0001-T178451-REL1_27.patch

Authored By
Reedy
Nov 2 2017, 11:57 PM
Size
2 KB

From 9349305a3599a9867da5742e8948735d39c3b9d6 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 18 Oct 2017 05:28:43 +0000
Subject: [PATCH 1/2] SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled.
Most browsers percent escape < and > so it's probably not exploitable
(curl is an exception here), but nonetheless it's not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
RELEASE-NOTES-1.27 | 2 ++
includes/exception/MWException.php | 16 +++++++++-------
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 354462b7c3..44855723d0 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -17,6 +17,8 @@ This not a release yet!
* (T175439) Unbreak Postgres Updater when setting defaults for a column.
* (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
* (T142304) Allow putting the app ID in the password for bot passwords.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+ sends non-standard url escaping.
== MediaWiki 1.27.3 ==
Due to a packaging error, the wrong version of the SyntaxHighlight extension was
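Review bot: the release-note entry states the trigger ($wgShowExceptionDetails = false plus a client that does not percent-encode the URL) but not where the fix landed; adding "in the MWException error box (includes/exception/MWException.php)" would let packagers and downstream maintainers map the entry to the code changed in the second hunk. Minor: "url" should be capitalised as "URL", and the wrapped second line keeps the leading space so it renders as part of the same bullet, which is fine.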
diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php
index bebd91580f..dcb38b23a7 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -144,13 +144,15 @@ class MWException extends Exception {
$logId = WebRequest::getRequestId();
$type = get_class( $this );
return "<div class=\"errorbox\">" .
- '[' . $logId . '] ' .
- gmdate( 'Y-m-d H:i:s' ) . ": " .
- $this->msg( "internalerror-fatal-exception",
- "Fatal exception of type $1",
- $type,
- $logId,
- MWExceptionHandler::getURL( $this )
+ htmlspecialchars(
+ '[' . $logId . '] ' .
+ gmdate( 'Y-m-d H:i:s' ) . ": " .
+ $this->msg( "internalerror-fatal-exception",
+ "Fatal exception of type $1",
+ $type,
+ $logId,
+ MWExceptionHandler::getURL( $this )
+ )
) . "</div>\n" .
"<!-- Set \$wgShowExceptionDetails = true; " .
"at the bottom of LocalSettings.php to show detailed " .
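Review bot: wrapping the whole string in htmlspecialchars() escapes the URL returned by MWExceptionHandler::getURL(), which is the point, but it also commits the output of $this->msg( "internalerror-fatal-exception", ... ) to being plain text: if any localisation of that message carries markup, or if msg() ever returns parsed HTML, it will now appear escaped inside the errorbox div. Worth confirming that msg() yields the text form here and adding a one-line comment above the htmlspecialchars() call saying the message is treated as plain text. Also note that htmlspecialchars() with default flags does not encode single quotes; that is adequate for element content as in this hunk, but the same call should not be copied into an attribute context. $logId and gmdate() are not attacker-controlled, so escaping them is harmless.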
--
2.14.1
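The commit message describes the mechanism without showing it: the short fatal-exception box embeds the request URL, a browser percent-encodes `<` and `>` before they reach the server, but a client such as curl sends them verbatim. The following PHP is an added example, not MediaWiki code or part of this patch. It assumes a simplified message template that interpolates the URL (the real `internalerror-fatal-exception` text and its `$2`/`$3` parameters are not shown on this page), and the helper names `getRequestUrl`, `errorBoxUnescaped`, `errorBoxEscaped` and `containsInjectedTag` are hypothetical stand-ins for the code in the hunk above.

```php
<?php
// Added example, not MediaWiki code: why the request URL in the fatal-exception
// box must be escaped, and how the patched output differs from the old one.
// getRequestUrl() is a hypothetical stand-in for MWExceptionHandler::getURL().

declare(strict_types=1);

/** Stand-in for MWExceptionHandler::getURL(): the request target as received. */
function getRequestUrl(string $rawRequestUri): string {
    // No normalisation: whatever bytes the client put on the request line.
    return $rawRequestUri;
}

/** Pre-patch shape of the short error box ($wgShowExceptionDetails = false). */
function errorBoxUnescaped(string $logId, string $type, string $url): string {
    return '<div class="errorbox">' .
        '[' . $logId . '] ' . gmdate('Y-m-d H:i:s') . ': ' .
        "Fatal exception of type $type (request URL: $url)" .   // assumed template
        "</div>\n";
}

/** Post-patch shape: the whole text node goes through htmlspecialchars(). */
function errorBoxEscaped(string $logId, string $type, string $url): string {
    return '<div class="errorbox">' .
        htmlspecialchars(
            '[' . $logId . '] ' . gmdate('Y-m-d H:i:s') . ': ' .
            "Fatal exception of type $type (request URL: $url)",  // assumed template
            ENT_QUOTES
        ) .
        "</div>\n";
}

/** True if anything inside the wrapper div would open a new HTML tag. */
function containsInjectedTag(string $html): bool {
    $inner = substr($html, strlen('<div class="errorbox">'), -strlen("</div>\n"));
    return (bool) preg_match('/<\w+/', $inner);
}

// Constructed inputs. A browser percent-encodes < and > in the request line,
// so the first is what a browser-originated request looks like on the server;
// the second is what curl sends for the same command-line argument, unchanged.
$fromBrowser = '/w/index.php?title=%3Cscript%3Ealert(1)%3C/script%3E';
$fromCurl    = '/w/index.php?title=<script>alert(1)</script>';

foreach ([$fromBrowser, $fromCurl] as $uri) {
    $url = getRequestUrl($uri);
    printf(
        "%-55s unescaped: %-8s escaped: %s\n",
        $uri,
        containsInjectedTag(errorBoxUnescaped('abc123', 'Exception', $url)) ? 'INJECTED' : 'ok',
        containsInjectedTag(errorBoxEscaped('abc123', 'Exception', $url)) ? 'INJECTED' : 'ok'
    );
}
```

Running this prints `ok` for both variants of the browser-style URL and `INJECTED` only for the unescaped box fed the curl-style URL, which is exactly the "probably not exploitable from a browser, but still wrong" case the commit message describes. `ENT_QUOTES` is used here because it costs nothing and keeps the helper safe if someone later reuses it inside an attribute; the patch itself relies on the default flags, which is sufficient for element content.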

File Metadata

Mime Type
text/x-diff