F36913408: T331192.patch (uploaded by Dreamy_Jazz (WBrown (WMF)))
Authored By: Dreamy_Jazz, 2023-03-15 19:42:23 (UTC+0)
Size: 1 KB
From 190f8e079c453fb94689753ae7dfbe96271771cf Mon Sep 17 00:00:00 2001
From: Dreamy Jazz <dreamyjazzwikipedia@gmail.com>
Date: Wed, 15 Mar 2023 19:25:20 +0000
Subject: [PATCH] Escape HTML in the user text for the checkbox in get users
Escape any HTML in the user text provided to the mustache template.
This is needed because any double quote characters (i.e. '"') will
cause the "value" attribute for the checkbox to be ended early. By
doing this it makes blocking the account using the block form that
is shown under the results impossible, but also could allow HTML
injection into the input tag. Injection of other elements should
not be possible unless $wgInvalidUsernameCharacters was modified
to remove the ">" character.
Bug: T331192
Change-Id: If38d0ffbfed795c2f2206a09aa65fb16d6a9d030
---
templates/GetUsersLine.mustache | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/GetUsersLine.mustache b/templates/GetUsersLine.mustache
index d7f32af6..ed255067 100644
--- a/templates/GetUsersLine.mustache
+++ b/templates/GetUsersLine.mustache
@@ -1,6 +1,6 @@
<li>
{{#canPerformBlocks}}
- <input type="checkbox" name="users[]" value="{{{userText}}}"/>
+ <input type="checkbox" name="users[]" value="{{userText}}"/>
{{/canPerformBlocks}}
<span class="mw-checkuser-user-link{{#userLinkClass}} {{userLinkClass}}{{/userLinkClass}}">
{{{userLink}}}
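Review bot: the switch to `{{userText}}` on the `+` line only closes the hole if the template engine's default escaping turns `"` into `&quot;`, since the value sits inside a double-quoted attribute; the patch adds no test, so a unit test that renders `GetUsersLine.mustache` with a username containing a double quote and asserts the `value` attribute survives intact (and that no extra attribute appears on the `<input>`) would pin the fix down. The `{{{userLink}}}` on the last context line presumably stays unescaped on purpose because it carries pre-rendered link HTML; a short comment in the template marking which variables are raw HTML and which are plain text would make that distinction visible and help keep this mistake from recurring.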
--
2.25.1
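As an added illustration of the attribute-breaking behaviour the commit message describes (this is example code, not part of the CheckUser patch or of MediaWiki): a minimal `render()` stands in for the Mustache engine, with triple braces modelled as raw insertion and double braces as `html.escape(quote=True)` (an assumption about the engine's default escaping), and a check parses the rendered `<input>` to confirm the `value` attribute round-trips to the original username. The username is constructed for the example.

```python
"""Added example: why `{{{userText}}}` breaks the checkbox value attribute and
why the HTML-escaped `{{userText}}` form keeps it intact. Not the project's
code; the rendering below is a stand-in for the Mustache engine."""
from html import escape
from html.parser import HTMLParser

# The two forms of the template line from the patch (before / after).
TEMPLATE_VULNERABLE = '<input type="checkbox" name="users[]" value="{{{userText}}}"/>'
TEMPLATE_FIXED = '<input type="checkbox" name="users[]" value="{{userText}}"/>'


def render(template: str, user_text: str) -> str:
    """Minimal Mustache stand-in: triple braces insert raw text, double braces
    insert HTML-escaped text (quotes included; assumption about the engine)."""
    # Triple braces are substituted first so the double-brace pass cannot
    # match the inner part of a triple-brace tag.
    out = template.replace("{{{userText}}}", user_text)
    return out.replace("{{userText}}", escape(user_text, quote=True))


class _InputAttrs(HTMLParser):
    """Collects the attributes of every <input> tag, as a browser would see them
    (HTMLParser decodes entity references in attribute values)."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def checkbox_attrs(html_text: str) -> dict:
    """Return the attribute dict of the first <input> in the rendered HTML."""
    parser = _InputAttrs()
    parser.feed(html_text)
    parser.close()
    return parser.inputs[0] if parser.inputs else {}


def value_round_trips(template: str, user_text: str) -> bool:
    """True when the parsed value equals the username exactly and the tag has
    only the three attributes the template declares, i.e. nothing leaked out
    of the quoted attribute."""
    attrs = checkbox_attrs(render(template, user_text))
    return attrs.get("value") == user_text and set(attrs) == {"type", "name", "value"}


if __name__ == "__main__":
    # Constructed username containing a double quote; benign extra attribute
    # shows the attribute boundary being crossed in the unescaped form.
    tricky = 'Alice" data-injected="1'
    for name, tpl in (("vulnerable", TEMPLATE_VULNERABLE), ("fixed", TEMPLATE_FIXED)):
        print(name, render(tpl, tricky), value_round_trips(tpl, tricky))
```

Running the block prints the two renderings side by side: the unescaped form yields an `<input>` whose `value` is just `Alice` plus a stray `data-injected` attribute, while the escaped form carries `&quot;` inside the attribute and parses back to the full username.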
File Metadata
Mime Type: text/x-diff
Attached To: T331192: CVE-2023-29135: CheckUser 'get users' form vulnerable to HTML injection through usernames