Page MenuHomePhabricator
Create Task
Maniphest T107206

TextExtracts should strip scripts
Closed, ResolvedPublic
Actions

Assigned To
Jdlrobson
Authored By
Mattflaschen-WMF
Jul 28 2015, 8:40 PM
Tags
Referenced Files
F8516186: 0001-SECURITY-script-tags-should-be-stripped-from-extract.patch
Jun 23 2017, 6:12 PM
F192692: Screenshot 2015-07-15 13.44.24.png
Aug 13 2015, 5:19 AM
Subscribers
Aklapper
Bawolff
bmansurov
brion
Catrope
csteipp
demon
View All 20 Subscribers

Description

Arguably they should not be there to begin with, but this has affected at least two extensions, so probably worth dealing with here:

T105924: Graph extension should exclude scripts tags so they will not be parsed by TextExtracts

T107170: Flow: Data Model JavaScript, including tokens, appears in TextExtracts and HoverCards

It's not always a security issue, but always a UX one.

Details

SubjectRepoBranchLines +/-
Play things safe when stripping HTMLmediawiki/extensions/TextExtractsREL1_28+3 -0
Play things safe when stripping HTMLmediawiki/extensions/TextExtractsREL1_27+3 -0
Play things safe when stripping HTMLmediawiki/extensions/TextExtractsREL1_29+3 -0
Play things safe when stripping HTMLmediawiki/extensions/TextExtractswmf/1.30.0-wmf.7+2 -0
Play things safe when stripping HTMLmediawiki/extensions/TextExtractsmaster+2 -0
Customize query in gerrit

Related Objects

Event Timeline

Mattflaschen-WMF created this task.Jul 28 2015, 8:40 PM
Mattflaschen-WMF raised the priority of this task from to Needs Triage.
Mattflaschen-WMF updated the task description. (Show Details)
Mattflaschen-WMF added a project: TextExtracts.
Mattflaschen-WMF added subscribers: Mattflaschen-WMF, Catrope, Mooeypoo.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 28 2015, 8:40 PM
Mattflaschen-WMF set Security to Software security bug.Jul 28 2015, 8:41 PM
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJul 28 2015, 8:41 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
Mattflaschen-WMF renamed this task from TextExtracts should script scripts to TextExtracts should strip scripts.Jul 28 2015, 8:45 PM
csteipp triaged this task as Low priority.Aug 12 2015, 8:48 PM
csteipp subscribed.

Was this fixed by https://gerrit.wikimedia.org/r/#/c/229039/?

Mattflaschen-WMF added a comment.Aug 13 2015, 5:19 AM

Only for Flow, not T105924: Graph extension should exclude scripts tags so they will not be parsed by TextExtracts if I understand correctly that the "Graphs" page (see F192692) is wikitext content model. Also not the general issue.

dr0ptp4kt added a project: Reading-Web-Sprint-73-One-day-we'll-finish-the-EventLogging-card.May 23 2016, 12:16 PM
dr0ptp4kt added subscribers: phuedx, Jdlrobson, jhobs and 2 others.May 23 2016, 4:30 PM
jhobs added a project: Web-Team-Backlog.May 23 2016, 6:11 PM
dr0ptp4kt subscribed.May 23 2016, 7:33 PM

@Mattflaschen-WMF, would you be willing to take a pass at a patch?

dr0ptp4kt moved this task from Needs Analysis to Tracking on the Reading-Web-Sprint-73-One-day-we'll-finish-the-EventLogging-card board.May 23 2016, 7:33 PM
dr0ptp4kt moved this task from Incoming to 2015-16 Q4 on the Web-Team-Backlog board.May 23 2016, 7:48 PM
Mattflaschen-WMF added a project: Collaboration-Team-Triage.Jun 2 2016, 11:55 PM
Mattflaschen-WMF moved this task from Untriaged to Hot on the Collaboration-Team-Triage board.
dr0ptp4kt added a subscriber: MBinder_WMF.Jun 6 2016, 4:03 PM
dr0ptp4kt moved this task from 2015-16 Q4 to 2014-15 Q4 on the Web-Team-Backlog board.Jun 6 2016, 8:36 PM
MBinder_WMF unsubscribed.Jun 6 2016, 8:41 PM
Jdlrobson moved this task from 2014-15 Q4 to Needs Prioritization on the Web-Team-Backlog board.Jun 15 2017, 9:31 PM

Just found this on my travels. Is this still a problem? Is it really low? Is this a problem with the Graph extension or TextExtracts or both?

Jdlrobson mentioned this in T167852: "<translate>" and <tvar|*> tag visible in Page Previews: HtmlFormatter only flattens spans.Jun 23 2017, 6:00 PM
Jdlrobson raised the priority of this task from Low to High.Jun 23 2017, 6:12 PM
Jdlrobson moved this task from Needs Prioritization to Upcoming on the Web-Team-Backlog board.
Jdlrobson added subscribers: dpatrick, Bawolff.

I can't replicate this in the wild, but I see how this is happening.
This relates to T167852 but is much more easily fixed. We need to update wgto include script tags so they get stripped from the extract.

My plan is to:

  1. Update on production:
    0001-SECURITY-script-tags-should-be-stripped-from-extract.patch881 BDownload
  2. Update in extension (change default - will submit and merge patch after SWAT)

@Bawolff @dpatrick that sound like a plan?

Jdlrobson merged a task: T105924: Graph extension should exclude scripts tags so they will not be parsed by TextExtracts.Jun 23 2017, 6:13 PM
Jdlrobson added subscribers: brion, Krinkle, TheDJ, Ricordisamoa.
Jhernandez added a subscriber: ovasileva.Jun 26 2017, 12:39 PM
demon subscribed.Jun 28 2017, 12:11 AM

Postponed from today's swat, pending some discussion of how to not do it via InitialiseSettings

Jdlrobson assigned this task to dpatrick.Jun 28 2017, 12:12 AM
Jdlrobson moved this task from Upcoming to Needs Prioritization on the Web-Team-Backlog board.

Per https://phabricator.wikimedia.org/T107206#3375393 let us know what you want to do!

phuedx added a comment.Jun 28 2017, 9:14 AM
In T107206#3384848, @demon wrote:

Postponed from today's swat, pending some discussion of how to not do it via InitialiseSettings

Where did that discussion take place?

demon added a comment.Jun 28 2017, 2:58 PM
In T107206#3385519, @phuedx wrote:
In T107206#3384848, @demon wrote:

Postponed from today's swat, pending some discussion of how to not do it via InitialiseSettings

Where did that discussion take place?

It hasn't yet, I postponed it because we need a discussion about how to do it instead :)

phuedx added a comment.Jun 28 2017, 3:12 PM

Mibad. I completely missed the "pending".

👍

Mattflaschen-WMF added a comment.Jun 28 2017, 7:26 PM
In T107206#2320863, @dr0ptp4kt wrote:

@Mattflaschen-WMF, would you be willing to take a pass at a patch?

Sorry, didn't see this (only happened to see this patch on the Phabricator web interface). I'm not checking Phabricator mail as much these days, so IRC/direct email is better for something like that.

Bawolff added a comment.Jun 29 2017, 5:05 PM
In T107206#3375393, @Jdlrobson wrote:

I can't replicate this in the wild, but I see how this is happening.
This relates to T167852 but is much more easily fixed. We need to update wgto include script tags so they get stripped from the extract.

My plan is to:

  1. Update on production:
    0001-SECURITY-script-tags-should-be-stripped-from-extract.patch881 BDownload
  2. Update in extension (change default - will submit and merge patch after SWAT)

@Bawolff @dpatrick that sound like a plan?

My understanding is that this is theoretical, and we're not currently aware of any examples of WMF extensions that would cause this?

I think stripping <script> tags is generally a good idea and similar to how the extension already removes <style>. To be really paranoid, I would add <input> (If an extension added a form to a wikipage, there could be a hidden input tag containing a token).

To be further paranoid, we may want ExtractFormatter::filterContent() to also remove any attributes starting with data or on. (data in case they contain sensitive data. on for scripts)

Instead of InitialiseSettings.php, I would suggest just adding the additional items to extension.json directly, and deploying that. I think its fine to do this as a public gerrit patch, provided the patch is merged pretty immediately after the patch is made public, and an announcement email is sent to wikitech-l/mediawiki-l advising people to upgrade. If for whatever reason we can't do the public announcement immediately after deploying, then it should be deployed as a secret security patch until we can do that announcement.

Jdlrobson added a project: Readers-Web-Kanbanana-Board-Old.Jun 29 2017, 5:54 PM

Going to swat this in 7 minutes time and send an e-mail to wikitech-l & mediawiki-l advising 3rd parties to upgrade.

Jdlrobson moved this task from To Do to Doing on the Readers-Web-Kanbanana-Board-Old board.Jun 29 2017, 5:54 PM
Jdlrobson moved this task from Doing to Needs Code Review on the Readers-Web-Kanbanana-Board-Old board.
Jdlrobson moved this task from Needs Prioritization to 2016-17 Q4 on the Web-Team-Backlog board.Jun 29 2017, 6:02 PM
Jdlrobson moved this task from Needs Code Review to Ready for Signoff on the Readers-Web-Kanbanana-Board-Old board.Jun 29 2017, 7:49 PM
Jdlrobson removed a project: acl*security.Jun 29 2017, 7:52 PM
Restricted Application added a project: acl*security. · View Herald TranscriptJun 29 2017, 7:52 PM
Jdlrobson removed dpatrick as the assignee of this task.Jun 29 2017, 7:53 PM

@Bawolff can you make this public?

Jdlrobson added a comment.Jun 29 2017, 7:54 PM

The following fix has been deployed: https://gerrit.wikimedia.org/r/362252
I've sent an email to mailing lists.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 29 2017, 8:24 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
In T107206#3392340, @Jdlrobson wrote:

@Bawolff can you make this public?

Done

Bawolff closed this task as Resolved.Jun 29 2017, 8:25 PM
Bawolff assigned this task to Jdlrobson.
gerritbot subscribed.Jun 30 2017, 12:17 PM

Change 362390 had a related patch set uploaded (by Brian Wolff; owner: Jdlrobson):
[mediawiki/extensions/TextExtracts@REL1_29] Play things safe when stripping HTML

https://gerrit.wikimedia.org/r/362390

gerritbot added a project: Patch-For-Review.Jun 30 2017, 12:17 PM

Change 362391 had a related patch set uploaded (by Brian Wolff; owner: Jdlrobson):
[mediawiki/extensions/TextExtracts@REL1_28] Play things safe when stripping HTML

https://gerrit.wikimedia.org/r/362391

gerritbot added a comment.Jun 30 2017, 12:21 PM

Change 362392 had a related patch set uploaded (by Brian Wolff; owner: Jdlrobson):
[mediawiki/extensions/TextExtracts@REL1_27] Play things safe when stripping HTML

https://gerrit.wikimedia.org/r/362392

gerritbot added a comment.Jun 30 2017, 12:23 PM

Change 362390 merged by jenkins-bot:
[mediawiki/extensions/TextExtracts@REL1_29] Play things safe when stripping HTML

https://gerrit.wikimedia.org/r/362390

gerritbot added a comment.Jun 30 2017, 12:23 PM

Change 362392 merged by jenkins-bot:
[mediawiki/extensions/TextExtracts@REL1_27] Play things safe when stripping HTML

https://gerrit.wikimedia.org/r/362392

gerritbot added a comment.Jun 30 2017, 12:25 PM

Change 362391 merged by jenkins-bot:
[mediawiki/extensions/TextExtracts@REL1_28] Play things safe when stripping HTML

https://gerrit.wikimedia.org/r/362391

chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL