Page MenuHomePhabricator
Create Task
Maniphest T133507

Careless use of $wgExternalLinkTarget is insecure
Closed, ResolvedPublic
Actions

Assigned To
csteipp
Authored By
ori
Apr 24 2016, 8:57 PM
Tags
Referenced Files
F3985210: T133507-REL1_25.patch
May 9 2016, 8:01 AM
F3985212: T133507-REL1_26.patch
May 9 2016, 8:01 AM
F3985205: T133507-master.patch
May 9 2016, 8:01 AM
F3985209: T133507-REL1_23.patch
May 9 2016, 8:01 AM
F3947563: T133507-REL1_26.patch
Apr 29 2016, 10:15 PM
F3947558: T133507-master
Apr 29 2016, 10:15 PM
F3947569: T133507-REL1_23.patch
Apr 29 2016, 10:15 PM
F3947567: T133507-REL1_25.patch
Apr 29 2016, 10:15 PM
View All 9 Files
Subscribers
Aklapper
Bawolff
csteipp
Grunny
Malyacko
matmarex
ori

Description

Introduced in r41333, $wgExternalLinkTarget allows MediaWiki operators to set the target attribute on external links. The documented use-case is to set $wgExternalLinkTarget = '_blank';, so links open in a new window or tab:

includes/DefaultSettings.php L4205-4208
/**
 * Set a default target for external links, e.g. _blank to pop up a new window
 */
$wgExternalLinkTarget = false;

The problem is that when you click on a target="_blank" link, JavaScript code on the destination page has full control of the window object of the source page, via window.opener. In the event the page is cross-origin, the new window is allowed to set window.opener.location to a new value.

window.opener.document is protected by CORS, but window.opener.location is not, allowing the target page to surreptitiously redirect the tab that opened it to a phishing page.

There is a good explanation of this issue, with working examples, at https://mathiasbynens.github.io/rel-noopener/

This is a good reason never to use target="_blank" with user-generated links.

Should we prevent users from shooting themselves in the foot by deprecating and refusing to honor $wgExternalLinkTarget when it is set to "_blank"? (This article suggests most people who think they want to use _blank shouldn't.)

At minimum, I think we should:

  • Update the comment to make it clear that this is risky.
  • Emit a warning when the configured value is unsafe.

see also:

Related Objects
Search...

Event Timeline

ori created this task.Apr 24 2016, 8:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 24 2016, 8:57 PM
ori renamed this task from Careless use of $wgExternalLinkTarget can make wiki vulnerable to XSS to Careless use of $wgExternalLinkTarget is insecure.Apr 24 2016, 8:57 PM
matmarex subscribed.Apr 25 2016, 12:31 AM

JavaScript code on the destination page has full control of the window object of the source page

Where "full control" means that it can navigate it, and that's basically all. It can't even read the location (so not a leak for private wikis), only set it.

Also, this is not specific to target="_blank", it works the same for any value of target (except _self and maybe some other magic ones, I suppose).

I dunno, I think we could just set rel="noopener" on external links and document this.

Bawolff subscribed.Apr 25 2016, 3:21 AM

It can't even read the location (so not a leak for private wikis)

Well generally speaking all pages can read the location by looking at the referrer headers, but that's nothing new.

Its is a bizarre feature of the web browser security model though... At least javascript: urls do not seem to be allowed cross-origin.

I dunno, I think we could just set rel="noopener" on external links and document this.

That sounds like a reasonable response to me.

Grunny subscribed.Apr 25 2016, 9:24 AM

I dunno, I think we could just set rel="noopener" on external links and document this.

That sounds like a reasonable response to me.

Just something to keep in mind, rel="noopener" only works on Chrome and Opera, and does not work in Firefox, Safari, IE, and Edge.

This would also probably affect anyone with the exlinks Gadget enabled on Wikimedia wikis: https://en.wikipedia.org/wiki/MediaWiki:Gadget-exlinks.js

Bawolff added a project: Patch-For-Review.Apr 25 2016, 6:12 PM

So if we still want to allow taregt="_blank" generally, and try to mitigate via rel="noopener noreferrer", here's a patch

add rel="noreferrer noopener" for target="_blank" and friends4 KBDownload

[To clarify, this shouldn't be taken as me trying to force that approach. I think which approach to take (ie whether to allow _blank at all) is still something that should be considered "up in the air"]

Bawolff added a comment.Apr 26 2016, 9:07 PM

See also T98013 where we set target to be _blank on votewiki

Bawolff updated the task description. (Show Details)Apr 26 2016, 9:10 PM
csteipp triaged this task as Medium priority.Apr 26 2016, 9:25 PM
Bawolff added a comment.Apr 29 2016, 10:15 PM

New version based on csteipp's CR:

T133507-master4 KBDownload

Also, I know this is a little late, but I was kind of hoping this could maybe get into security release, since the window.opener thing is trending in the blogosphere, and was at the top of HN the other day. With that in mind, here are backports:

Bawolff mentioned this in T124940: MediaWiki 1.26.3 security release.Apr 29 2016, 10:18 PM
Bawolff added a parent task: T124940: MediaWiki 1.26.3 security release.
csteipp subscribed.May 5 2016, 6:43 PM

New version based on csteipp's CR:
T133507-master

LGTM, I'm going to deploy this

csteipp closed this task as Resolved.May 5 2016, 6:48 PM
csteipp claimed this task.

Deployed

18:47 csteipp: deployed patch for T133507

Bawolff added a comment.May 9 2016, 8:01 AM

New version with [SECURITY] prefixed to the subject line:

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:28 PM
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:28 PM
matmarex mentioned this in T143849: Phishing through window.opener with the "Open external links in a new tab or window" gadget..Aug 25 2016, 4:49 AM
Krinkle added projects: Performance-Team, Wikimedia-Performance-publish.Dec 9 2018, 6:56 PM
Krinkle updated the task description. (Show Details)
Schnark mentioned this in T214821: Reference previews use target=_blank without rel=noopener.Jan 28 2019, 8:57 AM
Krinkle moved this task from Untriaged to Ready for write-up on the Wikimedia-Performance-publish board.Feb 18 2019, 10:34 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Krinkle moved this task from Ready for write-up to Misc bookmarks on the Wikimedia-Performance-publish board.Dec 7 2021, 7:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL