Page MenuHomePhabricator
Create Task
Maniphest T240502

Raw HTML in MobileFrontend
Closed, ResolvedPublic3 Estimated Story Points
Actions

Description

The following interface messages seem to be treated as raw HTML in MobileFrontend, but aren't listed in RawHtmlMessages:

mobile-frontend-categories-add-heading
mobile-frontend-categories-add-wait
mobile-frontend-categories-heading
mobile-frontend-changeslist-nocomment
mobile-frontend-contributions-404-desc
mobile-frontend-editor-anonwarning
mobile-frontend-editor-editing-page
mobile-frontend-editor-licensing-with-terms
mobile-frontend-editor-previewing-page
mobile-frontend-editor-summary
mobile-frontend-editor-summary-request
mobile-frontend-editor-wait
mobile-frontend-talk-add-overlay-submit
mobile-frontend-talk-topic-wait

There are probably more. I created this list by adding an <img> to every single MediaWiki page corresponding to the MobileFrontend /i18n/en.json, randomly clicking on buttons in the mobile editor, then grepping apache logs for .jpg requests. I'm sure I haven't displayed everything, yet.

MobileFrontend may also be treating some non-MF interface messages as HTML; I haven't looked yet.

Developer notes

https://www.mediawiki.org/wiki/Manual:$wgRawHtmlMessages/en

Details

SubjectRepoBranchLines +/-
List known raw html messagesmediawiki/extensions/MobileFrontendREL1_32+17 -0
List known raw html messagesmediawiki/extensions/MobileFrontendREL1_31+17 -0
List known raw html messagesmediawiki/extensions/MobileFrontendREL1_34+15 -1
List known raw html messagesmediawiki/extensions/MobileFrontendREL1_33+17 -0
List known raw html messagesmediawiki/extensions/MobileFrontendmaster+15 -1
List known raw html messagesmediawiki/extensions/MobileFrontendwmf/1.35.0-wmf.11+15 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

suffusion_of_yellow created this task.Dec 11 2019, 8:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 11 2019, 8:32 PM
suffusion_of_yellow mentioned this in T240487: XSS in MinervaNeue skin (CVE-2019-19910).Dec 11 2019, 8:33 PM
suffusion_of_yellow added a project: MobileFrontend.Dec 11 2019, 8:35 PM
Urbanecm triaged this task as High priority.Dec 11 2019, 9:46 PM
Urbanecm added a subscriber: Florian.
Urbanecm added subscribers: ovasileva, Jdlrobson, nray, phuedx.Dec 11 2019, 9:51 PM
Jdlrobson added a project: Web-Team-Backlog (Kanbanana-2019-20-Q2).Dec 12 2019, 11:36 PM
Jdlrobson added a subscriber: pmiazga.Dec 12 2019, 11:42 PM
sbassett moved this task from Backlog / Other to Other WMF team on the acl*security board.Dec 13 2019, 8:28 PM
Jdlrobson updated the task description. (Show Details)Dec 18 2019, 5:28 PM
Jdlrobson added subscribers: Niedzielski, Jdrewniak.Dec 18 2019, 5:31 PM
ovasileva set the point value for this task to 3.Dec 18 2019, 5:36 PM
ovasileva moved this task from Needs Analysis to Ready for Development on the Web-Team-Backlog (Kanbanana-2019-20-Q2) board.
nray claimed this task.Dec 18 2019, 7:41 PM
nray moved this task from Ready for Development to Doing on the Web-Team-Backlog (Kanbanana-2019-20-Q2) board.
nray added a comment.Dec 19 2019, 7:31 PM

Attached is the patch to add all of the listed messages + 1 other one in the RawHtmlMessages array. I'm not sure if putting the patch here matters since I already screwed up (I think) and pushed the patch to gerrit (https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/MobileFrontend/+/559557/) before realizing this task was set to hidden. I'll try to be much more careful about this in the future.

T240502.patch1 KBDownload

sbassett added subscribers: Reedy, sbassett.Dec 19 2019, 9:27 PM

@nray - Yep, once it goes to gerrit or a public Phab task, it's there forever unless an appropriately-privileged user completely removes it. Though even in that case, it's still been publicly-exposed for a while. We all make mistakes though :) And this probably isn't quite as critical IMO since I believe this issue is only exploitable by sysops/editinterface users right now, so at least somewhat-trusted users. If you want to update your gerrit patch set soon to the appropriate revision of extension.json and let CI run (it'd be nice to prevent any unintended brokenness via tests), @Reedy or I can +2 and deploy today, which we probably should.

nray added a comment.Dec 19 2019, 9:36 PM

@sbassett gerrit patch has now been updated at https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/MobileFrontend/+/559557/ and ready to be deployed. Thank you!

sbassett added a comment.Dec 19 2019, 11:00 PM

Patch merged on master and wmf.11 and deployed to production. Backports to release branches can happen tomorrow (or later), I doubt this needs a CVE as I view it more as code hardening, but I could probably be convinced otherwise.

sbassett mentioned this in T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Dec 19 2019, 11:03 PM
nray removed nray as the assignee of this task.Dec 20 2019, 12:59 AM
nray moved this task from Doing to Ready for Signoff on the Web-Team-Backlog (Kanbanana-2019-20-Q2) board.
ovasileva edited projects, added Web-Team-Backlog (Kanbanana-2019-20-Q3); removed Web-Team-Backlog (Kanbanana-2019-20-Q2).Jan 6 2020, 7:17 PM
ovasileva moved this task from Needs Analysis to Ready for Signoff on the Web-Team-Backlog (Kanbanana-2019-20-Q3) board.
Jdlrobson added a comment.Jan 7 2020, 6:11 PM

@sbassett are you okay with me resolving this task or is there more to be done?

sbassett added a comment.Jan 7 2020, 6:37 PM

@Jdlrobson - it'd be nice to get backports to supported release branches completed - I can maybe get those started in gerrit now. I think we can make the task public now (since it's been patched and deployed within production) but I'd wait to resolve it if we can get the backports completed first.

sbassett lowered the priority of this task from High to Medium.Jan 7 2020, 6:37 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
gerritbot added a comment.Jan 7 2020, 6:42 PM

Change 562577 had a related patch set uploaded (by SBassett; owner: Nray):
[mediawiki/extensions/MobileFrontend@REL1_34] List known raw html messages

https://gerrit.wikimedia.org/r/562577

gerritbot added a project: Patch-For-Review.Jan 7 2020, 6:42 PM
gerritbot added a comment.Jan 7 2020, 6:56 PM

Change 562581 had a related patch set uploaded (by SBassett; owner: Nray):
[mediawiki/extensions/MobileFrontend@REL1_33] List known raw html messages

https://gerrit.wikimedia.org/r/562581

gerritbot added a comment.Jan 7 2020, 7:01 PM

Change 562582 had a related patch set uploaded (by SBassett; owner: Nray):
[mediawiki/extensions/MobileFrontend@REL1_32] List known raw html messages

https://gerrit.wikimedia.org/r/562582

gerritbot added a comment.Jan 7 2020, 7:02 PM

Change 562583 had a related patch set uploaded (by SBassett; owner: Nray):
[mediawiki/extensions/MobileFrontend@REL1_31] List known raw html messages

https://gerrit.wikimedia.org/r/562583

gerritbot added a comment.Jan 7 2020, 7:17 PM

Change 562581 merged by jenkins-bot:
[mediawiki/extensions/MobileFrontend@REL1_33] List known raw html messages

https://gerrit.wikimedia.org/r/562581

gerritbot added a comment.Jan 8 2020, 6:34 PM

Change 562577 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_34] List known raw html messages

https://gerrit.wikimedia.org/r/562577

gerritbot added a comment.Jan 14 2020, 4:48 PM

Change 562583 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_31] List known raw html messages

https://gerrit.wikimedia.org/r/562583

gerritbot added a comment.Jan 14 2020, 4:48 PM

Change 562582 merged by SBassett:
[mediawiki/extensions/MobileFrontend@REL1_32] List known raw html messages

https://gerrit.wikimedia.org/r/562582

sbassett closed this task as Resolved.Jan 14 2020, 4:49 PM
sbassett assigned this task to nray.
Maintenance_bot removed a project: Patch-For-Review.Jan 14 2020, 5:11 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
sbassett added a parent task: T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Mar 10 2020, 2:15 PM
Jdlrobson edited projects, added MobileFrontend (MobileFrontend Special Pages); removed MobileFrontend.Jan 20 2022, 1:23 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL