Page MenuHomePhabricator
Create Task
Maniphest T170292

Phabricator link on Internal Server Error page is reported as an XSS attack by noscript
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

This causes the main Phabricator page to load. Since we want users to report issues, we need to figure out the difference between the link in the footer and on the error page.

Related Objects

Event Timeline

Matthewrbowker created this task.Jul 11 2017, 4:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 11 2017, 4:36 PM
Matthewrbowker triaged this task as Lowest priority.Jul 11 2017, 4:36 PM
Matthewrbowker set the point value for this task to 1.
Matthewrbowker added a project: Community-Tech-Sprint.Jul 11 2017, 4:44 PM
MusikAnimal edited projects, added Community-Tech; removed Community-Tech-Sprint.Jul 11 2017, 4:46 PM
MusikAnimal moved this task from New & TBD Tickets to Needs Discussion on the Community-Tech board.
Matthewrbowker added a comment.Jul 11 2017, 5:08 PM

It's the file name in the task description. Logging output:

[NoScript InjectionChecker] JavaScript Injection in ///maniphest/task/create/?title=PLEASE%20REPLACE%20WITH%20A%20DESCRIPTION%20OF%20THE%20ERROR&priority=75&projects=Tool-labs-tools-xtools&description=```/var/www/src/Xtools/Edit.php:%20103%20-%20Error:%20Call%20to%20a%20member%20function%20format()%20on%20boolean```(function anonymous(
) {
```/var/www/src/Xtools/Edit.php:%20103%20-§:§§§§§§()§§``` /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://phabricator.wikimedia.org/maniphest/task/create/?title=PLEASE%20REPLACE%20WITH%20A%20DESCRIPTION%20OF%20THE%20ERROR&priority=75&projects=Tool-labs-tools-xtools&description=```/var/www/src/Xtools/Edit.php:%20103%20-%20Error:%20Call%20to%20a%20member%20function%20format()%20on%20boolean```] requested from [http://xtools.wmflabs.org/articleinfo/en.wikipedia.org/Thomas%20Jefferson]. Sanitized URL: [https://phabricator.wikimedia.org/#42521639302495773499].
Matthewrbowker added a comment.Jul 11 2017, 8:24 PM

https://github.com/x-tools/xtools-rebirth/pull/39

Matthewrbowker mentioned this in rXTR249d543a5b65: Fix error handling to avoid an XSS error within NoScript.Jul 11 2017, 8:24 PM
Matthewrbowker moved this task from Backlog to Working on the XTools board.Jul 11 2017, 8:43 PM
kaldari edited projects, added Community-Tech-Sprint; removed Community-Tech.Jul 11 2017, 11:38 PM
Paladox subscribed.Jul 11 2017, 11:40 PM
Samwilson moved this task from Ready to Needs Review/Feedback on the Community-Tech-Sprint board.Jul 12 2017, 1:12 AM
Samwilson subscribed.

It seems like even with replacing the filename with just the class name this could still be a bit fragile — what if there's a file name in the error message at some point?

I think the most useful thing to submit in the bug report is the full current URL that the user is accessing, query string and all. No, actually just the timestamp really, because we can look in the log for the rest.

(But, the above PR solves this for now, so I'm also happy to close this till some further problem arises!)

Matthewrbowker added a comment.Jul 12 2017, 3:53 AM
In T170292#3428776, @Samwilson wrote:

It seems like even with replacing the filename with just the class name this could still be a bit fragile — what if there's a file name in the error message at some point?

I think the most useful thing to submit in the bug report is the full current URL that the user is accessing, query string and all. No, actually just the timestamp really, because we can look in the log for the rest.

(But, the above PR solves this for now, so I'm also happy to close this till some further problem arises!)

The full URL may still be seen as an XSS attempt... that's why I went with the class instead. The more long term solution might be full path if we could figure out a way to URL encode it.

MusikAnimal mentioned this in rXTReaca305b0be7: Merge pull request #39 from x-tools/T170292.Jul 12 2017, 6:08 PM
MusikAnimal mentioned this in rXTR3e346474d44c: Merge branch 'master' into T170292.
MusikAnimal closed this task as Resolved.Jul 12 2017, 7:19 PM
MusikAnimal moved this task from Needs Review/Feedback to Q1 2018-19 on the Community-Tech-Sprint board.
MusikAnimal subscribed.

Merged https://phabricator.wikimedia.org/rXTReaca305b0be7d401adae7edd7c3c5107eeb986c9

MusikAnimal moved this task from Working to Complete on the XTools board.Jul 12 2017, 7:19 PM
Matthewrbowker mentioned this in rXT249d543a5b65: Fix error handling to avoid an XSS error within NoScript.Jul 17 2017, 3:09 AM
MusikAnimal mentioned this in rXT3e346474d44c: Merge branch 'master' into T170292.Jul 17 2017, 3:09 AM
MusikAnimal mentioned this in rXTeaca305b0be7: Merge pull request #39 from x-tools/T170292.
DannyH edited projects, added Community-Tech; removed Community-Tech-Sprint.Jul 18 2017, 10:40 PM
DannyH moved this task from Needs Discussion to Archive on the Community-Tech board.Jul 18 2017, 10:45 PM
Matthewrbowker mentioned this in rXTRMRB249d543a5b65: Fix error handling to avoid an XSS error within NoScript.Feb 13 2018, 1:35 PM
MusikAnimal mentioned this in rXTRMRBeaca305b0be7: Merge pull request #39 from x-tools/T170292.Feb 13 2018, 1:35 PM
MusikAnimal mentioned this in rXTRMRB3e346474d44c: Merge branch 'master' into T170292.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL