Page MenuHomePhabricator
Create Task
Maniphest T229541

Javascript injection in edit summary on mobile site (CVE-2019-14807)
Closed, ResolvedPublic
Actions

Description

See https://zh.m.wikipedia.org/wiki/Special:%E7%94%A8%E6%88%B7%E8%B4%A1%E7%8C%AE/A2093064-test
Caused by this edit https://zh.wikipedia.org/w/index.php?title=Wikipedia:%E6%B2%99%E7%9B%92&diff=55464131&oldid=55464121

Details

SubjectRepoBranchLines +/-
SECURITY: escape edit summaries in feed pagesmediawiki/extensions/MobileFrontendREL1_31+2 -1
SECURITY: escape edit summaries in feed pagesmediawiki/extensions/MobileFrontendREL1_32+2 -1
SECURITY: escape edit summaries in feed pagesmediawiki/extensions/MobileFrontendREL1_33+2 -1
SECURITY: escape edit summaries in feed pagesmediawiki/extensions/MobileFrontendmaster+2 -1
Customize query in gerrit

Related Objects

Event Timeline

Xiplus created this task.Aug 1 2019, 3:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 1 2019, 3:35 AM
MaxSem triaged this task as Unbreak Now! priority.Aug 1 2019, 7:15 AM
MaxSem added projects: MobileFrontend, Vuln-XSS.
MaxSem subscribed.

Proposed patch:

T229541.patch1 KBDownload

This sounds like it needs a CVE?

sbassett subscribed.Aug 1 2019, 2:03 PM

Looking at this - the XSS only appears to render for me within the first URL. I assume the second URL was provided just to show the diff?

@MaxSem - patch looks sane, going to test it locally now. Trying to think of the best time to security-deploy this. Maybe after the group2 train today but before evening SWAT? Or maybe during the SWAT? Not sure what the protocol is re: security patches getting deployed during SWATs.

Xiplus added a comment.Aug 1 2019, 2:04 PM
In T229541#5384387, @sbassett wrote:

I assume the second URL was provided just to show the diff?

Yes.

Xiplus updated the task description. (Show Details)Aug 1 2019, 2:10 PM
MarcoAurelio subscribed.Aug 1 2019, 5:58 PM
tstarling subscribed.Aug 2 2019, 12:50 AM

Patch reviewed, looks good to me.

sbassett added a comment.Aug 2 2019, 6:34 PM

Note: I plan to security-deploy @MaxSem's patch from T229541#5383474 this afternoon (Aug 2nd) and provide another update here.

sbassett mentioned this in T225152: Tracking bug for MediaWiki 1.31.4/1.32.4/1.33.1 security release.Aug 2 2019, 8:56 PM
sbassett added a parent task: T225152: Tracking bug for MediaWiki 1.31.4/1.32.4/1.33.1 security release.Aug 2 2019, 8:58 PM
sbassett lowered the priority of this task from Unbreak Now! to High.Aug 2 2019, 9:08 PM
sbassett added a subscriber: Reedy.

Update:

  1. Patch deployed and tested: the above URL no longer renders an XSS for me.
  2. Added this bug to the next security release tracking bug as a sub-task: T225152. I need to double-check w/ @Reedy how we normally do this for deployed extensions. I know that the security release tracking bug is the normal path towards requesting/issuing CVEs, but I know we sometimes just backport as necessary in gerrit for extensions. I'll keep this bug private until I know what to do here.
Reedy added a comment.EditedAug 2 2019, 9:11 PM

We don’t bundle MF so we don’t need to tag it to the next MW release

We can get a CVE for it though if we want

When it’s deployed in production we can just put the patch into master so it will ride the train for new branches. Can even cherry pick to branches and redeploy to make things consistent if you want

sbassett removed a parent task: T225152: Tracking bug for MediaWiki 1.31.4/1.32.4/1.33.1 security release.Aug 2 2019, 9:14 PM

@Reedy - ok, thanks. I removed it from T225152. I'll plan to backport in gerrit to master and any necessary MF release branches.

Reedy added a comment.Aug 2 2019, 10:14 PM

Ah yeah, forgot about that. Backporting to supported branches is good :)

sbassett added a subscriber: MoritzMuehlenhoff.Aug 9 2019, 4:07 PM

Update (I was on vacation earlier this week, just getting back to this):

  1. After chatting w/ @MoritzMuehlenhoff, I've gone ahead and requested a CVE for this vulnerability. I'm not sure we've consistently done this in the past for various MediaWiki extensions (at least for deployed and/or bundled extensions), though I'd like to start doing this on a more consistent basis going forward, perhaps even training other foundation/community folks on the process.
  2. Once I receive confirmation from Mitre of the CVE id, I'll plan to make this task public and backport in gerrit to the 1.31, 1.32 and 1.33 release branches and master, per the current version lifecycle.
  3. I'm not certain any additional communication is warranted here. Posts to phame, wikitech-l, etc. potentially seem to be a little overkill for issues like this and not what's been done in the past. Perhaps the Security-Team should further discuss what might be appropriate messaging for these kinds of vulnerabilities.
sbassett added a comment.Aug 9 2019, 5:54 PM

Update: CVE-2019-14807

MarcoAurelio added a comment.Aug 9 2019, 5:57 PM

Was the patch that we applied directly in production uploaded to gerrit and backported to supported branched already?

sbassett added a comment.Aug 9 2019, 5:59 PM

@MarcoAurelio - no, was going to start that process now. Wanted to wait until we had a confirmed CVE id.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 9 2019, 6:23 PM
Restricted Application added a subscriber: Stang. · View Herald TranscriptAug 9 2019, 6:23 PM
gerritbot added a comment.Aug 9 2019, 6:24 PM

Change 529407 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529407

gerritbot added a project: Patch-For-Review.Aug 9 2019, 6:24 PM
gerritbot added a comment.Aug 9 2019, 6:30 PM

Change 529410 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529410

gerritbot added a comment.Aug 9 2019, 6:31 PM

Change 529411 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529411

gerritbot added a comment.Aug 9 2019, 6:32 PM

Change 529412 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529412

sbassett mentioned this in T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check.Aug 9 2019, 7:19 PM
gerritbot added a comment.Aug 9 2019, 7:36 PM

Change 529407 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529407

Aklapper renamed this task from Javascript injection in edit summary on mobile site to Javascript injection in edit summary on mobile site (CVE-2019-14807).Aug 10 2019, 1:23 PM
gerritbot added a comment.Aug 12 2019, 1:59 AM

Change 529412 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529412

gerritbot added a comment.Aug 12 2019, 2:01 AM

Change 529411 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529411

gerritbot added a comment.Aug 12 2019, 2:01 AM

Change 529410 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in feed pages

https://gerrit.wikimedia.org/r/529410

sbassett removed a project: Patch-For-Review.Aug 12 2019, 2:03 AM
sbassett closed this task as Resolved.Aug 14 2019, 3:10 PM
sbassett claimed this task.

I don't believe there's anything else to do here for now.

sbassett mentioned this in T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124).Aug 15 2019, 8:32 PM
ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.20; 2019-08-27).Aug 20 2019, 4:01 PM
sbassett mentioned this in T232113: Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.4/1.32.4/1.33.1).Sep 5 2019, 3:38 PM
chasemp added a project: Security.Feb 10 2020, 10:54 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Stang unsubscribed.Nov 13 2021, 8:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL