Page MenuHomePhabricator
Create Task
Maniphest T202246

AdminLinks::makelink() doesn't HTML escape properly
Closed, ResolvedPublic
Actions

Assigned To
Yaron_Koren
Authored By
Legoktm
Aug 20 2018, 12:28 AM
Tags
Referenced Files
F25339567: 0001-SECURITY-Escape-link-text-properly-to-prevent-XSS-at.patch
Aug 25 2018, 7:50 AM
F25340025: 0001-SECURITY-Escape-link-text-properly-to-prevent-XSS-at.patch
Aug 25 2018, 7:50 AM
F25339833: 0001-SECURITY-Escape-link-text-properly-to-prevent-XSS-at.patch
Aug 25 2018, 7:50 AM
Subscribers
Aklapper
Legoktm
sbassett
Yaron_Koren

Description

	public static function makeLink( $title, $msg = null, $attrs = array(), $params = array() ) {
		if ( function_exists( 'MediaWiki\MediaWikiServices::getLinkRenderer' ) ) {
			// MW 1.28+
			$linkRenderer = MediaWikiServices::getInstance()->getLinkRenderer();
			return $linkRenderer->makeKnownLink( $title, $msg, $attrs, $params );
		} else {
			return Linker::linkKnown( $title, $msg, $attrs, $params );
		}

LinkRenderer will HTML escape $msg, but Linker will not. So on older MW versions this could potentially cause an XSS if developers assume that it will be escaped properly.

Probably the best fix would be to be consistent and not HTML escape in the LinkRenderer case by using HtmlArmor, and ensure that all callers do HTML escaping.

I noticed this while investigating a phan-taint-check-plugin error.

Related Objects

Event Timeline

Legoktm created this task.Aug 20 2018, 12:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 20 2018, 12:28 AM
Legoktm added a project: MediaWiki-extensions-AdminLinks.Aug 20 2018, 12:29 AM
Legoktm added a subscriber: Yaron_Koren.
Legoktm added a project: MediaWiki-extensions-Cargo.Aug 25 2018, 7:25 AM

This function seems to have been copied to Cargo and ApprovedRevs, though both of those are even more broken in different ways.

Legoktm added a comment.Aug 25 2018, 7:50 AM

Cargo:

0001-SECURITY-Escape-link-text-properly-to-prevent-XSS-at.patch5 KBDownload

I think this closes an XSS with the |more results text= parameter on pre-1.28 versions of MediaWiki.

AdminLinks:

0001-SECURITY-Escape-link-text-properly-to-prevent-XSS-at.patch2 KBDownload

Note that I could not find a single caller of ALItem::newFromPage(), so I assumed that $desc was not escaped, like newFromEditLink and newFromExternalLink. Worst case some text will be double escaped instead of being under escaped.

ApprovedRevs:

0001-SECURITY-Escape-link-text-properly-to-prevent-XSS-at.patch3 KBDownload

Legoktm added a project: Patch-For-Review.Aug 25 2018, 7:50 AM
Aklapper added a comment.Sep 25 2019, 2:25 PM

@Yaron_Koren: Any comments on the patches attached here?

Yaron_Koren added a comment.Sep 27 2019, 11:35 AM

@Aklapper - sorry for not responding here before. I believe I took care of the Cargo patch with the commits 9b8d3a0a2d10 and 3407fb767040. I still need to take care of the Approved Revs and Admin Links patches.

Yaron_Koren edited projects, added MediaWiki-extensions-Approved-Revs; removed MediaWiki-extensions-Cargo.Sep 27 2019, 11:35 AM
sbassett triaged this task as High priority.Sep 27 2019, 1:22 PM
Yaron_Koren mentioned this in rEADLfb0c02edafdf: Improve link escaping - patch by Legoktm (T202246).Sep 29 2019, 5:01 PM
Yaron_Koren closed this task as Resolved.Sep 30 2019, 7:04 PM
Yaron_Koren claimed this task.

Okay, I believe all three patches are now merged in. In the case of Approved Revs, the code checked in was simpler than the original patch because support for MW < 1.28 was removed, soon after the original patches were created.

Yaron_Koren added a comment.Sep 30 2019, 7:05 PM

I forgot to say - thank you, @Legoktm, for your help with improving the security of all three extensions.

sbassett subscribed.Sep 30 2019, 7:57 PM

@Yaron_Koren - we can make this task public now, no? Given that all of the outstanding security issues have been patched?

Yaron_Koren added a comment.Sep 30 2019, 8:44 PM

Sure.

sbassett removed a project: Patch-For-Review.Sep 30 2019, 9:00 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL