Page MenuHomePhabricator
Create Task
Maniphest T125163

id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812)
Closed, ResolvedPublic
Actions

Assigned To
MaxSem
Authored By
Bawolff
Jan 28 2016, 11:10 PM
Tags
Referenced Files
F10767949: T125163-REL1_28.patch
Nov 13 2017, 5:57 PM
F10767948: T125163-REL1_27.patch
Nov 13 2017, 5:57 PM
F10767950: T125163-REL1_29.patch
Nov 13 2017, 5:57 PM
F4326064: T125163-master
Aug 1 2016, 12:21 PM
F4326062: T125163-REL1_27
Aug 1 2016, 12:21 PM
F4326058: T125163-REL1_23
Aug 1 2016, 12:21 PM
F4326060: T125163-REL1_26
Aug 1 2016, 12:21 PM
F3278917: Use more complex regex for html in autoConvert
Jan 28 2016, 11:10 PM
View All 9 Files
Subscribers
Aklapper
Bawolff
gerritbot
liangent
MaxSem
Reedy

Description

With

Use more complex regex for html in autoConvert1 KBDownload
(See T119158 and T73394) this will no longer really be an issue once that patch is deployed, but given all the trouble with lang converter, might make sense as a hardening step.

wikitext like:

==>foo==

makes

<div id=".3Efoo"></div>
<h2>
<span class="mw-headline" id=">foo">&gt;foo</span><span class="mw-editsection">
<span class="mw-editsection-bracket">[</span><a href="/w/git/index.php?title=Special:ExpandTemplates&amp;action=edit&amp;section=1" title="Edit section: &gt;foo">edit</a>
<span class="mw-editsection-bracket">]</span></span>
</h2>

Note in particular: <span class="mw-headline" id=">foo">

Making that > be &gt; might be better as a hardening step against lang converter (or anything that uses regexes in a similar manner) mucking about.

Patch:

Escape < and > in id attribute for headlines1 KBDownload

As an aside, this issue was noticed with the help of afl

Backports:

T125163-REL1_271 KBDownload
T125163-master1 KBDownload
(Master as of last July 2016)

Details

SubjectRepoBranchLines +/-
SECURITY: Make anchor for headlines escape > and <mediawiki/coreREL1_27+9 -6
Make anchor for headlines escape > and <mediawiki/corefundraising/REL1_27+8 -6
SECURITY: Make anchor for headlines escape > and <mediawiki/coreREL1_29+9 -6
SECURITY: Make anchor for headlines escape > and <mediawiki/coreREL1_28+9 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Jan 28 2016, 11:10 PM
Bawolff raised the priority of this task from to Needs Triage.
Bawolff updated the task description. (Show Details)
Bawolff added projects: Security-Team, acl*security.
Bawolff changed the visibility from "Public (No Login Required)" to "Custom Policy".
Bawolff changed the edit policy from "All Users" to "Custom Policy".
Bawolff changed Security from None to Software security bug.
Bawolff subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2016, 11:10 PM
Bawolff triaged this task as Medium priority.Feb 2 2016, 10:23 PM
Bawolff added projects: MediaWiki-Language-converter, Patch-For-Review.
Bawolff added a subscriber: liangent.Feb 5 2016, 10:30 AM
Bawolff added a parent task: T133070: MediaWiki 1.27.1 security release.Jul 10 2016, 6:06 PM
Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.
Bawolff edited parent tasks, added: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release; removed: T133070: MediaWiki 1.27.1 security release.Jul 18 2016, 8:37 AM
Bawolff updated the task description. (Show Details)Aug 1 2016, 12:21 PM
demon removed a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Jan 24 2017, 11:41 PM
MaxSem subscribed.Nov 2 2017, 9:53 PM

Turns out, I inadvertently fixed this in https://gerrit.wikimedia.org/r/#/c/362326/ not even knowing about this bug. This change is present in 1.30. Do we need to backport to older versions?

dpatrick mentioned this in T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 8 2017, 5:51 PM
dpatrick added a parent task: T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.
Reedy subscribed.Nov 8 2017, 5:53 PM
In T125163#3731068, @MaxSem wrote:

Turns out, I inadvertently fixed this in https://gerrit.wikimedia.org/r/#/c/362326/ not even knowing about this bug. This change is present in 1.30. Do we need to backport to older versions?

It'd be certainly useful to do so... Can we tease out the security related parts? As otherwise backporting this through 1.29 back to 1.27 isn't going to be fun for anyone... And obviously, we don't generally want to be trying to backport "features" unless they're supporting to actually making a security fix

Reedy updated the task description. (Show Details)Nov 10 2017, 10:27 PM

Removed patches

T125163-REL1_231 KBDownload
T125163-REL1_261 KBDownload

Reedy added a comment.Nov 10 2017, 10:33 PM

Ok, so comparing @Bawolff's patches to https://gerrit.wikimedia.org/r/#/c/362326/ and specifically in Linker.php https://gerrit.wikimedia.org/r/#/c/362326/28/includes/Linker.php we see the patches are mostly identical.

MaxSem just updates some documentation, and uses slightly different variable names

Am I ok to just cherry pick this file change in the open?

Reedy added a comment.Nov 10 2017, 10:39 PM
From fd6e9ef2d481209b01fa6e1bb1c863b8257f0272 Mon Sep 17 00:00:00 2001
From: Max Semenik <maxsem.wiki@gmail.com>
Date: Thu, 29 Jun 2017 17:13:12 -0700
Subject: [PATCH] Human-readable section ID support

It adds the ability to replace the current section ID escaping
schema (.C0.DE) with a HTML5-compliant escaping schema that is
displayed as Unicode in many modern browsers.

See the linked bug for discussion of various options that were
considered before the implementation. A few remarks:
* Because Sanitizer::escapeId() is used in a bunch of places without
  escaping, I'm deprecating it without altering its behavior.
* The bug described in comments for Parser::guessLegacySectionNameFromWikiText()
  is still there in some Edge versions that display mojibake.

Bug: T152540
Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
---

diff --git a/includes/Linker.php b/includes/Linker.php
index 4aae3ba..2ca851c 100644
--- a/includes/Linker.php
+++ b/includes/Linker.php
@@ -1608,22 +1608,24 @@
 	 *   a space and ending with '>'
 	 *   This *must* be at least '>' for no attribs
 	 * @param string $anchor The anchor to give the headline (the bit after the #)
-	 * @param string $html Html for the text of the header
+	 * @param string $html HTML for the text of the header
 	 * @param string $link HTML to add for the section edit link
-	 * @param bool|string $legacyAnchor A second, optional anchor to give for
+	 * @param string|bool $fallbackAnchor A second, optional anchor to give for
 	 *   backward compatibility (false to omit)
 	 *
 	 * @return string HTML headline
 	 */
 	public static function makeHeadline( $level, $attribs, $anchor, $html,
-		$link, $legacyAnchor = false
+		$link, $fallbackAnchor = false
 	) {
+		$anchorEscaped = htmlspecialchars( $anchor );
 		$ret = "<h$level$attribs"
-			. "<span class=\"mw-headline\" id=\"$anchor\">$html</span>"
+			. "<span class=\"mw-headline\" id=\"$anchorEscaped\">$html</span>"
 			. $link
 			. "</h$level>";
-		if ( $legacyAnchor !== false ) {
-			$ret = "<div id=\"$legacyAnchor\"></div>$ret";
+		if ( $fallbackAnchor !== false && $fallbackAnchor !== $anchor ) {
+			$fallbackAnchor = htmlspecialchars( $fallbackAnchor );
+			$ret = "<div id=\"$fallbackAnchor\"></div>$ret";
 		}
 		return $ret;
 	}
Reedy added a comment.EditedNov 10 2017, 10:42 PM

^ For 1.27-1.29.. Just needs a new commit summary at least

Reedy mentioned this in T179609: Obtain CVE's for 1.27.4/1.29.2 security releases.Nov 13 2017, 2:23 PM
Reedy closed this task as Resolved.Nov 13 2017, 5:57 PM
Reedy assigned this task to MaxSem.

T125163-REL1_29.patch1 KBDownload

T125163-REL1_28.patch1 KBDownload

T125163-REL1_27.patch1 KBDownload

Bawolff added a comment.Nov 13 2017, 10:55 PM
This comment was removed by Bawolff.
MoritzMuehlenhoff renamed this task from id attribute on headlines allow raw > [Possible issue in combination with language converter] to id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).Nov 14 2017, 9:29 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:05 AM
Reedy changed the edit policy from "Custom Policy" to "All Users".
gerritbot subscribed.Nov 15 2017, 12:10 AM

Change 391410 merged by jenkins-bot:
[mediawiki/core@fundraising/REL1_27] Make anchor for headlines escape > and <

https://gerrit.wikimedia.org/r/391410

ReleaseTaggerBot added a project: MW-1.29-release-notes.Nov 15 2017, 1:01 AM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:08 PM
sbassett moved this task from Patch pending review to Done on the acl*security board.Sep 26 2019, 2:45 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Winston_Sung moved this task from Backlog to Core on the MediaWiki-Language-converter board.Dec 27 2023, 6:15 PM
Winston_Sung removed a project: Patch-For-Review.
Winston_Sung moved this task from Core to Security on the MediaWiki-Language-converter board.Dec 27 2023, 6:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL