Page MenuHomePhabricator

OAuth extension needs phan-taint-check update to version 1.3.0
Closed, ResolvedPublic

Description

OAuth update to taint-check 1.3.0 gives new issues, where it is not easy to find the problem.

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./frontend/MWOAuthUI.hooks.php">
    <error line="84" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\MWOAuthUIHooks::onMessagesPreLoad that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="89" severity="warning" message="Calling method \wfEscapeWikiText() in \MediaWiki\Extensions\OAuth\MWOAuthUIHooks::onMessagesPreLoad that outputs using tainted argument $[arg #1]. (Caused by: ../../includes/GlobalFunctions.php +1639)" source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./frontend/specialpages/SpecialMWOAuthConsumerRegistration.php">
    <error line="469" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthConsumerRegistration::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="470" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthConsumerRegistration::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="480" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthConsumerRegistration::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="485" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthConsumerRegistration::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="487" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthConsumerRegistration::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./frontend/specialpages/SpecialMWOAuthListConsumers.php">
    <error line="244" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthListConsumers::formatRow that outputs using tainted argument $name." source="SecurityCheck-DoubleEscaped"/>
    <error line="248" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthListConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="249" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthListConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="252" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthListConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="257" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthListConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="260" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthListConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./frontend/specialpages/SpecialMWOAuthManageConsumers.php">
    <error line="247" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::handleConsumerForm that outputs using tainted argument $owner." source="SecurityCheck-DoubleEscaped"/>
    <error line="428" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="429" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="434" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="437" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="442" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="443" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageConsumers::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
  </file>
  <file name="./frontend/specialpages/SpecialMWOAuthManageMyGrants.php">
    <error line="288" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageMyGrants::formatRow that outputs using tainted argument $[arg #1]." source="SecurityCheck-DoubleEscaped"/>
    <error line="302" severity="warning" message="Calling method \htmlspecialchars() in \MediaWiki\Extensions\OAuth\SpecialMWOAuthManageMyGrants::formatRow that outputs using tainted argument $val." source="SecurityCheck-DoubleEscaped"/>
  </file>
</checkstyle>

Please have a look and update the extension

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 21 2018, 8:13 AM
Umherirrender renamed this task from OAuth extension needs update to version 1.3.0 to OAuth extension needs phan-taint-check update to version 1.3.0.Aug 21 2018, 8:14 AM
Legoktm claimed this task.Sep 1 2018, 6:21 PM
Legoktm added a subscriber: Legoktm.

I tracked this down last night, there's a super convoluted code flow of returning a Message object without setting an output format (return $context->msg(...)) and then later on some code runs htmlspecialchars() over it so it uses the default output format of ->escaped() causing the double escaping issue.

Change 456905 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/extensions/OAuth@master] build: Updating mediawiki/phan-taint-check-plugin to 1.5.0

https://gerrit.wikimedia.org/r/456905

Change 456905 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] build: Updating mediawiki/phan-taint-check-plugin to 1.5.0

https://gerrit.wikimedia.org/r/456905

Legoktm closed this task as Resolved.Sep 13 2018, 5:04 AM