Page MenuHomePhabricator
Create Task
Maniphest T203281

phan-taint-check regression in LiquidThreads
Closed, ResolvedPublic
Actions

Description

Using 1.4.0:

<checkstyle version="6.5">
  <file name="./api/ApiQueryLQTThreads.php">
    <error line="248" severity="warning" message="Calling method \OutputPage::addHTML() in \ApiQueryLQTThreads::renderThread that outputs using tainted argument $oldOutputText. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./api/ApiQueryLQTThreads.php +211)" source="SecurityCheck-XSS"/>
  </file>
  <file name="./api/ApiThreadAction.php">
    <error line="606" severity="warning" message="Calling method \OutputPage::addHTML() in \ApiThreadAction::renderThreadPostAction that outputs using tainted argument $oldOutputText. (Caused by: Builtin-\OutputPage::addHTML) (Caused by: ./api/ApiThreadAction.php +592)" source="SecurityCheck-XSS"/>
  </file>
</checkstyle>

Both cases are basically using OutputPage as an output buffer:

		// Set up OutputPage
		$out = $this->getOutput();
		$oldOutputText = $out->getHTML();
		$out->clearHTML();

		...

		$result = $out->getHTML();
		$out->clearHTML();
		$out->addHTML( $oldOutputText );

Related Objects

Event Timeline

Legoktm created this task.Aug 31 2018, 8:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 31 2018, 8:42 PM
Umherirrender mentioned this in T203690: phan-taint-check-plugin failing for LiquidThreads extension.Sep 6 2018, 4:16 PM
Bawolff closed this task as Resolved.Sep 8 2018, 3:20 AM
Bawolff claimed this task.

This was fixed by suppressing the errors. See T203690

The errors do make sense though kind of, If anyone outputted anything XSS-y (in another extension, or in MW core, due to say a false positive), then getHtml() should be considered tainted, and putting it back into addHtml() should be considered an xss

sbassett moved this task from Backlog to Done on the phan-taint-check-plugin board.Oct 15 2019, 7:04 PM
sbassett triaged this task as Medium priority.Oct 15 2019, 7:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits