Page MenuHomePhabricator
Create Task
Maniphest T255918

Unescaped message used in HTML on Special:Contributions (CVE-2020-25812)
Closed, ResolvedPublicSecurity
Actions

Description

On Special:Contributions, the NS filter uses unescaped messages as keys in the 'option' key for an HTMLForm specifier (source):

$fields['nsFilters'] = [
	// ...
	'options' => [
		$this->msg( 'invert' )->text() => 'nsInvert',
		$this->msg( 'namespace_association' )->text() => 'associated',
	],

This is vulnerable to a mild XSS in case one of those messages is changed to include raw HTML.

The issue was spotted by taint-check.

Details

SubjectRepoBranchLines +/-
SECURITY: Escape messages used as keys on Special:Contributionsmediawiki/coreREL1_35+5 -3
SECURITY: Escape messages used as keys on Special:Contributionsmediawiki/coremaster+3 -3
SECURITY: Escape messages used as keys on Special:Contributionsmediawiki/coreREL1_34+5 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Daimona created this task.Jun 20 2020, 3:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 20 2020, 3:28 PM
Daimona added a project: Vuln-XSS.Jun 20 2020, 3:29 PM
Daimona added a parent task: T2212: Some MediaWiki: messages not safe in HTML (tracking).
Aklapper added a project: MediaWiki-Special-pages.Jun 20 2020, 4:27 PM
sbassett moved this task from Incoming to Back Orders on the Security-Team board.Jun 22 2020, 3:13 PM
sbassett subscribed.Jun 22 2020, 3:51 PM

s/text/escaped/ ?

Daimona added a comment.Jun 22 2020, 4:12 PM
In T255918#6245034, @sbassett wrote:

s/text/escaped/ ?

Yeah, that seems the "right thing to do"™.

sbassett added a comment.Jun 22 2020, 9:19 PM

Should probably security-deploy sometime soon as opposed to gerrit, just to be safe. Special page tests pass but I'm not sure if it might upset anything in production.

From 376cfd4aa749d337067982353ab334a139cf3b8e Mon Sep 17 00:00:00 2001
From: sbassett <sbassett@wikimedia.org>
Date: Mon, 22 Jun 2020 16:16:15 -0500
Subject: [PATCH] Escape messages used as keys on Special:Contributions

Use escaped() instead of text() for message options keys

Bug: T255918
---
 includes/specials/SpecialContributions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 1a6d04f30d..eeee786123 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -590,8 +590,8 @@ class SpecialContributions extends IncludableSpecialPage {
            // See resources/src/mediawiki.special.recentchanges.js
            'infusable' => true,
            'options' => [
-               $this->msg( 'invert' )->text() => 'nsInvert',
-               $this->msg( 'namespace_association' )->text() => 'associated',
+               $this->msg( 'invert' )->escaped() => 'nsInvert',
+               $this->msg( 'namespace_association' )->escaped() => 'associated',
            ],  
            'default' => $nsFilters,
            'section' => 'contribs-top',
-- 
2.22.0
sbassett moved this task from Back Orders to In Progress on the Security-Team board.Jun 22 2020, 9:20 PM
sbassett added a project: user-sbassett.
sbassett moved this task from Backlog to In Progress on the user-sbassett board.
Daimona added a comment.Jun 23 2020, 10:32 AM
In T255918#6246544, @sbassett wrote:

Should probably security-deploy sometime soon as opposed to gerrit, just to be safe. Special page tests pass but I'm not sure if it might upset anything in production.

Let's try and see if something explodes? :-)

Jokes aside, I tried grepping those messages on codesearch and they're always used with ->text(), so they're not meant to contain any HTML, so nothing should break.

As for the patch, there's a cleaner alternative: using options-messages instead of options (see example here), as it already escapes stuff. I thought it would only work for values, but in fact it works for keys.

On a related note, LogEventsList has the same problem, see here:

private function getFiltersDesc( $filter ) {
	foreach ( $filter as $type => $val ) {
		// ...
		$options[ $message->text() ] = $type; // Line 214
	}
	return [
		// ...
		'options' => $options,
	];
}

Shall I open a new task for that, or do you want to include this fix in the same patch? For LogEventsList, options-messages cannot be used, so the fix is s/text/escaped/ at line 214.

sbassett added a comment.EditedJun 23 2020, 7:34 PM
In T255918#6247910, @Daimona wrote:

Jokes aside, I tried grepping those messages on codesearch and they're always used with ->text(), so they're not meant to contain any HTML, so nothing should break.

As for the patch, there's a cleaner alternative: using options-messages instead of options (see example here), as it already escapes stuff. I thought it would only work for values, but in fact it works for keys.

Sounds good. Here's an updated version of the patch, which I can try to deploy during next week's (2020-06-29) security window:

From 624dc78883a117963fec1aa996fb374b36441323 Mon Sep 17 00:00:00 2001
From: sbassett <sbassett@wikimedia.org>
Date: Mon, 22 Jun 2020 16:16:15 -0500
Subject: [PATCH] Escape messages used as keys on Special:Contributions

Use options-messages instead of text() for message-based options keys

Bug: T255918
---
 includes/specials/SpecialContributions.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/includes/specials/SpecialContributions.php b/includes/specials/SpecialContributions.php
index 1a6d04f30d..22da6b7c8d 100644
--- a/includes/specials/SpecialContributions.php
+++ b/includes/specials/SpecialContributions.php
@@ -589,9 +589,9 @@ class SpecialContributions extends IncludableSpecialPage {
            // `contribs-ns-filters` class allows these fields to be toggled on/off by JavaScript.
            // See resources/src/mediawiki.special.recentchanges.js
            'infusable' => true,
-           'options' => [
-               $this->msg( 'invert' )->text() => 'nsInvert',
-               $this->msg( 'namespace_association' )->text() => 'associated',
+           'options-messages' => [
+               'invert' => 'nsInvert',
+               'namespace_association' => 'associated',
            ],  
            'default' => $nsFilters,
            'section' => 'contribs-top',
-- 
2.22.0

Shall I open a new task for that, or do you want to include this fix in the same patch? For LogEventsList, options-messages cannot be used, so the fix is s/text/escaped/ at line 214.

Yeah, let's file a new bug.

Update: filed as T256171.

sbassett triaged this task as Medium priority.Jun 23 2020, 7:35 PM
sbassett mentioned this in T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815).Jun 23 2020, 7:39 PM
sbassett added a project: Patch-For-Review.Jun 23 2020, 7:47 PM
Daimona added a comment.Jun 24 2020, 9:21 AM
In T255918#6249760, @sbassett wrote:

Sounds good. Here's an updated version of the patch, which I can try to deploy during next week's (2020-06-29) security window:
[snip]

Tested it, works fine. Approved, please go ahead and deploy whenever you wish.

sbassett removed a project: Patch-For-Review.Jun 24 2020, 8:56 PM
sbassett claimed this task.Jun 29 2020, 3:38 PM
sbassett added a comment.EditedJun 29 2020, 10:02 PM

Deployed. Holding for next security release.

sbassett added a parent task: T256335: Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0.Jun 29 2020, 10:55 PM
sbassett moved this task from In Progress to Waiting on the Security-Team board.Jun 29 2020, 10:58 PM
sbassett moved this task from In Progress to Done on the user-sbassett board.
sbassett removed a project: user-sbassett.Aug 3 2020, 9:01 PM
Reedy mentioned this in T256335: Tracking bug for MediaWiki 1.31.9/1.34.3/1.35.0.Sep 7 2020, 10:28 PM
Reedy subscribed.Sep 21 2020, 11:21 PM

Looks like this isn't needed for REL1_31 - rMW2bb8515286da: Make Special:Contributions use OOUI added it, which is only in REL1_34

Reedy closed this task as Resolved.Sep 21 2020, 11:36 PM

Resolving for ease of tracking in parent

Reedy mentioned this in T256341: Obtain CVEs for 1.31.9/1.34.3/1.35.0 security releases.Sep 22 2020, 9:41 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 24 2020, 11:14 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Legoktm renamed this task from Unescaped message used in HTML on Special:Contributions to Unescaped message used in HTML on Special:Contributions (CVE-2020-25812).Sep 27 2020, 11:51 AM
Grunny mentioned this in T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles.Mar 20 2021, 3:59 PM
Grunny mentioned this in T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).Mar 21 2021, 6:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL