Page MenuHomePhabricator
Create Task
Maniphest T158011

Security review for Timeless skin
Closed, ResolvedPublic
Actions

Description

The Timeless skin has been prepared by @Isarra and needs a security review before deployment on the beta cluster.

Details

SubjectRepoBranchLines +/-
Fix category double escapingmediawiki/skins/Timelessmaster+1 -2
Refactor TimelessTemplate.phpmediawiki/skins/Timelessmaster+647 -470
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedIsarraT154371 Review and deploy Timeless skin
 ResolvedIsarraT158011 Security review for Timeless skin

Event Timeline

Dereckson created this task.Feb 13 2017, 10:07 PM
Paladox subscribed.Feb 14 2017, 1:32 AM
matmarex subscribed.Feb 18 2017, 5:53 PM
dpatrick mentioned this in E504: Security review of Timeless skin.Feb 22 2017, 7:29 PM
dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Feb 22 2017, 7:35 PM
Bawolff assigned this task to Isarra.Mar 7 2017, 2:46 AM
Bawolff moved this task from Scheduled to Waiting on the deprecated-security-team-reviews board.
Bawolff subscribed.

Review of 9613a9d4bc. Overall this looks good. I'm excited to see this be a skin on Wikimedia wikis. Some very minor issues with double escaping and not escaping "safe" values.

Minor security

  • in assemblePortlet: '<div role="navigation" class="' . $box['class'] . '" id="' . Sanitizer::escapeId( $box['id'] ) . '"' . Linker::tooltip( $box['id'] ) . '>'; - as a precaution, it'd be good to put the $box['class'] through htmlspecialchars. Even better would be to use Html::openElement for this.
  • "TimelessTemplate.php" line 300 - Run the id through Sanitizer::escapeId just in case. Even in the case that we know the value is safe, if the value comes from a different function, I would prefer it be escaped to protect against any future changes.
    • "TimelessTemplate.php" line 312 - ditto
    • "TimelessTemplate.php" line 652 - ditto
  • Double escaped messages:
    • "TimelessTemplate.php" line 358 - The placeholder values for makeSearchInput should not be escaped as it gets escaped later
    • "TimelessTemplate.php" line 500 - timeless-pagelog is double escaped
    • "TimelessTemplate.php" line 506 - timeless-more is double escaped
    • "TimelessTemplate.php" line 512 - timeless-languages is double escaped
  • "TimelessTemplate.php" line 660 - second argument to Linker::link should go through htmlspecialchars (This is not exploitable due to constraints on what a valid Title is, but nonetheless it should still be escaped. Imagine if someone was writing a story about a person nicknamed Lt, and put all the pages in [[category:Me&lt]] - then the category would display wrong)

Other misc comments

  • The way echo notification bar is shown is kind of a bit hidden/looks kind of odd.
  • Some of the SVG files could perhaps be minimized to save bandwidth
  • If the sitename is really long, it can overlap the Navigation drop-down in the mid-width view.
  • The javascript is kind of confusing - skins.timeless.js has only empty js files - perhaps it should be killed. skins.timeless.mobile despite its name seems to be used for all clients - perhaps it should be renamed.
MZMcBride subscribed.Mar 7 2017, 3:04 AM
Bawolff added a comment.Mar 7 2017, 4:26 AM

Just as a note, since these are all minor non-exploitable issues, they should not prevent putting the skin on betawiki (They should be fixed before deploying to a real wiki).

Isarra added a comment.Mar 7 2017, 4:39 PM

I love you.

Isarra mentioned this in T160643: Deploy Timeless to betawiki.Mar 16 2017, 3:51 PM
Isarra moved this task from Backlog to Bugs on the Timeless board.Mar 16 2017, 4:10 PM
Isarra added a comment.Mar 25 2017, 4:44 AM

Ah feck, I should have done this before refactoring the entire thing. >.>

Isarra added a comment.Mar 25 2017, 5:01 AM

"TimelessTemplate.php" line 300 - Run the id through Sanitizer::escapeId just in case. Even in the case that we know the value is safe, if the value comes from a different function, I would prefer it be escaped to protect against any future changes.
"TimelessTemplate.php" line 312 - ditto
"TimelessTemplate.php" line 652 - ditto

If those are all using Html::rawElement or whatever now, do I still need to worry about this? Because eeeeeverything is using Html::stuff now.

skins.timeless.mobile despite its name seems to be used for all clients

I don't actually know how to make it only load at a certain width aside from checking in the file itself. Is there a better way?

gerritbot subscribed.Mar 25 2017, 6:44 AM

Change 344748 had a related patch set uploaded (by Isarra):
[mediawiki/skins/Timeless@master] Refactor TimelessTemplate.php

https://gerrit.wikimedia.org/r/344748

gerritbot added a project: Patch-For-Review.Mar 25 2017, 6:44 AM
gerritbot added a comment.Mar 26 2017, 5:35 PM

Change 344748 merged by jenkins-bot:
[mediawiki/skins/Timeless@master] Refactor TimelessTemplate.php

https://gerrit.wikimedia.org/r/344748

Isarra added a comment.Mar 26 2017, 6:03 PM

Okay, so it looks like you still need to do escapeId when working with the Html functions. That should be fixed now. Double escaping is probably fixed (documentation is a mite unclear on getMsg, so it's possible I screwed that up, though). Echo was already done, as least sort of (still some issues on mobile). Filed a bug about the images, and for the too long site name.

Still dunno what to do about the js, but we can come back to that later, or something.

Other than that, I think I've addressed everything.

Bawolff added a comment.Mar 27 2017, 3:34 AM

Still dunno what to do about the js, but we can come back to that later, or something.

I just thought it was slightly confusing, it really doesn't matter though.

Other than that, I think I've addressed everything.

Looks good, although I think there is now too much escaping on category names (e.g. & is now showing up as &amp; in the user interface).

Isarra added a comment.Mar 27 2017, 4:00 AM

Is it just the categories? Anything else doing that now? >.>

gerritbot added a comment.Apr 8 2017, 2:53 PM

Change 347169 had a related patch set uploaded (by Isarra):
[mediawiki/skins/Timeless@master] Fix category double escaping

https://gerrit.wikimedia.org/r/347169

Isarra closed this task as Resolved.Apr 8 2017, 3:33 PM

Y'ALL DID THAT, I IMPLEMENTED STUFF, EVERYTHING'S DONE NOW, RIGHT?

gerritbot added a comment.Apr 8 2017, 4:08 PM

Change 347169 merged by Isarra:
[mediawiki/skins/Timeless@master] Fix category double escaping

https://gerrit.wikimedia.org/r/347169

Dereckson awarded a token.Apr 9 2017, 12:33 AM
sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:22 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL