Page MenuHomePhabricator
Create Task
Maniphest T240773

Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163)
Closed, ResolvedPublic
Actions

Description

Introduced in T235754: Implement haswbstatement:P<depicts>=Q<your term> autocomplete suggestions:

Details

SubjectRepoBranchLines +/-
Escape labels in HTML outputmediawiki/extensions/WikibaseMediaInfomaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bugreporter created this task.Dec 14 2019, 11:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 14 2019, 11:05 PM
Bugreporter added projects: WikibaseMediaInfo, Structured Data Engineering.Dec 14 2019, 11:06 PM
Restricted Application added a project: Structured-Data-Backlog. · View Herald TranscriptDec 14 2019, 11:06 PM
Bugreporter added subscribers: Ramsey-WMF, Keegan, PDrouin-WMF.Dec 14 2019, 11:07 PM

@matthiasmullie as the developer.

Bugreporter added a subscriber: matthiasmullie.Dec 14 2019, 11:08 PM
Bugreporter added a comment.Dec 16 2019, 8:06 PM

@matthiasmullie (probably the previous ping does not work)

Bugreporter added a comment.Dec 16 2019, 8:07 PM
This comment was removed by Bugreporter.
Bugreporter added a comment.Dec 16 2019, 8:08 PM

@Ramsey-WMF please see this

matthiasmullie claimed this task.Dec 16 2019, 8:10 PM
matthiasmullie edited projects, added Structured-Data-Backlog (Current Work); removed Structured-Data-Backlog.
Ramsey-WMF added a comment.Dec 16 2019, 8:16 PM

Looking into it.

Aklapper added a comment.Dec 16 2019, 8:17 PM

[@Bugreporter: Please stop pinging people one by one and creating notification emails for each comment. Thanks for your understanding.]

matthiasmullie moved this task from Incoming to Code Review on the Structured-Data-Backlog (Current Work) board.Dec 16 2019, 8:40 PM
sbassett moved this task from Backlog / Other to Other WMF team on the acl*security board.Dec 16 2019, 8:48 PM
sbassett added projects: Security-Team, Vuln-XSS.
sbassett moved this task from Incoming to Watching on the Security-Team board.
matthiasmullie moved this task from Code Review to Needs QA on the Structured-Data-Backlog (Current Work) board.Dec 17 2019, 5:03 PM
Ramsey-WMF moved this task from Needs QA to Verify on Production on the Structured-Data-Backlog (Current Work) board.Dec 17 2019, 5:34 PM
Reedy triaged this task as Medium priority.Dec 18 2019, 5:01 PM
matthiasmullie closed this task as Resolved.Jan 6 2020, 6:48 PM

This is now fixed - confirmed with example mentioned in task description.

sbassett subscribed.Jan 6 2020, 6:59 PM

@matthiasmullie - Is there a gerrit patch set or security patch we could reference here? Backports to supported release branches or a CVE? The Security-Team can help with the latter if need be. Thanks.

matthiasmullie added a comment.Jan 6 2020, 7:54 PM

Yes - not sure why gerritbot didn't pick it up, but here's the patch: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseMediaInfo/+/558203

sbassett added a comment.Jan 6 2020, 8:10 PM
In T240773#5779321, @matthiasmullie wrote:

Yes - not sure why gerritbot didn't pick it up, but here's the patch: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikibaseMediaInfo/+/558203

Thanks! gerritbot can't currently see security-protected Phab tasks.

sbassett added a comment.Jan 7 2020, 9:39 PM

So it doesn't look like templates/search/PropertySuggestionsWidget.mustache+dom existed in REL1_34 or previous, so no backports necessary. I'm going make the task public now and request a CVE.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 7 2020, 9:39 PM
sbassett moved this task from Other WMF team to Done on the acl*security board.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett renamed this task from Exposed HTML in WikibaseMediaInfo autocomplete suggestions to Exposed HTML in WikibaseMediaInfo autocomplete suggestions (CVE-2020-6163).Jan 8 2020, 6:18 PM
sbassett mentioned this in T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Jan 8 2020, 6:29 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
sbassett added a parent task: T240400: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.7/1.33.3/1.34.1).Mar 10 2020, 2:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL