Page MenuHomePhabricator
Create Task
Maniphest T202377

Add phan-taint-check-plugin to CheckUser extension
Closed, ResolvedPublic
Actions

Description

Would be nice to add phan-taint-check-plugin to CheckUser extensions

<?xml version="1.0" encoding="ISO-8859-15"?>
<checkstyle version="6.5">
  <file name="./includes/specials/SpecialCheckUser.php">
    <error line="766" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialCheckUser::doIPEditsRequest that outputs using tainted argument $s. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/specials/SpecialCheckUser.php +760; ./includes/specials/SpecialCheckUser.php +763; ./includes/specials/SpecialCheckUser.php +766)" source="SecurityCheck-XSS"/>
    <error line="868" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialCheckUser::doUserEditsRequest that outputs using tainted argument $s. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/specials/SpecialCheckUser.php +858; ./includes/specials/SpecialCheckUser.php +855; ./includes/specials/SpecialCheckUser.php +860; ./includes/specials/SpecialCheckUser.php +864; ./includes/specials/SpecialCheckUser.php +866)" source="SecurityCheck-XSS"/>
    <error line="901" severity="warning" message="Calling method \OutputPage::addHTML() in \SpecialCheckUser::doUserEditsRequest that outputs using tainted argument $html. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./includes/specials/SpecialCheckUser.php +896; ./includes/specials/SpecialCheckUser.php +898)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

The issue is in CUChangesLine, but I cannot find the line in this string concat

Details

Related Gerrit Patches:
integration/config : masterseccheck for CheckUser and CirrusSearch

Related Objects
Search...

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 21 2018, 11:19 AM
gerritbot added a subscriber: gerritbot.Aug 30 2018, 6:59 AM

Change 456337 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[integration/config@master] seccheck for CheckUser and CirrusSearch

https://gerrit.wikimedia.org/r/456337

gerritbot added a comment.Aug 30 2018, 7:01 AM

Change 456337 merged by jenkins-bot:
[integration/config@master] seccheck for CheckUser and CirrusSearch

https://gerrit.wikimedia.org/r/456337

Legoktm closed this task as Resolved.Aug 30 2018, 7:15 AM
Legoktm claimed this task.
sbassett triaged this task as Medium priority.Oct 15 2019, 7:35 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL