Maniphest T193909

update phan-taint-check to 1.2.0
Closed, ResolvedPublic
Actions

Assigned To

None

Authored By

	Bawolff
	May 4 2018, 8:19 PM

Description

see topic.

Remaining todo: ~~Anything alphabetical >= PdfHandler~~ Legoktm did the rest

Cite and CategoryTree have issues with new version

Details

Subject	Repo	Branch	Lines +/-
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/MultimediaViewer	master	+3 -0
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/InputBox	REL1_31	+1 -1
Add phan-taint-check as version 1.2.0	mediawiki/extensions/CodeEditor	REL1_31	+3 -0
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/CiteThisPage	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/Gadgets	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/Interwiki	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/ConfirmEdit	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/ImageMap	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/LocalisationUpdate	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/Nuke	REL1_31	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/OATHAuth	REL1_31	+3 -0
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/CiteThisPage	master	+1 -1
Add phan-taint-check as version 1.2.0	mediawiki/extensions/CodeEditor	master	+3 -0
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/Gadgets	master	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/ImageMap	master	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/Interwiki	master	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/LocalisationUpdate	master	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/Nuke	master	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/ConfirmEdit	master	+1 -1
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/OATHAuth	master	+3 -0
Bump phan-taint-check 1.1.0->1.2.0	mediawiki/extensions/InputBox	master	+1 -1

Related Objects
Search...

Status	Assigned	Task
Resolved	None	T193909 update phan-taint-check to 1.2.0
Resolved	Bawolff	T195009 Cite extension does not pass phan-taint-check 1.2.0
Resolved	Legoktm	T195010 CategoryTree extension does not pass phan-taint-check 1.2.0
Resolved	Bawolff	T195017 Renameuser extension does not pass phan-taint-check 1.2.0

Event Timeline

Bawolff created this task.May 4 2018, 8:19 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 4 2018, 8:19 PM

Fails on extension Cite:

./includes/Cite.php:276 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $group.
./includes/Cite.php:277 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $group.
./includes/Cite.php:279 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $group.
./includes/Cite.php:284 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $group.
./includes/Cite.php:285 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $group.
./includes/Cite.php:287 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $group.
./includes/Cite.php:295 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $key.
./includes/Cite.php:296 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $key.
./includes/Cite.php:314 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $key.
./includes/Cite.php:315 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::guardedRef that outputs using tainted argument $key.
./includes/Cite.php:777 SecurityCheck-DoubleEscaped Calling method \Parser::recursiveTagParse() in \Cite::referencesFormat that outputs using tainted argument $parserInput. (Caused by: ./includes/Cite.php +772)
./includes/Cite.php:1050 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::linkRef that outputs using tainted argument $[arg #1]. (Caused by: ./includes/Cite.php +984; ./includes/Cite.php +1131; ./includes/Cite.php +987)
./includes/Cite.php:1050 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::linkRef that outputs using tainted argument $[arg #1]. (Caused by: ./includes/Cite.php +984; ./includes/Cite.php +1131; ./includes/Cite.php +987; ./includes/Cite.php +1131)
./includes/Cite.php:1058 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::linkRef that outputs using tainted argument $[arg #1]. (Caused by: ./includes/Cite.php +984; ./includes/Cite.php +1131; ./includes/Cite.php +987)
./includes/Cite.php:1058 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::linkRef that outputs using tainted argument $[arg #1]. (Caused by: ./includes/Cite.php +984; ./includes/Cite.php +1131; ./includes/Cite.php +987; ./includes/Cite.php +1131)
./includes/Cite.php:1234 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::checkRefsNoReferences that outputs using tainted argument $group. (Caused by: ./includes/Cite.php +1227; ./includes/Cite.php +743; ./includes/Cite.php +1232)
./includes/Cite.php:1235 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::checkRefsNoReferences that outputs using tainted argument $group. (Caused by: ./includes/Cite.php +1227; ./includes/Cite.php +743; ./includes/Cite.php +1232)
./includes/Cite.php:1237 SecurityCheck-DoubleEscaped Calling method \Sanitizer::safeEncodeAttribute() in \Cite::checkRefsNoReferences that outputs using tainted argument $group. (Caused by: ./includes/Cite.php +1227; ./includes/Cite.php +743; ./includes/Cite.php +1232)
./includes/Cite.php:1369 SecurityCheck-DoubleEscaped Calling method \Parser::recursiveTagParse() in \Cite::error that outputs using tainted argument $ret. (Caused by: ./includes/Cite.php +1358)
./includes/Cite.php:1369 SecurityCheck-DoubleEscaped Calling method \Parser::recursiveTagParse() in \Cite::error that outputs using tainted argument $ret. (Caused by: ./includes/Cite.php +1358; ./includes/Cite.php +1369)
./includes/Cite.php:1412 SecurityCheck-DoubleEscaped Calling method \Parser::recursiveTagParse() in \Cite::warning that outputs using tainted argument $ret. (Caused by: ./includes/Cite.php +1400)
./includes/Cite.php:1412 SecurityCheck-DoubleEscaped Calling method \Parser::recursiveTagParse() in \Cite::warning that outputs using tainted argument $ret. (Caused by: ./includes/Cite.php +1400; ./includes/Cite.php +1412)

Change 431007 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CiteThisPage@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431007

gerritbot added a project: Patch-For-Review.May 4 2018, 8:28 PM

Change 431008 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/CodeEditor@master] Add phan-taint-check as version 1.2.0

https://gerrit.wikimedia.org/r/431008

Change 431009 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/ConfirmEdit@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431009

Change 431010 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Gadgets@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431010

Change 431011 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/ImageMap@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431011

CategoryTree also has some potentially false positives from the new version:

./includes/CategoryTreeHooks.php:113 SecurityCheck-XSS Outputting user controlled HTML from Parser function hook \CategoryTreeHooks::parserFunction (Caused by: ./includes/CategoryTreeHooks.php +112)
./includes/CategoryTreeHooks.php:168 SecurityCheck-XSS Outputting user controlled HTML from Parser tag hook \CategoryTreeHooks::parserHook (Caused by: ./includes/CategoryTree.php +386; ./includes/CategoryTreeHooks.php +144; ./includes/CategoryTreeHooks.php +155)
./includes/CategoryTreePage.php:119 SecurityCheck-XSS Calling method \OutputPage::addHTML() in \CategoryTreePage::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CategoryTree.php +556)

Change 431015 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/InputBox@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431015

Change 431016 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Interwiki@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431016

Change 431018 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/LocalisationUpdate@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431018

Change 431007 merged by jenkins-bot:
[mediawiki/extensions/CiteThisPage@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431007

Change 431022 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/MultimediaViewer@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431022

Change 431009 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431009

Change 431010 merged by jenkins-bot:
[mediawiki/extensions/Gadgets@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431010

Change 431011 merged by jenkins-bot:
[mediawiki/extensions/ImageMap@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431011

Change 431023 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/Nuke@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431023

Change 431026 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/OATHAuth@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431026

Bawolff updated the task description. (Show Details)May 4 2018, 9:21 PM

Change 431008 merged by jenkins-bot:
[mediawiki/extensions/CodeEditor@master] Add phan-taint-check as version 1.2.0

https://gerrit.wikimedia.org/r/431008

Change 431016 merged by jenkins-bot:
[mediawiki/extensions/Interwiki@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431016

Change 431018 merged by jenkins-bot:
[mediawiki/extensions/LocalisationUpdate@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431018

Change 431023 merged by jenkins-bot:
[mediawiki/extensions/Nuke@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431023

Change 431026 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431026

Change 431015 merged by jenkins-bot:
[mediawiki/extensions/InputBox@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431015

ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)).May 4 2018, 10:00 PM

Change 431069 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/OATHAuth@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431069

Change 431070 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/ConfirmEdit@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431070

Change 431071 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/Nuke@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431071

Change 431072 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/LocalisationUpdate@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431072

Change 431073 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/Interwiki@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431073

Change 431074 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/ImageMap@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431074

Change 431075 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/Gadgets@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431075

Change 431076 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/CodeEditor@REL1_31] Add phan-taint-check as version 1.2.0

https://gerrit.wikimedia.org/r/431076

Change 431077 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/CiteThisPage@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431077

Change 431079 had a related patch set uploaded (by Legoktm; owner: Brian Wolff):
[mediawiki/extensions/InputBox@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431079

Change 431069 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431069

Change 431070 merged by jenkins-bot:
[mediawiki/extensions/ConfirmEdit@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431070

Change 431071 merged by jenkins-bot:
[mediawiki/extensions/Nuke@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431071

Change 431072 merged by jenkins-bot:
[mediawiki/extensions/LocalisationUpdate@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431072

Change 431074 merged by jenkins-bot:
[mediawiki/extensions/ImageMap@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431074

Change 431075 merged by jenkins-bot:
[mediawiki/extensions/Gadgets@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431075

Change 431073 merged by jenkins-bot:
[mediawiki/extensions/Interwiki@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431073

Change 431077 merged by jenkins-bot:
[mediawiki/extensions/CiteThisPage@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431077

Change 431076 merged by jenkins-bot:
[mediawiki/extensions/CodeEditor@REL1_31] Add phan-taint-check as version 1.2.0

https://gerrit.wikimedia.org/r/431076

Change 431079 merged by jenkins-bot:
[mediawiki/extensions/InputBox@REL1_31] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431079

Change 431022 merged by Umherirrender:
[mediawiki/extensions/MultimediaViewer@master] Bump phan-taint-check 1.1.0->1.2.0

https://gerrit.wikimedia.org/r/431022

Bawolff updated the task description. (Show Details)May 8 2018, 1:10 AM

Created subtasks for easier tracking and to tag the tasks with the correct extension:

• Vvjjkkii renamed this task from update phan-taint-check to 1.2.0 to ykdaaaaaaa.Jul 1 2018, 1:11 AM

• Vvjjkkii reopened this task as Open.

• Vvjjkkii triaged this task as High priority.

• Vvjjkkii added projects: CheckUser, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), Tamil-Sites, Gamepress, Hashtags, Jade, KartoEditor, Language-2018-Apr-June, New-Editor-Experiences, Mail, TCB-Team (now WMDE-TechWish).

• Vvjjkkii updated the task description. (Show Details)

• Vvjjkkii removed subscribers: gerritbot, Aklapper.

CommunityTechBot renamed this task from ykdaaaaaaa to update phan-taint-check to 1.2.0.Jul 2 2018, 4:27 PM

CommunityTechBot closed this task as Resolved.

CommunityTechBot claimed this task.

CommunityTechBot raised the priority of this task from High to Needs Triage.

CommunityTechBot updated the task description. (Show Details)

CommunityTechBot removed projects: TCB-Team (now WMDE-TechWish), Mail, New-Editor-Experiences, Language-2018-Apr-June, KartoEditor, Jade, Hashtags, Gamepress, Tamil-Sites, Connected-Open-Heritage-Batch-uploads (RAÄ-KMB_1_2017-02), CheckUser.

CommunityTechBot added subscribers: gerritbot, Aklapper.

Bawolff closed subtask T195017: Renameuser extension does not pass phan-taint-check 1.2.0 as Resolved.Jul 5 2018, 6:33 PM

Legoktm removed CommunityTechBot as the assignee of this task.Aug 2 2018, 10:05 AM

Legoktm added a subscriber: CommunityTechBot.

Umherirrender closed subtask T195010: CategoryTree extension does not pass phan-taint-check 1.2.0 as Resolved.Aug 21 2018, 12:01 PM

Bawolff closed subtask T195009: Cite extension does not pass phan-taint-check 1.2.0 as Resolved.Sep 13 2018, 7:33 AM

sbassett moved this task from Backlog to Done on the phan-taint-check-plugin board.Oct 15 2019, 7:05 PM

sbassett triaged this task as Medium priority.Oct 15 2019, 7:09 PM

sbassett removed a project: Patch-For-Review.

update phan-taint-check to 1.2.0Closed, ResolvedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

update phan-taint-check to 1.2.0
Closed, ResolvedPublic
Actions

Related Objects
Search...