Looking at this - the XSS only appears to render for me within the first URL. I assume the second URL was provided just to show the diff?
@MaxSem - patch looks sane, going to test it locally now. Trying to think of the best time to security-deploy this. Maybe after the group2 train today but before evening SWAT? Or maybe during the SWAT? Not sure what the protocol is re: security patches getting deployed during SWATs.
- Patch deployed and tested: the above URL no longer renders an XSS for me.
- Added this bug to the next security release tracking bug as a sub-task: T225152. I need to double-check w/ @Reedy how we normally do this for deployed extensions. I know that the security release tracking bug is the normal path towards requesting/issuing CVEs, but I know we sometimes just backport as necessary in gerrit for extensions. I'll keep this bug private until I know what to do here.
We don’t bundle MF, so we don’t need to tag it for the next MW release.
We can get a CVE for it though, if we want.
When it’s deployed in production we can just put the patch into master so it will ride the train for new branches. We can even cherry-pick to branches and redeploy to make things consistent if you want.
Update (I was on vacation earlier this week, just getting back to this):
- After chatting w/ @MoritzMuehlenhoff, I've gone ahead and requested a CVE for this vulnerability. I'm not sure we've consistently done this in the past for various MediaWiki extensions (at least for deployed and/or bundled extensions), though I'd like to start doing this on a more consistent basis going forward, perhaps even training other foundation/community folks on the process.
- Once I receive confirmation from MITRE of the CVE ID, I'll plan to make this task public and backport in gerrit to the 1.31, 1.32 and 1.33 release branches and master, per the current version lifecycle.
- I'm not certain any additional communication is warranted here. Posts to phame, wikitech-l, etc. potentially seem to be a little overkill for issues like this and not what's been done in the past. Perhaps the Security-Team should further discuss what might be appropriate messaging for these kinds of vulnerabilities.
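The backport workflow the comments above describe (fix lands on master, then is cherry-picked onto each supported release branch) as an added, runnable example. This is illustration written for this page, not code from the task, the extension or the Foundation's deploy tooling. The repository, the one-line "template" file and the "Escape user input" commit are constructed for the demo; the branch names REL1_31, REL1_32 and REL1_33 follow MediaWiki's release-branch naming convention but are assumptions here, as is the use of `git cherry-pick -x` to record the source commit in each backport.

```shell
#!/bin/sh
# Added example: backport one security fix from master onto several release
# branches. The repo, file contents and commit below are constructed for the
# demo; REL1_3x branch names are assumed, not taken from the task thread.
set -eu

# Identity for the throwaway commits so git does not prompt for config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# make_demo_repo: create a scratch repository with a master branch, three
# release branches cut before the fix, and the fix committed on master.
# Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  cd "$dir"
  git init -q .
  git symbolic-ref HEAD refs/heads/master
  printf 'echo $input;\n' > template.php          # unescaped output (the bug)
  git add template.php
  git commit -q -m "Initial"
  for b in REL1_31 REL1_32 REL1_33; do
    git branch "$b"                               # release branches predate the fix
  done
  printf 'echo htmlspecialchars( $input );\n' > template.php
  git commit -q -am "Escape user input"           # the security fix, on master
  echo "$dir"
}

# backport_fix <commit> <branch>...: cherry-pick one commit onto each branch.
# -x appends "(cherry picked from commit ...)" so each backport points at the
# master commit. On a conflict the pick is aborted and the function returns 1,
# leaving that branch untouched for a manual backport.
backport_fix() {
  commit=$1; shift
  for b in "$@"; do
    git checkout -q "$b"
    if git cherry-pick -x "$commit" >/dev/null 2>&1; then
      echo "backported $commit to $b"
    else
      git cherry-pick --abort
      echo "conflict on $b, needs manual backport" >&2
      git checkout -q master
      return 1
    fi
  done
  git checkout -q master
}

# branch_is_fixed <branch>: succeed if the escaped version is on that branch.
branch_is_fixed() {
  git show "$1:template.php" | grep -q htmlspecialchars
}

# Usage: run the whole flow in a scratch repo and report each branch.
repo=$(make_demo_repo)
cd "$repo"
fix=$(git rev-parse master)
backport_fix "$fix" REL1_31 REL1_32 REL1_33
for b in REL1_31 REL1_32 REL1_33; do
  if branch_is_fixed "$b"; then echo "$b: fixed"; else echo "$b: NOT fixed"; fi
done
```

The point of the `-x` trailer and the abort-on-conflict branch is the "make things consistent" part of the thread: every release branch either carries a commit that names the master fix, or it is left exactly as it was and flagged for a hand backport, so nothing is half-applied when the embargo lifts and the task goes public.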