Page MenuHomePhabricator

Parameters to Special:Code allows to prefill the textarea for a comment reply with unsafe user input
Closed, ResolvedPublic

Description

While adding missing class properties to the CodeReview extension [1] the seccheck run was failing due to limitation about undeclared properties in taint-check-plugin (T216254).

I have then searched for the issue reported by seccheck in [2]. It is not possible for me to let the plugin run locally due to very old requirements to run it.

I have found the problem for seccheck and fixed it in [2]. I have keep the commit message neutral.

The issue found by taint-check-plugin is, that the value of request parameter wpReply{$this->mReplyTarget} is stored in the constructor to the class property $text. Later on the class property is used to build a <textarea> field in html, but the text is not added escaped to the html. When the text contains the closing </textarea> tag it could be possible to add a script or other tags to the page. I have not tested it or build up a prototyp.

On mw.org Special:Code is in read-only so there is no vector to inject bad html, but the patch set needs to merged to fix it.

Please have a look. Thanks.

[1] https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CodeReview/+/513189/
[2] https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CodeReview/+/513594/


Ping T205482.