Page MenuHomePhabricator
Create Task
Maniphest T120324

XSS in Flow topic titles
Closed, ResolvedPublic
Actions

Assigned To
Catrope
Authored By
Catrope
Dec 3 2015, 11:58 PM
Tags
Referenced Files
F3269135: Screen Shot 2016-01-22 at 7.07.32 AM.png
Jan 22 2016, 4:16 PM
F3269143: Screen Shot 2016-01-22 at 7.39.47 AM.png
Jan 22 2016, 4:16 PM
F3269146: Screen Shot 2016-01-22 at 7.57.07 AM.png
Jan 22 2016, 4:16 PM
F3269141: Screen Shot 2016-01-22 at 7.35.49 AM.png
Jan 22 2016, 4:16 PM
F3269138: Screen Shot 2016-01-22 at 7.32.32 AM.png
Jan 22 2016, 4:16 PM
F3045670: Screenshot from 2015-12-03 14-59-57.png
Dec 3 2015, 11:58 PM
F3045662: Screenshot from 2015-12-03 14-58-35.png
Dec 3 2015, 11:58 PM
Subscribers
Aklapper
Bawolff
Catrope
csteipp
Etonkovidova
gerritbot
Legoktm
View All 12 Subscribers

Description

Split from T120291#1850816:

In T120291#1850816, @Legoktm wrote:

I wasn't able to trigger an XSS in the Echo flyout, but I was in Flow...

Screenshot from 2015-12-03 14-58-35.png (1×1 px, 179 KB)
Screenshot from 2015-12-03 14-59-57.png (1×1 px, 245 KB)

Simply put <script>alert(1)</script> in a topic title.

Details

SubjectRepoBranchLines +/-
Add warning comment on formatLinksInCommentmediawiki/coremaster+4 -1
[SECURITY] Escape HTML characters in topic titlesmediawiki/extensions/Flowmaster+2 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Catrope created this task.Dec 3 2015, 11:58 PM
Catrope raised the priority of this task from to Unbreak Now!.
Catrope updated the task description. (Show Details)
Catrope added projects: StructuredDiscussions, Collaboration-Team-Archive-2015-2016.
Catrope added subscribers: Catrope, Legoktm.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 3 2015, 11:58 PM
Catrope mentioned this in T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications.Dec 4 2015, 12:00 AM
Jdforrester-WMF assigned this task to Catrope.Dec 4 2015, 12:00 AM
Jdforrester-WMF added projects: Security-Extensions, MW-1.27-release (WMF-deploy-2015-12-08_(1.27.0-wmf.8)), Patch-For-Review.
Jdforrester-WMF set Security to None.
gerritbot subscribed.Dec 4 2015, 12:01 AM

Change 256858 had a related patch set uploaded (by Catrope):
[SECURITY] Escape HTML characters in topic titles

https://gerrit.wikimedia.org/r/256858

Catrope moved this task from Untriaged to Needs Review on the Collaboration-Team-Archive-2015-2016 board.Dec 4 2015, 12:08 AM
gerritbot added a comment.Dec 4 2015, 12:14 AM

Change 256867 had a related patch set uploaded (by CSteipp):
Add warning comment on formatLinksInComment

https://gerrit.wikimedia.org/r/256867

gerritbot added a comment.Dec 4 2015, 12:19 AM

Change 256858 merged by jenkins-bot:
[SECURITY] Escape HTML characters in topic titles

https://gerrit.wikimedia.org/r/256858

gerritbot added a comment.Dec 4 2015, 12:24 AM

Change 256867 merged by jenkins-bot:
Add warning comment on formatLinksInComment

https://gerrit.wikimedia.org/r/256867

MZMcBride subscribed.Dec 4 2015, 12:30 AM
ReleaseTaggerBot added a project: MW-1.27-release-notes.Dec 4 2015, 1:00 AM
Legoktm added a subscriber: csteipp.Dec 4 2015, 2:10 AM

I audited the other callers of Linker::formatLinksInComment() (CentralAuth and LQT) and they both call the Sanitizer first properly. I'll leave it to either @Catrope or @csteipp to mark this as resolved.

Legoktm removed a project: MW-1.27-release-notes.Dec 4 2015, 2:10 AM
SBisson moved this task from Needs Review to QA Review on the Collaboration-Team-Archive-2015-2016 board.Dec 4 2015, 2:19 PM
csteipp closed this task as Resolved.Dec 4 2015, 5:13 PM

The issue is resolved, so I'm going to close this.

SBisson, if there are ways I can support the Collab team's QA process to make sure we don't have this happen again, let me know. Let's make that a followup phab task, if there's anything we can identify.

Etonkovidova mentioned this in T119537: Links in Flow topic titles: html code displayed when page scrolls up.Dec 4 2015, 5:20 PM
Etonkovidova subscribed.

Checked in betalabs - title, reply, board description, summary look fine.

There is the same issue with displaying html in a topic title as in T119537: Links in Flow topic titles: html code displayed when page scrolls up

Etonkovidova moved this task from QA Review to Product Review on the Collaboration-Team-Archive-2015-2016 board.Dec 4 2015, 5:21 PM
SBisson subscribed.Dec 4 2015, 5:22 PM

SBisson, if there are ways I can support the Collab team's QA process to make sure we don't have this happen again, let me know. Let's make that a followup phab task, if there's anything we can identify.

It's a good question. @Etonkovidova, our QA, might have some ideas.

Mattflaschen-WMF subscribed.Dec 4 2015, 6:11 PM
csteipp added a project: acl*security.Dec 7 2015, 7:46 PM
Etonkovidova added a comment.Jan 22 2016, 4:16 PM

Please review the following - any suggestions(follow-up bugs/more testing) are welcomed.

Tested on test.wikipedia.org

dataFlow topic titlesEcho flyoutNotification page
<code></code>plain textas code textas code text
<script>alert(1)</script>plain textplain textplain text
<tt>plain textis not displayedmonospace; changes all text to monospace
{{release}}plain textred linkred link
<!--T:1-->plain textplain textplain text
<translate>plain textplain textplain text

Red links for templates and <code> text displayed on Notifications page and in Echo.

Screen Shot 2016-01-22 at 7.35.49 AM.png (255×561 px, 54 KB)

Screen Shot 2016-01-22 at 7.57.07 AM.png (555×1 px, 158 KB)

Screen Shot 2016-01-22 at 7.39.47 AM.png (423×562 px, 71 KB)

Monospace in Echo notifications

Screen Shot 2016-01-22 at 7.07.32 AM.png (543×746 px, 100 KB)

<tt> in a topic titles displayed on Notifications page changed all subsequent notification messages font to monospace (and, in fact, all page's fonts)

Screen Shot 2016-01-22 at 7.32.32 AM.png (670×927 px, 78 KB)

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 22 2016, 4:16 PM
Etonkovidova added a comment.Jan 22 2016, 4:17 PM
This comment was removed by Etonkovidova.
Mattflaschen-WMF added a comment.Jan 22 2016, 8:19 PM
In T120324#1955720, @Etonkovidova wrote:

Please review the following - any suggestions(follow-up bugs/more testing) are welcomed.

Tested on test.wikipedia.org

Thanks for testing. The *only* markup topic titles support are internal links ([[Earth]]) and media links ([[Media:Saturn.jpg]]).

That means all cells of that table should be plain text.

The red links for templates is only because the template didn't exist. If it did, it would render, which is also wrong (templates are not supported).

Some of this is T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications.

Mattflaschen-WMF reopened this task as Open.Jan 22 2016, 8:20 PM
Mattflaschen-WMF moved this task from Product Review to In Development on the Collaboration-Team-Archive-2015-2016 board.
Mattflaschen-WMF added a subtask: T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications.
Bawolff subscribed.Jan 26 2016, 11:00 PM

@Mattflaschen To clarify, did you re-open due to further security issues, or do you just have related concerns with title handling that do not have security implications.

If its for follow-up things that aren't security, could that be done in a separate bug?

Mattflaschen-WMF closed this task as Resolved.Jan 26 2016, 11:02 PM

I don't think any of the remaining parts are strictly security.

I'll use T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications and file a new bug if I find Flow itself displaying it wrong anywhere.

Mattflaschen-WMF mentioned this in T127145: A straight single quotation mark in the title was percent-encoded upon saving.Feb 17 2016, 2:06 AM
jmatazzoni closed subtask T120291: wikitext in flow titles is parsed (HTML tags like <tt> and templates) on echo notifications as Resolved.Mar 3 2016, 7:07 PM
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMar 3 2016, 7:07 PM
Etonkovidova mentioned this in T141460: Notification: Dummy title used when section name is a magicword.Jul 28 2016, 6:32 PM
Etonkovidova mentioned this in T143243: templates are not parsed in Flow topic headings.Aug 18 2016, 6:36 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL