
Possible SQL injection via the "exclude" parameter
Closed, ResolvedPublic

Description

The WikiCategoryTagCloud extension allows certain parameters to be specified inside the tagcloud tags, like this (example copy-pasted from the extension's info page on MW.org):

<tagcloud>exclude=television,television_series,celebrities,food,yoga</tagcloud>

As reported by an anonymous MediaWiki.org user on 19 August 2015, the variable isn't sanitized properly (line 95 of WikiCategoryTagCloud.php), which could allow SQL injection, since the extension uses raw SQL (which is sorta due to the fact that the extension does a WHERE ... NOT IN query, which AFAIK isn't supported by MediaWiki's database abstraction layer).

Fix is to use Database's handy makeList() here on the array variable ($excluded_categories).
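As an added illustration (not the extension's own code), the weak pattern beside the fix the task proposes, written against MediaWiki's database interface; the function names, the `IDatabase` type name and the `categorylinks` query shape are assumptions for this example:

```php
<?php
// Added example, not code from the WikiCategoryTagCloud extension.
use Wikimedia\Rdbms\IDatabase;

/**
 * Vulnerable shape: the comma-separated "exclude" parameter is split and
 * concatenated straight into the SQL. The values are quoted by hand but never
 * escaped, so a quote character inside a "category name" changes the query
 * instead of matching a category.
 */
function buildExcludeCondUnsafe( string $excludeParam ): array {
	$excluded = array_map( 'trim', explode( ',', $excludeParam ) );
	return [ "cl_to NOT IN ('" . implode( "','", $excluded ) . "')" ];
}

/**
 * Fixed shape (what the task suggests): makeList() with LIST_COMMA passes each
 * value through addQuotes(), yielding a correctly quoted, comma-separated list
 * that can sit inside NOT IN (...), which select() cannot express by itself.
 */
function buildExcludeCondSafe( IDatabase $dbr, string $excludeParam ): array {
	$excluded = array_map( 'trim', explode( ',', $excludeParam ) );
	$excluded = array_filter( $excluded, 'strlen' ); // drop empty entries
	if ( !$excluded ) {
		return []; // nothing to exclude, no extra condition
	}
	return [ 'cl_to NOT IN (' . $dbr->makeList( $excluded, LIST_COMMA ) . ')' ];
}

/**
 * Assumed usage inside the tag handler: the condition is an ordinary entry in
 * the $conds array of select(), next to any other conditions the cloud needs.
 */
function selectCategoryCounts( IDatabase $dbr, string $excludeParam ) {
	return $dbr->select(
		'categorylinks',
		[ 'cl_to', 'cnt' => 'COUNT(*)' ],
		buildExcludeCondSafe( $dbr, $excludeParam ),
		__METHOD__,
		[ 'GROUP BY' => 'cl_to' ]
	);
}
```

The point to verify in review is that every user-supplied value reaches the SQL only through addQuotes() (directly or via makeList()), never through string concatenation.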

Event Timeline

Nov 19 2015, 9:10 PM
Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper.
ashley created this task.
ashley claimed this task.
ashley triaged this task as Medium priority.
ashley updated the task description.
ashley changed Security from None to Software security bug.
ashley edited subscribers, added: ashley, csteipp, matmarex; removed: Aklapper.

Nov 19 2015, 9:59 PM
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy".
Restricted Application changed the edit policy from "All Users" to "Custom Policy".

Nov 19 2015, 10:00 PM
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
Legoktm changed Security from Software security bug to None.