0001-SECURITY-XSS-in-unclosed-internal-links.patch

Authored By
Bawolff
Jun 8 2016, 2:41 AM
Size
1 KB
Referenced Files
None
Subscribers
None

From 28a901823025d3ed1413a0b000869ca0f526a617 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 7 Jun 2016 22:35:15 -0400
Subject: [PATCH] SECURITY: XSS in unclosed internal links

rawurldecode was being run on unclosed internal links
which could allow an attacker to insert arbitrary
HTML into the page.

See also related: r13302

Bug: T137264
Change-Id: I4e112a9e918df9fe78b62c311939239b483a21f5
---
includes/parser/Parser.php | 2 +-
tests/parser/parserTests.txt | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 116b274..13ff648 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -2165,7 +2165,7 @@ class Parser {
$might_be_img = true;
$text = $m[2];
if ( strpos( $m[1], '%' ) !== false ) {
- $m[1] = rawurldecode( $m[1] );
+ $m[1] = str_replace( [ '<', '>' ], [ '&lt;', '&gt;' ], rawurldecode( $m[1] ) );
}
$trail = "";
} else { # Invalid form; output directly
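Review bot: the replacement on the added line escapes only `<` and `>` in the decoded `$m[1]`, so an `&` produced by decoding `%26` passes through unescaped, and nothing in the code says why the decoded value needs escaping here. If leaving `&` alone is deliberate (for example, to avoid double-escaping entities already present in the link text), state that in a comment above the line; otherwise escape it too. A short comment tying this to the unclosed-link case named in the commit message (T137264) would also keep a later cleanup from reverting the line to a bare `rawurldecode( $m[1] )`.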
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 6c3841d..501e77f 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -26932,3 +26932,12 @@ Empty LI (T49673)
<li>b</li>
</ul>
!! end
+
+!! test
+unclosed internal link XSS (T137264)
+!! wikitext
+[[#%3Cscript%3Ealert(1)%3C/script%3E|
+!! html
+<p>[[#&lt;script&gt;alert(1)&lt;/script&gt;|
+</p>
+!! end
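Review bot: the new parser test exercises a single input, `[[#%3Cscript%3Ealert(1)%3C/script%3E|`, which is a fragment-only target with uppercase hex escapes. Consider adding cases for lowercase escapes (`%3c`, `%3e`), for a target without the leading `#`, and for a properly closed link with a percent-encoded target, so the suite pins down both that the unclosed form stays escaped and that the added `str_replace` does not change the output of valid links.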
--
2.0.1
