
Cosmos skin: Mixed use of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620)
Closed, ResolvedPublicSecurity

Description

The Cosmos skin calls Html::rawElement() in many places and also calls wfMessage(). Some of those wfMessage() calls are passed to Html::rawElement() without an output mode, so the message output is not escaped, which allows XSS. There are many places where this could happen, and all of them need to be properly audited...

In CosmosSocialProfile::getUserGroups() (lines 44 and 58, https://github.com/wikimedia/mediawiki-skins-Cosmos/blob/master/includes/CosmosSocialProfile.php#L44-L58):

```php
// Line 44: the Message object is coerced to a string with no output mode chosen
$usertags = Html::rawElement( 'span', [ 'class' => 'tag tag-blocked' ], wfMessage( 'cosmos-user-blocked' ) );
// Line 58: ucfirst() forces the same implicit string conversion
$usertags .= Html::rawElement( 'span', [ 'class' => 'tag tag-' . Sanitizer::escapeClass( $value ) ], ucfirst( wfMessage( 'group-' . $value . '-member' ) ) );
```

There are many i18n message calls in CosmosTemplate, but most of them are either passed through Sanitizer::escapeIdForAttribute() or use text as the output mode (->text()). The two lines above seem to be the only cases that are security issues.

Codesearch query: https://codesearch.wmcloud.org/skins/?q=(wfMessage%7C%5C%24this-%3EgetMsg)&i=nope&files=&repos=Skin:Cosmos
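As an added example (not code from the Cosmos skin or from MediaWiki), the script below puts the vulnerable pattern from line 44 beside the two usual fixes: choosing ->escaped() before Html::rawElement(), or choosing ->text() and letting Html::element() escape. Html, Message and wfMessage() here are minimal stand-ins that mimic only the relevant behaviour of the real MediaWiki classes, and the message text is a constructed sample.

```php
<?php
// Stand-ins for the MediaWiki pieces involved (NOT the real implementations).
// They mirror only what matters here: Html::rawElement() inserts its content
// verbatim, Html::element() escapes it, and a Message object coerced to a
// string yields formatted output whose mode the caller never chose.
class Html {
    public static function rawElement( string $tag, array $attrs, string $content ): string {
        $attrStr = '';
        foreach ( $attrs as $k => $v ) {
            $attrStr .= ' ' . $k . '="' . htmlspecialchars( $v, ENT_QUOTES ) . '"';
        }
        return "<$tag$attrStr>$content</$tag>";
    }
    public static function element( string $tag, array $attrs, string $content ): string {
        return self::rawElement( $tag, $attrs, htmlspecialchars( $content, ENT_QUOTES ) );
    }
}
class Message {
    private string $raw;
    public function __construct( string $raw ) { $this->raw = $raw; }
    // text(): plain text output mode; still needs escaping before HTML insertion
    public function text(): string { return $this->raw; }
    // escaped(): HTML-escaped output mode; safe to hand to rawElement()
    public function escaped(): string { return htmlspecialchars( $this->raw, ENT_QUOTES ); }
    // Implicit string conversion: the caller picked no output mode at all
    public function __toString(): string { return $this->raw; }
}
// Constructed sample message store: a message whose text carries markup
function wfMessage( string $key ): Message {
    $store = [ 'cosmos-user-blocked' => 'Blocked<img src=x onerror=alert(1)>' ];
    return new Message( $store[$key] ?? "<$key>" );
}

// Vulnerable pattern from the task: Message coerced to string inside rawElement()
function blockedTagVulnerable(): string {
    return Html::rawElement( 'span', [ 'class' => 'tag tag-blocked' ], wfMessage( 'cosmos-user-blocked' ) );
}
// Fix 1: explicit escaped() output mode, content is safe for rawElement()
function blockedTagEscaped(): string {
    return Html::rawElement( 'span', [ 'class' => 'tag tag-blocked' ], wfMessage( 'cosmos-user-blocked' )->escaped() );
}
// Fix 2: text() output mode with Html::element(), which escapes the content itself
function blockedTagElement(): string {
    return Html::element( 'span', [ 'class' => 'tag tag-blocked' ], wfMessage( 'cosmos-user-blocked' )->text() );
}

echo blockedTagVulnerable(), "\n"; // the <img ...> tag reaches the page verbatim
echo blockedTagEscaped(), "\n";    // &lt;img ...&gt; is rendered as literal text
echo blockedTagElement(), "\n";    // same safe output as the escaped() variant
```

The line 58 call has the same defect: ucfirst() forces the implicit string conversion, so the fix is to apply ucfirst() to ->text() and pass the result to Html::element(), or to ->escaped() and keep rawElement().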

Event Timeline

Restricted Application added a subscriber: Aklapper. Oct 14 2020, 1:33 AM

Hi everyone, I hope this is fine. It's not to rush anyone, it's just that this is a matter of being a security issue (albeit not a repository that's deployed on Wikimedia). Does the patch above look OK? I received an OK from Universal Omega on Discord, and I would like to receive at least one more OK so I can push this to the master branch and backport it to the other branches as well. Also CC'ing @DannyS712, since Urbanecm added them as a subscriber.

Adding @alistair3149 as a subscriber, as they recently joined the developer team for the Cosmos skin.

SamanthaNguyen moved this task from In Progress to Blocked on the Cosmos board. Oct 17 2020, 3:31 PM
SamanthaNguyen triaged this task as High priority. Oct 17 2020, 4:17 PM
SamanthaNguyen moved this task from Blocked to Done on the Cosmos board.

Not sure whether I should mark this task as resolved and public, but it's done on our side now, so moving it on the Cosmos workboard.

@SamanthaNguyen - I'm not seeing anything on the task that would necessitate this remaining private, so we can make it public if you'd like, just let us know (if you don't have permissions to do so). Also, we can track this at T263810 for increased visibility if you'd like.

@sbassett Hi! Yes please, I tried looking but I don't see any UI button on my screen to make this task public. Thank you! I don't have access to T263810, but I'm guessing that it would be related to this task then?

sbassett closed this task as Resolved. Oct 19 2020, 5:09 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

@SamanthaNguyen - Ok, I've resolved this task and made it public. T263810 is just the tracking task for the quarterly-ish supplemental exts/skins announcement (recent example: https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093904.html). I subbed you to the task, but perhaps that's not enough to override the current security setting.

@sbassett Thanks for clearing that up. And yeah I'm not sure, it looks like I'm still not able to see the task unfortunately?

Hmm, we might not be able to add folks outside of acl*security_team then. Sorry about that. I am tracking this task there now and will likely request a CVE for this issue.

Okay that's fine, thank you anyways!

sbassett renamed this task from Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement to Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620). Oct 22 2020, 8:27 PM
RhinosF1 added a comment. Edited Oct 22 2020, 9:03 PM

Thanks for getting the CVE sorted @sbassett