
Parameters to Special:Code allow prefilling the textarea for a comment reply with unsafe user input
Closed, ResolvedPublic

Description

While adding missing class properties to the CodeReview extension [1], the seccheck run was failing due to a limitation regarding undeclared properties in taint-check-plugin (T216254).

I have then searched for the issue reported by seccheck in [2]. It is not possible for me to run the plugin locally due to the very old requirements for running it.

I have found the problem reported by seccheck and fixed it in [2]. I have kept the commit message neutral.

The issue found by taint-check-plugin is that the value of the request parameter wpReply{$this->mReplyTarget} is stored in the constructor in the class property $text. Later on the class property is used to build a <textarea> field in HTML, but the text is not escaped when it is added to the HTML. When the text contains the closing </textarea> tag it could be possible to add a script or other tags to the page. I have not tested it or built a prototype.

On mw.org Special:Code is read-only, so there is no vector to inject bad HTML, but the patch set needs to be merged to fix it.

Please have a look. Thanks.

[1] https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CodeReview/+/513189/
[2] https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/CodeReview/+/513594/

Ping T205482.
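The pattern the task describes, as an added example that is not CodeReview's own code: a stand-in for the reply textarea rendered from an unescaped stored value, beside the form that escapes at the point of output. The function and variable names are hypothetical; the input value is constructed for the example.

```php
<?php
// Added example (not the CodeReview extension's code): a minimal stand-in
// for the Special:Code reply textarea. Names are hypothetical.

// Constructed value for a wpReply<target> parameter: it closes the
// textarea early, so whatever follows would be parsed as page markup.
$constructedInput = "hello</textarea><b>injected</b><textarea>";

/** Vulnerable: the stored text is dropped raw into the markup. */
function renderReplyUnescaped( string $name, string $text ): string {
	return '<textarea name="' . htmlspecialchars( $name, ENT_QUOTES ) . '">'
		. $text . '</textarea>';
}

/** Fixed: escape where the value meets the output, not where it is stored. */
function renderReplyEscaped( string $name, string $text ): string {
	return '<textarea name="' . htmlspecialchars( $name, ENT_QUOTES ) . '">'
		. htmlspecialchars( $text, ENT_QUOTES ) . '</textarea>';
}

/** Check: a safe rendering contains exactly one closing tag, the one we wrote. */
function closesTextareaOnce( string $html ): bool {
	return substr_count( strtolower( $html ), '</textarea>' ) === 1;
}

$name = 'wpReply' . 'r123';
var_dump( closesTextareaOnce( renderReplyUnescaped( $name, $constructedInput ) ) );
var_dump( closesTextareaOnce( renderReplyEscaped( $name, $constructedInput ) ) );
```

In the real extension the escaping comes from MediaWiki's Html/Xml helpers rather than a bare htmlspecialchars call; the example uses the plain function so that it runs stand-alone.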

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 7 2019, 6:34 PM
Krinkle updated the task description. Jun 10 2019, 8:08 PM
sbassett triaged this task as Normal priority. Jun 13 2019, 9:31 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

Change 513594 merged by jenkins-bot:
[mediawiki/extensions/CodeReview@master] Move escaping in postCommentForm closer to output

https://gerrit.wikimedia.org/r/513594

Reedy closed this task as Resolved. Jun 13 2019, 10:11 PM
Reedy assigned this task to Umherirrender.