Page MenuHomePhabricator
Create Task
Maniphest T167812

TemplateStyles HTML injection
Closed, ResolvedPublic
Actions

Description

It's possible to include a </style> in a stylesheet considered valid by css-sanitizer and TemplateStyles. Anything after that in the stylesheet will be interpreted as raw HTML.

Specifically, I found two ways to do it: content: "</style>" (or anything else that allows a string) and grid-area: \< / style 1 / \>; (which outputs as grid-area:\</style 1/\>, close enough for browsers to accept).

I'll upload patches momentarily to fix this in two ways:

  • In css-sanitizer, use numeric escapes for < and > in strings and identifiers.
  • In TempateStyles, reject anything containing the string </style.

Details

SubjectRepoBranchLines +/-
SECURITY: Escape angle brackets numerically in strings and identifierscss-sanitizermaster+9 -3
SECURITY: Reject stylesheets containing "</style"mediawiki/extensions/TemplateStylesmaster+39 -1
Customize query in gerrit

Related Objects

Event Timeline

Anomie created this task.Jun 13 2017, 3:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 13 2017, 3:50 PM
Anomie added a comment.Jun 13 2017, 4:00 PM
  • css-sanitizer:
    0001-SECURITY-Escape-angle-brackets-numerically-in-string.patch3 KBDownload
  • TemplateStyles:
    0001-SECURITY-Reject-stylesheets-containing-style.patch5 KBDownload

As far as deployment, TemplateStyles isn't currently live anywhere in production, but Beta Labs may be vulnerable. We'd probably want to get the second patch out there first, then follow up reasonably soon with the css-sanitizer patch plus patches to increment the version in TemplateStyles's composer.json and the mediawiki/vendor.

Anomie added a project: TemplateStyles.Jun 13 2017, 4:00 PM
Anomie added a project: Patch-For-Review.
Reedy subscribed.Jun 13 2017, 5:00 PM

I guess the TemplateStyles patch can just go pretty much straight into public and be merged (when it's been CR'd)

The core patch will need to follow a more usual security deploy regime... But that's not going to get it onto beta any time soon

Anomie added a comment.Jun 13 2017, 5:15 PM

Neither one is a core patch. css-sanitizer is included in mediawiki/vendor, but as far as I know nothing uses it yet besides TemplateStyles in Beta Labs.

Bawolff subscribed.Jun 13 2017, 6:39 PM

I thought this would have been dealt with by T133147

Anomie added a comment.Jun 13 2017, 6:43 PM

Since TemplateStyles has to wrap the CSS in a strip marker to protect it from doBlockLevels, it manages to bypass that fix too.

Bawolff added a comment.Jun 13 2017, 7:48 PM
In T167812#3345184, @Anomie wrote:
  • css-sanitizer:
    0001-SECURITY-Escape-angle-brackets-numerically-in-string.patch3 KBDownload
  • TemplateStyles:
    0001-SECURITY-Reject-stylesheets-containing-style.patch5 KBDownload

+1 to both these patches

dpatrick triaged this task as High priority.Jun 13 2017, 8:37 PM
dpatrick subscribed.

Since this hasn't been deployed, this can committed now, correct?

Anomie mentioned this in rCSSS53071d588f7a: SECURITY: Escape angle brackets numerically in strings and identifiers.Jun 13 2017, 8:56 PM
Anomie closed this task as Resolved.Jun 15 2017, 6:46 PM
Anomie claimed this task.

Patches are in Gerrit and merged. Beta Labs is updated.

Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 15 2017, 6:47 PM
ggellerman moved this task from Backlog to Done on the TemplateStyles board.Nov 21 2017, 7:15 PM
Anomie mentioned this in rCSSSd05a3f277fb7: Final NoteDb migration updates.Jun 9 2018, 5:18 PM
Anomie mentioned this in rETST86078b024ad6: Final NoteDb migration updates.Jun 11 2018, 9:56 AM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:40 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits