',
],
],
+ 'MangleFlashPolicy' => [
+ 'deprecated' => 'since 1.39; no longer has any effect',
+ ],
'AllowImageTag' => [
'deprecated' => 'since 1.35; register an extension tag named <img> instead.',
],
diff --git a/includes/config-vars.php b/includes/config-vars.php
index 3d9637281c6f..4b82bf371a2a 100644
--- a/includes/config-vars.php
+++ b/includes/config-vars.php
@@ -2017,6 +2017,7 @@ $wgEnableCanonicalServerLink = null;
/**
* Config variable stub for the MangleFlashPolicy setting, for use by phpdoc and IDEs.
* @see MediaWiki\MainConfigSchema::MangleFlashPolicy
+ * @deprecated since 1.39; no longer has any effect
*/
$wgMangleFlashPolicy = null;