Page MenuHomePhabricator
Create Task
Maniphest T118755

Fix LanguageConverter's parsing
Closed, ResolvedPublic
Actions

Description

The manner (and stage of execution) in which LanguageConverter's parsing has been implemented leads to XSS vulnerabilities. Extensions that run prior to LanguageConverter may allow for insertion of partial markup, which is then completed with LanguageConverter content replacement.

These problems may be remediated in two ways:

  1. Modify the stage at which LanguageConverter runs, such that it happens prior to content escaping; and
  2. Improve LanguageConverter's HTML tag parsing so that tag detection does not end early [implemented in LanguageConverter->autoConvert()].

The following bugs are related to this issue and give additional background:

Related Objects
Search...

Event Timeline

dpatrick created this task.Nov 16 2015, 5:50 PM
dpatrick claimed this task.
dpatrick raised the priority of this task from to Needs Triage.
dpatrick updated the task description. (Show Details)
dpatrick added projects: Security-Team, Vuln-XSS, acl*security.
dpatrick changed the visibility from "Public (No Login Required)" to "Custom Policy".
dpatrick changed the edit policy from "All Users" to "Custom Policy".
dpatrick changed Security from None to Software security bug.
dpatrick subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 16 2015, 5:50 PM
dpatrick moved this task from Incoming to In Progress on the Security-Team board.Nov 16 2015, 5:52 PM
dpatrick updated the task description. (Show Details)Nov 16 2015, 6:05 PM
dpatrick triaged this task as High priority.Nov 16 2015, 7:17 PM
Bawolff mentioned this in T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815).Nov 20 2015, 1:14 AM
csteipp added a subtask: T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815).Dec 3 2015, 7:26 PM
csteipp moved this task from In Progress to Ready on the Security-Team board.Apr 7 2016, 12:09 AM
dpatrick removed dpatrick as the assignee of this task.May 9 2016, 6:23 PM
dpatrick added a project: MediaWiki-Language-converter.
Reedy closed subtask T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815) as Resolved.Nov 13 2017, 8:29 PM
Bawolff closed this task as Resolved.Sep 4 2018, 3:02 PM
Bawolff claimed this task.
Bawolff subscribed.

LanguageConverter is better now (but still terrible. Please can we kill it)

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 4 2018, 3:02 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Winston_Sung moved this task from Backlog to Security on the MediaWiki-Language-converter board.Dec 27 2023, 6:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL