Page MenuHomePhabricator
Create Task
Maniphest T177997

WikiImporter::notice echoing of unescaped values is a dangerous api
Closed, ResolvedPublic
Actions

Description

The way notices work in the WikiImporter class is really sketchy. Its safe in MediaWiki, but it seems risky that someone may use it in an unsafe manner, and thus should be fixed.

WikiImporter::notice is used to report notices back to the user. It can be overriden via setNoticeCallback() in order to have custom reporting. However it has a default implementation of just echoing out the notice.

This is very risky, since the notice contains user controlled variables, and no escaping is applied. The rationale is that its meant for the command line where this makes sense. However if it was triggered in the web interface (and no output buffer clearing took place) then this would be an XSS.

In MediaWiki, Special:Import overrides the notice callback, so its safe. The API does not, however the api clears the output buffer so it is safe.

Nonetheless this is really sketchy, and should be changed so that nobody in the future accidentally causes a security issue. The two possibilities:

  • Either make the default notice implementation just send the notice to wfDebug(), and require that the command line importers call setNoticeCallback() for their own custom callback to echo the notice. [I think this is the better option]
  • Or make the default implementation check $wgCommandLineMode, and output the message as ->escaped() if not in command line mode.

As an aside, this was found using an experimental custom phan plugin I'm working on

Details

SubjectRepoBranchLines +/-
[WikiImporter::notice] use wfDebug instead of echo in notice()mediawiki/coremaster+15 -1
Customize query in gerrit

Event Timeline

Bawolff created this task.Oct 11 2017, 8:18 PM
Restricted Application added subscribers: TerraCodes, Aklapper. · View Herald TranscriptOct 11 2017, 8:18 PM
dpatrick triaged this task as Medium priority.Oct 12 2017, 4:20 PM
Bawolff updated the task description. (Show Details)Oct 12 2017, 4:21 PM
Florian added a project: Google-Code-in-2017.Dec 2 2017, 10:39 PM
Florian moved this task from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Florian subscribed.

I'll mentor this, imported as: https://codein.withgoogle.com/dashboard/tasks/5638122769481728/

gerritbot subscribed.Dec 22 2017, 3:17 AM

Change 399770 had a related patch set uploaded (by Eflyjason; owner: Eflyjason):
[mediawiki/core@master] [WikiImporter::notice] use wfDebug instead of echo in notice()

https://gerrit.wikimedia.org/r/399770

gerritbot added a project: Patch-For-Review.Dec 22 2017, 3:17 AM
eflyjason subscribed.Dec 22 2017, 3:17 AM
Florian closed this task as Resolved.Dec 22 2017, 11:28 AM
Florian assigned this task to eflyjason.
gerritbot added a comment.Dec 22 2017, 11:33 AM

Change 399770 merged by jenkins-bot:
[mediawiki/core@master] [WikiImporter::notice] use wfDebug instead of echo in notice()

https://gerrit.wikimedia.org/r/399770

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-01-02 (1.31.0-wmf.15)).Dec 22 2017, 12:00 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 10 2020, 11:13 PM
TerraCodes unsubscribed.Feb 11 2020, 12:39 AM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL