Related Objects
Mentioned In:
- T232113: Write and send supplementary release announcement for extensions with security patches (MediaWiki 1.31.4/1.32.4/1.33.1)
- T230576: XSS in edit summary for ex:MobileFrontend Special:Watchlist (CVE-2019-15124)
- T230234: Sanitizer::stripAllTags() causing double-escape false positive from phan-taint-check
- T225152: Tracking bug for MediaWiki 1.31.4/1.32.4/1.33.1 security release
Mentioned Here:
- T225152: Tracking bug for MediaWiki 1.31.4/1.32.4/1.33.1 security release
Event Timeline
Looking at this - the XSS only appears to render for me within the first URL. I assume the second URL was provided just to show the diff?
@MaxSem - patch looks sane, going to test it locally now. Trying to think of the best time to security-deploy this. Maybe after the group2 train today but before evening SWAT? Or maybe during the SWAT? Not sure what the protocol is re: security patches getting deployed during SWATs.
Note: I plan to security-deploy @MaxSem's patch from T229541#5383474 this afternoon (Aug 2nd) and provide another update here.
Update:
- Patch deployed and tested: the above URL no longer renders an XSS for me.
- Added this bug to the next security release tracking bug as a sub-task: T225152. I need to double-check w/ @Reedy how we normally do this for deployed extensions. I know that the security release tracking bug is the normal path towards requesting/issuing CVEs, but I know we sometimes just backport as necessary in gerrit for extensions. I'll keep this bug private until I know what to do here.
We don’t bundle MF so we don’t need to tag it to the next MW release
We can get a CVE for it though if we want
When it’s deployed in production we can just put the patch into master so it will ride the train for new branches. Can even cherry pick to branches and redeploy to make things consistent if you want
Update (I was on vacation earlier this week, just getting back to this):
- After chatting w/ @MoritzMuehlenhoff, I've gone ahead and requested a CVE for this vulnerability. I'm not sure we've consistently done this in the past for various MediaWiki extensions (at least for deployed and/or bundled extensions), though I'd like to start doing this on a more consistent basis going forward, perhaps even training other foundation/community folks on the process.
- Once I receive confirmation from Mitre of the CVE id, I'll plan to make this task public and backport in gerrit to the 1.31, 1.32 and 1.33 release branches and master, per the current version lifecycle.
- I'm not certain any additional communication is warranted here. Posts to phame, wikitech-l, etc. potentially seem to be a little overkill for issues like this and not what's been done in the past. Perhaps the Security-Team should further discuss what might be appropriate messaging for these kinds of vulnerabilities.
Was the patch that we applied directly in production uploaded to gerrit and backported to supported branches already?
@MarcoAurelio - no, was going to start that process now. Wanted to wait until we had a confirmed CVE id.
Change 529407 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in feed pages
Change 529410 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in feed pages
Change 529411 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in feed pages
Change 529412 had a related patch set uploaded (by SBassett; owner: MaxSem):
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in feed pages
Change 529407 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@master] SECURITY: escape edit summaries in feed pages
Change 529412 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_31] SECURITY: escape edit summaries in feed pages
Change 529411 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_32] SECURITY: escape edit summaries in feed pages
Change 529410 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_33] SECURITY: escape edit summaries in feed pages