Page MenuHomePhabricator
Create Task
Maniphest T159458

DOMDocument::loadHTML() should be called more securely
Closed, ResolvedPublic
Actions

Description

The file includes/PF_AutoeditAPI.php calls DOMDocument::loadHTML() in a possibly-unsafe way. That call should be modified using these guidelines:

https://www.mediawiki.org/wiki/XML_External_Entity_Processing

Details

SubjectRepoBranchLines +/-
Secure call to DOMDocument::loadHTML()mediawiki/extensions/PageFormsmaster+3 -1
Customize query in gerrit

Related Objects

Event Timeline

Yaron_Koren created this task.Mar 2 2017, 4:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2017, 4:15 PM
Yaron_Koren mentioned this in T63989: Add a spreadsheet interface for modifying multiple pages to the Page Forms extension.Mar 2 2017, 4:15 PM
The-Gradient subscribed.Mar 5 2017, 5:40 PM
Harjotsingh claimed this task.Mar 13 2017, 10:34 AM
gerritbot subscribed.Mar 13 2017, 10:34 AM

Change 342439 had a related patch set uploaded (by Harjotsingh):
[mediawiki/extensions/PageForms] Secure call to DOMDocument::loadHTML()

https://gerrit.wikimedia.org/r/342439

gerritbot added a project: Patch-For-Review.Mar 13 2017, 10:34 AM
Harjotsingh mentioned this in rEPFMdfa40c0f8e4c: Secure call to DOMDocument::loadHTML().Mar 13 2017, 10:34 AM
Yaron_Koren added a comment.Mar 13 2017, 5:12 PM

@Harjotsingh - this seems reasonable. Did you test this? If so, how?

Harjotsingh added a comment.Mar 13 2017, 5:39 PM

@Yaron_Koren no, I didn't test for XXE vulnerability.I just followed the prevention pattern specified https://www.mediawiki.org/wiki/XML_External_Entity_Processing.

Is there a way I could test for the vulnerability ?

Yaron_Koren added a comment.Mar 13 2017, 6:14 PM

I don't know how to test for the vulnerability either - though that would be ideal. But the most important thing is just to make sure that the code still works now.

Harjotsingh added a comment.Mar 13 2017, 6:33 PM

I only tested autoedit for modifying pages automatically as specified here : https://www.mediawiki.org/wiki/Extension:Page_Forms/Linking_to_forms

Yaron_Koren mentioned this in rEPFMf95957aa0c21: Secure call to DOMDocument::loadHTML().Mar 17 2017, 2:59 AM
gerritbot added a comment.Mar 17 2017, 3:00 AM

Change 342439 merged by jenkins-bot:
[mediawiki/extensions/PageForms] Secure call to DOMDocument::loadHTML()

https://gerrit.wikimedia.org/r/342439

Yaron_Koren closed this task as Resolved.Mar 17 2017, 3:03 AM

Sorry for the long delay. I just merged in your fix. Thank you!

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)).Mar 17 2017, 4:00 AM
Harjotsingh mentioned this in T160257: Proposal : Adding Custom features while upgrading and updating Quiz extension - Gsoc17.Apr 2 2017, 7:04 PM
Harjotsingh mentioned this in rEPFM54ebd921f42d: Final NoteDb migration updates.Jun 9 2018, 7:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL