Page MenuHomePhabricator
Create Task
Maniphest T246602

makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960)
Closed, ResolvedPublicSecurity
Actions

Description

The code <span class="mw-collapsible" id="mw-customcollapsible-x,body">a</span>, when placed on a wiki page, causes the body element to undergo several changes: It has the mw-customtoggle class and tabindex=0 applied to it, along with several event handlers being attached which collapse or expand a particular element (many of these handlers suppressing normal behaviour). The "body" can be replaced with any CSS selector, including, for example "*", which will then have the effects apply to all elements matching the selector.

The source of this is presumably https://phabricator.wikimedia.org/source/mediawiki/browse/master/resources/src/jquery/jquery.makeCollapsible.js$246

(I don't think this bug matters much on its own, but I'm a bit concerned about what bugs this could be combined with to open up some worrisome possibilities. Sorry if this isn't the kind of thing that should be labelled a security issue, I'm not sure what the boundaries are.)

Details

SubjectRepoBranchLines +/-
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectorsmediawiki/coremaster+1 -0
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectorsmediawiki/coreREL1_33+1 -0
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectorsmediawiki/coreREL1_34+1 -0
SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectorsmediawiki/coreREL1_31+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Yair_rand created this task.Mar 2 2020, 3:28 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2020, 3:28 AM
Aklapper added a project: MediaWiki-General.Mar 2 2020, 9:42 AM
matmarex subscribed.Mar 2 2020, 4:12 PM

Thanks for reporting this. You can use security issues for anything even slightly concerning that you don't want to make public.

Note that you need to use $wgFragmentMode = [ 'html5', 'legacy' ]; (or similar) to reproduce this, by default MediaWiki escapes ID attributes in a manner that breaks this. We use this config on Wikimedia sites though.

I don't think this can result in anything really scary like an XSS problem. It allows the content of the page to affect the MediaWiki interface, which is bad since it can often interfere with the admins' ability to revert the edit or delete the page, but in this case I couldn't find a way to do anything other than make clicks anywhere on the page hide/show a part of the content. We just got lucky though.

Potential fix is to use $.escapeSelector:

0001-jquery.makeCollapsible-Escape-user-generated-CSS-sel.patch1 KBDownload

chasemp assigned this task to sbassett.Mar 2 2020, 4:36 PM
chasemp triaged this task as Low priority.
chasemp moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a comment.Mar 2 2020, 10:50 PM
In T246602#5933105, @matmarex wrote:

Note that you need to use $wgFragmentMode = [ 'html5', 'legacy' ]; (or similar) to reproduce this, by default MediaWiki escapes ID attributes in a manner that breaks this. We use this config on Wikimedia sites though.

It wasn't immediately clear to me, but the order of the array values appears to matter. When $wgFragmentMode is set to [ 'legacy', 'html5' ] (its default), it defangs the bad id whereas setting it to [ 'html5', 'legacy' ] or [ 'html5' ] does not.

I don't think this can result in anything really scary like an XSS problem. It allows the content of the page to affect the MediaWiki interface, which is bad since it can often interfere with the admins' ability to revert the edit or delete the page, but in this case I couldn't find a way to do anything other than make clicks anywhere on the page hide/show a part of the content. We just got lucky though.

Potential fix is to use $.escapeSelector:

0001-jquery.makeCollapsible-Escape-user-generated-CSS-sel.patch1 KBDownload

I'd agree that this would likely be difficult to exploit in any serious way, though we did just have a different UI issue with security implications (T232932). Patch looks good and tests fine. I think I'm going to deploy it now during the remainder of the weekly security deployment window.

sbassett added a comment.Mar 2 2020, 11:21 PM

Deployed to wmf.21. Seems fine on testwiki.

sbassett added a parent task: T240393: Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.Mar 2 2020, 11:25 PM
sbassett mentioned this in T240393: Tracking bug for MediaWiki 1.31.7/1.33.3/1.34.1.
Krinkle awarded a token.Mar 5 2020, 2:46 AM
Reedy closed this task as Resolved.Mar 24 2020, 5:13 PM
Reedy subscribed.

Patch applies cleanly to master, REL1_34, REL1_33 and REL1_31. Closing as release is coming this week

sbassett renamed this task from makeCollapsible allows applying event handler to any CSS selector to makeCollapsible allows applying event handler to any CSS selector (CVE-2020-10960).Mar 26 2020, 3:40 AM
sbassett mentioned this in T240399: Obtain CVEs for 1.31.7/1.33.3/1.34.1 security releases.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 26 2020, 5:42 PM
gerritbot added a comment.Mar 26 2020, 5:42 PM

Change 583697 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583697

gerritbot added a comment.Mar 26 2020, 5:46 PM

Change 583700 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583700

gerritbot added a comment.Mar 26 2020, 5:47 PM

Change 583703 merged by jenkins-bot:
[mediawiki/core@REL1_34] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583703

DannyS712 subscribed.Mar 26 2020, 5:52 PM
gerritbot added a comment.Mar 26 2020, 5:57 PM

Change 583708 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: jquery.makeCollapsible: Escape user-generated CSS selectors

https://gerrit.wikimedia.org/r/583708

Jdforrester-WMF added projects: MW-1.31-release-notes, MW-1.34-notes, MW-1.33-notes.Mar 27 2020, 5:33 PM
Jdforrester-WMF added a project: MW-1.35-notes (1.35.0-wmf.26; 2020-03-31).
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL