F4141510
0001-SECURITY-XSS-in-unclosed-internal-links.patch
Authored By
Bawolff
Jun 8 2016, 2:41 AM
2016-06-08 02:41:27 (UTC+0)
Size
1 KB
From 28a901823025d3ed1413a0b000869ca0f526a617 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Tue, 7 Jun 2016 22:35:15 -0400
Subject: [PATCH] SECURITY: XSS in unclosed internal links
rawurldecode was being run on unclosed internal links
which could allow an attacker to insert arbitrary
html into the page.
See also related: r13302
Bug: T137264
Change-Id: I4e112a9e918df9fe78b62c311939239b483a21f5
---
includes/parser/Parser.php | 2 +-
tests/parser/parserTests.txt | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 116b274..13ff648 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -2165,7 +2165,7 @@ class Parser {
$might_be_img = true;
$text = $m[2];
if ( strpos( $m[1], '%' ) !== false ) {
- $m[1] = rawurldecode( $m[1] );
+ $m[1] = str_replace( [ '<', '>' ], [ '<', '>' ], rawurldecode( $m[1] ) );
}
$trail = "";
} else { # Invalid form; output directly
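Review bot: On the added line, the search and replacement arrays passed to `str_replace` are identical as shown here (`[ '<', '>' ]` in both positions), which makes the call a no-op and leaves the decoded `<` and `>` in `$m[1]`. The second array needs to hold the entity forms `&lt;` and `&gt;`; if the original patch has them and this page view decoded them, check the raw file before applying. Since the commit message says this decoded text can reach the page as HTML for unclosed links, add a short comment above the line explaining why the result of `rawurldecode` is re-escaped, and say why only angle brackets are covered and not `&` or quotes, so a later cleanup does not drop or narrow it.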
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index 6c3841d..501e77f 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -26932,3 +26932,12 @@ Empty LI (T49673)
<li>b</li>
</ul>
!! end
+
+!! test
+unclosed internal link XSS (T137264)
+!! wikitext
+[[#%3Cscript%3Ealert(1)%3C/script%3E|
+!! html
+<p>[[#<script>alert(1)</script>|
+</p>
+!! end
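Review bot: The expected output under `!! html` shows a literal `<script>alert(1)</script>` as rendered here, which is the unescaped result the fix is meant to prevent. The expectation should contain the escaped form `&lt;script&gt;alert(1)&lt;/script&gt;` so the test fails if the escaping regresses; confirm against the raw patch in case this view decoded the entities. The test exercises only a fragment link (`[[#...|`) with upper-case `%3C`/`%3E`; a second case with the encoded characters in the title part rather than after `#` would cover the same branch more fully.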
--
2.0.1
Attached To
T133070: MediaWiki 1.27.1 security release
T137264: XSS in Parser::replaceInternalLinks2 during replacement of percent encoding in unclosed internal links