Page MenuHomePhabricator
Create Task
Maniphest T203210

Extension:RSS shouldn't invent its own way to escape and parse things
Open, MediumPublic
Actions

Description

phan-taint-check-plugin claims there is an XSS issue in RSS, but I think it's simply unable to understand all the custom parsing/escaping that RSSParser.php is doing. I don't think there's any reason for it to re-invent the wheel either. For example the rationale for not using wfEscapeWikitext() is outdated/wrong.

Related:

Related Objects

Event Timeline

Legoktm created this task.Aug 31 2018, 4:03 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 31 2018, 4:03 AM
Legoktm mentioned this in T201108: Raw HTML message in RSS extension.Aug 31 2018, 4:04 AM
Bawolff added a project: phan-taint-check-plugin.Aug 31 2018, 6:37 AM
Legoktm moved this task from Backlog to Wikimedia deployed on the phan-taint-check-plugin board.Sep 1 2018, 10:36 PM
chasemp triaged this task as Medium priority.Dec 9 2019, 4:50 PM
chasemp added a project: Security-Team.
chasemp moved this task from Incoming to Back Orders on the Security-Team board.Dec 23 2019, 5:16 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Daimona removed a project: phan-taint-check-plugin.Jul 6 2020, 11:54 AM
Umherirrender added a comment.Nov 20 2020, 2:55 PM

One issue seems fixed with newer taint - https://gerrit.wikimedia.org/r/c/mediawiki/extensions/RSS/+/642406

Umherirrender unsubscribed.Feb 27 2021, 10:05 PM
Reedy removed a project: Security-Team.Nov 3 2021, 7:15 PM
Legoktm mentioned this in T307028: XSS in Extension:RSS when $wgRSSAllowLinkTag = true (CVE-2022-29969).Apr 27 2022, 5:57 PM
Ernstkm subscribed.Mar 17 2024, 3:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits