Page MenuHomePhabricator
Create Task
Maniphest T135591

Linker::specialLink() does not escape the link text
Closed, ResolvedPublic
Actions

Description

	public static function specialLink( $name, $key = '' ) {
		if ( $key == '' ) {
			$key = strtolower( $name );
		}

		return self::linkKnown( SpecialPage::getTitleFor( $name ), wfMessage( $key )->text() );
	}

->text() should actually be ->escaped(). I don't think this is exploitable aside from making a text message into a raw HTML one.

The usage in the Nostalgia skin and WikimediaIncubator extension look fine to me,

(Noticed after csteipp pointed out that the new Linker rewrite should escape by default)

Related Objects

Event Timeline

Legoktm created this task.May 18 2016, 7:47 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 18 2016, 7:47 AM
Legoktm updated the task description. (Show Details)May 18 2016, 7:48 AM
dpatrick triaged this task as Low priority.May 24 2016, 9:22 PM
dpatrick added a project: Vuln-XSS.
dpatrick added a subscriber: dpatrick.

Hey @Legoktm, we'd like to make this bug public. How soon will your rewrite of the linker land?

Bawolff added a subscriber: Bawolff.May 27 2016, 7:18 PM

Thinking about this a little more.

There is no good reason that wfMessage() should ever have an unsafe output in the case of missing key. The fact that wfMessage( 'script>alert(1)<script' )->text() is evil, is totally unessary and weird. We should maybe make it strip angled brackets (They are already illegal in message names as not a valid title character), and maybe use square brackets as the delimiter instead.

Bawolff added a comment.Jul 18 2016, 10:10 AM
In T135591#2334992, @Bawolff wrote:

Thinking about this a little more.

There is no good reason that wfMessage() should ever have an unsafe output in the case of missing key. The fact that wfMessage( 'script>alert(1)<script' )->text() is evil, is totally unessary and weird. We should maybe make it strip angled brackets (They are already illegal in message names as not a valid title character), and maybe use square brackets as the delimiter instead.

Which I actually did in https://gerrit.wikimedia.org/r/#/c/296665/

Bawolff mentioned this in T133070: MediaWiki 1.27.1 security release.Jul 18 2016, 10:11 AM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Aklapper added a comment.May 6 2020, 12:14 AM

Could someone clarify which codebases / repositories this task is about? (@Legoktm, if you remember?) Wondering which tags to potentially add...

sbassett added a subscriber: sbassett.May 6 2020, 4:38 AM

@Aklapper - the function within the description is from core, and the issue described seems to have been fixed on master years ago as part of the larger bug T85864. There have been/still are a few additional bugs which deal with similar message-escaping issues.

Aklapper added a comment.May 6 2020, 12:39 PM

Thanks for the quick reply! Does that mean that this task is obsolete and should be closed, as additional bugs should be handled in other dedicated tickets?

sbassett closed this task as Resolved.EditedMay 7 2020, 3:14 PM
sbassett claimed this task.
sbassett added a subscriber: Nikerabbit.

@Aklapper - yes, we can resolve this for now as the primary issue within the description was fixed. We should likely also resolve/invalidate/decline T85864 per @Nikerabbit's recent suggestion there, as that task is incredibly stale and any new work, should it be picked up, should just become new sub-tasks of T2212.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".May 7 2020, 3:15 PM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL