
Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled
Open, Medium, Public

Description

Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled

DISPLAYTITLE restrictions can be abused with css declarations such as font-size:0 , similar to display=none as was reported in T28547.

Propose disallowing all CSS declarations from the wikitext into titles when $wgRestrictDisplayTitle is enabled.

See also report on enwiki from user:InvalidOS here: https://en.wikipedia.org/w/index.php?title=Wikipedia:Administrators%27_noticeboard&oldid=894118189#Exploit_in_the_DISPLAYTITLE_behavior_switch_involving_html_tags
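The task above proposes dropping inline CSS from a DISPLAYTITLE fragment whenever $wgRestrictDisplayTitle is on. The following is an added example, not MediaWiki core code, that shows what that mitigation looks like in isolation: it rebuilds the HTML fragment without `style` attributes in restricted mode and then applies the text-equality check that restricted mode is assumed to perform (visible text, after tags are stripped, must equal the page title). The function and class names are invented for the illustration, and the sample fragments are constructed.

```python
"""Added example (not MediaWiki code): strip inline CSS from a DISPLAYTITLE
fragment when restricted mode is on, then apply a text-equality check."""
from html import escape
from html.parser import HTMLParser
from typing import List, Tuple


class _TitleSanitizer(HTMLParser):
    """Rebuilds an HTML fragment, dropping style attributes when asked to.

    Hypothetical helper for this example; it is not part of MediaWiki.
    """

    def __init__(self, strip_css: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.strip_css = strip_css
        self.out: List[str] = []      # re-serialised fragment
        self.text: List[str] = []     # text nodes only (what the reader sees)
        self.dropped: List[str] = []  # CSS declarations removed, for logging

    def handle_starttag(self, tag, attrs) -> None:
        kept = []
        for name, value in attrs:
            # In restricted mode every inline style is discarded, whatever
            # the property; this is the rule the task proposes.
            if self.strip_css and name.lower() == "style":
                self.dropped.append(value or "")
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v or "", quote=True)}"' for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag) -> None:
        self.out.append(f"</{tag}>")

    def handle_data(self, data) -> None:
        self.out.append(escape(data, quote=False))
        self.text.append(data)


def sanitize_displaytitle(
    fragment: str, page_title: str, restrict: bool
) -> Tuple[str, bool, List[str]]:
    """Return (sanitized_html, accepted, dropped_css).

    restrict mirrors $wgRestrictDisplayTitle. When it is True, style
    attributes are removed and the title is accepted only if its visible
    text (whitespace-collapsed) equals the page title. When it is False
    the fragment passes through unchanged, as the task notes it does today.
    """
    parser = _TitleSanitizer(strip_css=restrict)
    parser.feed(fragment)
    parser.close()
    html_out = "".join(parser.out)
    if not restrict:
        return html_out, True, []
    visible = " ".join("".join(parser.text).split())
    wanted = " ".join(page_title.split())
    return html_out, visible == wanted, parser.dropped


if __name__ == "__main__":
    # Constructed sample: the text content matches the page title "Foo bar",
    # so the title passes the equality check, but the CSS would hide "Foo ".
    sample = '<span style="font-size:0">Foo </span>bar'
    for mode in (False, True):
        html_out, ok, dropped = sanitize_displaytitle(sample, "Foo bar", mode)
        print(f"restrict={mode}: {html_out!r} accepted={ok} dropped={dropped}")
```

With restrict=False the fragment is returned untouched, which is the current behaviour the task objects to; with restrict=True the `style` attribute is removed so the full title renders, and the dropped declaration is returned so a site could log which pages relied on it. Rejecting the whole title instead of stripping the attribute would be an equally valid policy; the example strips because that is what the task proposes.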

Event Timeline

Xaosflux created this task. Apr 25 2019, 7:49 PM
Restricted Application added a subscriber: Aklapper. Apr 25 2019, 7:49 PM
Xaosflux renamed this task from "Ignore css is displaytitle when $wgRestrictDisplayTitle is enabled" to "Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled". Apr 25 2019, 7:50 PM
Xaosflux updated the task description.
Izno added a subscriber: Izno. Apr 25 2019, 9:10 PM

All seems draconian seeing as there are many editors who put pretty colors on their user pages in the page title.

@Izno, by default this isn't applied, only for projects that configure $wgRestrictDisplayTitle to be true.

Pppery added a subscriber: Pppery. Apr 25 2019, 10:14 PM

I don't think that such an extreme measure is a good idea; many users (including me) use CSS displaytitles on their userpages. Perhaps a better idea would be to ignore specific CSS properties.

@Pppery note, MediaWiki in general supports most anything in display title if you enable displaytitle; if you do, then you can also optionally lock it down - this ticket is only about locking it down. Individual WMF projects can certainly pick to enable or not enable lockdown. Perhaps a tangential task would be for something like a parameter to enforce in , or exempt in certain namespaces (if you'd want to go that route please open a different task though).

Change 507176 had a related patch set uploaded (by Pppery; owner: Pppery):
[mediawiki/core@master] Ignore CSS in displaytitle when $wgRestrictDisplayTitle is set

https://gerrit.wikimedia.org/r/507176

Individual WMF projects can certainly pick to enable or not enable lockdown.

This is technically true, but disabling the lock-down has major security issues (as this task shows) and we should probably re-visit that.

The threat model here is kind of debatable. It's unclear what security goals we are trying to accomplish with the displaytitle restrictions, and thus I'm unsure (unsure in the sense of actually do not know, not unsure in the sense of disagreeing) if further restrictions on it are justified.

For example, one potential threat model is that it's supposed to ensure that if you copy and paste the page header, links still work properly. In which case the font-size:0 does not violate that, as you still can copy and paste the whole thing.

If the risk people on this bug are concerned about is phishing - well, would a super restrictive displaytitle actually stop that? If people are looking at just the first header of the page, they're probably also easily going to be tricked by external sites, or just pages with look-alike titles.

While I did use an example page that replicated the Bureaucrats' Noticeboard, I believe that the greatest problem caused by this is its usage for vandalism. Vandals have already used this to vandalize pages, mostly making page titles appear as words such as "shit" and "crap".

Jcross triaged this task as Medium priority. Oct 4 2019, 4:32 PM
Jcross moved this task from Incoming to Watching on the Security-Team board.