
Tilde stripping in signatures is inadequate
Open, Needs Triage · Public


Editors have been banned for using tildes in their signatures (among other things):

The issue is that if you set your 'fancy' signature to ~~~~ it gets inserted literally in the output, and then the next editor to save the talk page gets *their* signature substituted, causing the evil editor's comments to be misattributed.

Code was added in 2006 to prevent this: 682e6e96e035e95dc44c8f17ce050bb7c16f60e2

But this is ineffective. For example consider the signature ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~. This gets expanded on first save to ~~{{subst:1x|}}~~ which will then be treated as ~~~~ on a subsequent save (subst is handled before signature insertion).

This isn't really a security bug: we have a policy in place forbidding confusing signatures in general, and the original author is stored in the version history. But it is a case where our attempted sanitization is imperfect.
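The two-save expansion described above, as an added example that is not MediaWiki's code or part of the original task: a toy model of pre-save substitution, plus a check that rejects a signature if any simulated save exposes a run of tildes. The template table, the function names and the rule that a pipe produced by expansion does not split arguments in the same pass are assumptions of this model.

```python
import re

# Toy stand-ins for the two templates used on the page (assumed behaviour):
# "1x" returns its first argument, "!" returns a literal pipe.
TEMPLATES = {"1x": lambda a: a[0] if a else "", "!": lambda a: "|"}
OPEN = "{{subst:"
SIG = "~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~"  # signature quoted in the task

def has_tilde_run(text):
    """True if text holds a signature marker (three or more tildes)."""
    return re.search(r"~{3,}", text) is not None

def _scan(text, i):
    """From just past '{{subst:', return (top-level parts, index past '}}')."""
    parts, cur, depth = [], "", 0
    while i < len(text):
        two = text[i:i + 2]
        if two == "}}" and depth == 0:
            return parts + [cur], i + 2
        if two in ("{{", "}}"):
            depth += 1 if two == "{{" else -1
            cur, i = cur + two, i + 2
        elif text[i] == "|" and depth == 0:
            parts, cur, i = parts + [cur], "", i + 1
        else:
            cur, i = cur + text[i], i + 1
    return None, i  # unbalanced braces

def save_pass(text):
    """One simulated save: expand subst calls, innermost first."""
    out, i = "", 0
    while i < len(text):
        parts, end = _scan(text, i + len(OPEN)) if text.startswith(OPEN, i) else (None, i)
        if parts is None:  # plain character or unbalanced call: copy through
            out, i = out + text[i], i + 1
            continue
        parts = [save_pass(p) for p in parts]
        name = parts[0].strip()
        # A pipe produced by expansion does not split arguments in this pass,
        # so "1x|" is not a known name and the call is left as literal text.
        out += TEMPLATES[name](parts[1:]) if name in TEMPLATES else OPEN + "|".join(parts) + "}}"
        i = end
    return out

def signature_is_stable(sig, max_saves=5):
    """Reject a signature if any simulated save exposes a tilde run."""
    for _ in range(max_saves):
        if has_tilde_run(sig):
            return False
        nxt = save_pass(sig)
        if nxt == sig:
            return True
        sig = nxt
    return False  # still changing after max_saves: treat as unsafe
```

A check that only inspects the raw preference value accepts SIG, because the tilde run first appears after the second simulated save; iterating to a fixed point catches it.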



Event Timeline

cscott created this task. Aug 17 2019, 12:23 PM
Restricted Application added subscribers: Liuxinyu970226, Aklapper. Aug 17 2019, 12:23 PM

Change 549953 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] [WIP] preferences: Prevent "nested" substitution in signature

matmarex claimed this task. Nov 9 2019, 12:36 AM