Page MenuHomePhabricator
Create Task
Maniphest T202797

phan-taint-check-plugin false positive in Linker::formatLinksInComment()
Closed, ResolvedPublic
Actions

Description

Filing as a security out of caution.

I spent a while trying to track down the final phan-taint-check-plugin failures in CheckUser, and tracked it down to Linker::formatLinksInComment(). I wasn't really able to narrow it down farther than that, it seemed to be complaining about the regex itself. I would appreciate a review of the function by someone other than myself before I add @return-taint escaped to it.

This is a false positive in the plugin.

Details

SubjectRepoBranchLines +/-
Change @return-taint to use onlysafefor_html instad of escapes_htmlmediawiki/coremaster+1 -1
Linker: Add @return-taint for formatLinksInComment()mediawiki/coremaster+2 -1
Customize query in gerrit

Event Timeline

Legoktm created this task.Aug 25 2018, 5:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 25 2018, 5:52 AM
Legoktm added projects: MediaWiki-General, phan-taint-check-plugin.Aug 25 2018, 5:52 AM
Legoktm added a parent task: T202377: Add phan-taint-check-plugin to CheckUser extension.
Legoktm added subscribers: Bawolff, Umherirrender.
Umherirrender moved this task from Backlog to MediaWiki mode on the phan-taint-check-plugin board.Aug 25 2018, 9:10 AM
Legoktm added a comment.Aug 30 2018, 5:03 AM

Spoke with @Bawolff on IRC, this isn't a security issue, it's a false positive in the plugin.

Legoktm renamed this task from phan-taint-check-plugin is reporting an XSS issue in Linker::formatLinksInComment() to phan-taint-check-plugin false positive in Linker::formatLinksInComment().Aug 30 2018, 5:04 AM
Legoktm removed a project: acl*security.
Legoktm updated the task description. (Show Details)
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Restricted Application added a project: acl*security. · View Herald TranscriptAug 30 2018, 5:04 AM
Legoktm removed a project: acl*security.Aug 30 2018, 5:04 AM
gerritbot subscribed.Aug 30 2018, 5:09 AM

Change 456332 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] Linker: Add @return-taint for formatLinksInComment()

https://gerrit.wikimedia.org/r/456332

gerritbot added a project: Patch-For-Review.Aug 30 2018, 5:09 AM
gerritbot added a comment.Aug 30 2018, 5:45 AM

Change 456332 merged by jenkins-bot:
[mediawiki/core@master] Linker: Add @return-taint for formatLinksInComment()

https://gerrit.wikimedia.org/r/456332

Legoktm removed a parent task: T202377: Add phan-taint-check-plugin to CheckUser extension.Aug 30 2018, 5:55 AM
ReleaseTaggerBot added a project: MW-1.32-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)).Aug 30 2018, 6:00 AM
gerritbot added a comment.Aug 31 2018, 9:49 AM

Change 456582 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@master] Change @return-taint to use onlysafefor_html instad of escapes_html

https://gerrit.wikimedia.org/r/456582

gerritbot added a comment.Aug 31 2018, 7:14 PM

Change 456582 merged by jenkins-bot:
[mediawiki/core@master] Change @return-taint to use onlysafefor_html instad of escapes_html

https://gerrit.wikimedia.org/r/456582

Bawolff closed this task as Resolved.Sep 4 2018, 9:31 AM
Bawolff claimed this task.
sbassett moved this task from MediaWiki mode to Done on the phan-taint-check-plugin board.Oct 15 2019, 6:53 PM
Maintenance_bot removed a project: Patch-For-Review.Oct 15 2019, 7:12 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL