Page MenuHomePhabricator
Create Task
Maniphest T268341

Possible XSS in SpecialGlobalUsage (CVE-2020-35622)
Closed, ResolvedPublicSecurity
Actions

Description

Seen while upgrading taint-check in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GlobalUsage/+/642262:

SpecialGlobalUsage.php line 178
// @var GlobalUsageQuery $query
foreach ( $query->getSingleImageResult() as $wiki => $result ) {
	// ...
	foreach ( $result as $item ) {
		$out->addHtml( "\t<li>" . self::formatItem( $item ) . "</li>\n" );
	}

$query->getSingleImageResult() returns an array of database fields, including page titles. Then we have

public static function formatItem( $item ) {
	if ( !$item['namespace'] ) {
		$page = $item['title'];
	} else {
		$page = "{$item['namespace']}:{$item['title']}";
	}

	$link = WikiMap::makeForeignLink( $item['wiki'], $page,
		str_replace( '_', ' ', $page ) );
	// Return only the title if no link can be constructed
	return $link === false ? $page : $link;
}

So if the page cannot be found (which I guess is a possibility?), it will echo the DB fields verbatim. In theory, this should be safe thanks to $wgLegalTitleChars, but it's still outputting user-controlled data.

The fix is as simple as escaping $page, so formatItem() will always return an escaped value. I'm creating this task as security-protected just in case, but I guess it can also be made public; leaving this up to the Security Team.

Details

SubjectRepoBranchLines +/-
Pass escaped html to WikiMap::makeForeignLink for sanitymediawiki/extensions/GlobalUsageREL1_31+2 -2
Pass escaped html to WikiMap::makeForeignLink for sanitymediawiki/extensions/GlobalUsageREL1_35+2 -2
Pass escaped html to WikiMap::makeForeignLink for sanitymediawiki/extensions/GlobalUsagemaster+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.Nov 20 2020, 2:51 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2020, 2:51 PM
Daimona added a project: GlobalUsage.Nov 20 2020, 2:51 PM
Daimona added a subscriber: Umherirrender.Nov 20 2020, 4:30 PM
Reedy added a project: Vuln-XSS.Nov 20 2020, 5:39 PM
sbassett triaged this task as Medium priority.Nov 23 2020, 4:09 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.
DannyS712 subscribed.Nov 23 2020, 5:14 PM
Umherirrender claimed this task.EditedDec 7 2020, 4:23 PM

Fixed with https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GlobalUsage/+/646744

Could be public from my point of view

sbassett added a comment.Dec 7 2020, 5:04 PM
In T268341#6673600, @Umherirrender wrote:

Could be public from my point of view

Similar to T268917, let's wait for the train deployments this week and then make this task public.

Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.21; 2020-12-08).Dec 7 2020, 5:21 PM
sbassett mentioned this in T263810: Write and send supplementary release announcement for extensions and skins with security patches (1.31.11/1.35.1).Dec 7 2020, 10:01 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 21 2020, 8:39 PM
sbassett renamed this task from Possible XSS in SpecialGlobalUsage to Possible XSS in SpecialGlobalUsage (CVE-2020-35622).Dec 22 2020, 8:50 PM
gerritbot added a comment.Dec 22 2020, 9:23 PM

Change 651589 had a related patch set uploaded (by SBassett; owner: Umherirrender):
[mediawiki/extensions/GlobalUsage@REL1_35] Pass escaped html to WikiMap::makeForeignLink for sanity

https://gerrit.wikimedia.org/r/651589

gerritbot added a comment.Dec 22 2020, 9:23 PM

Change 651590 had a related patch set uploaded (by SBassett; owner: Umherirrender):
[mediawiki/extensions/GlobalUsage@REL1_31] Pass escaped html to WikiMap::makeForeignLink for sanity

https://gerrit.wikimedia.org/r/651590

gerritbot added a comment.Dec 22 2020, 9:39 PM

Change 651589 merged by jenkins-bot:
[mediawiki/extensions/GlobalUsage@REL1_35] Pass escaped html to WikiMap::makeForeignLink for sanity

https://gerrit.wikimedia.org/r/651589

gerritbot added a comment.Dec 22 2020, 10:50 PM

Change 651590 merged by jenkins-bot:
[mediawiki/extensions/GlobalUsage@REL1_31] Pass escaped html to WikiMap::makeForeignLink for sanity

https://gerrit.wikimedia.org/r/651590

DannyS712 added a comment.Dec 22 2020, 11:51 PM

Can this be resolved?

Reedy closed this task as Resolved.Dec 22 2020, 11:54 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Dec 23 2020, 3:59 PM
Ammarpad mentioned this in T274063: "&" in page names displayed as "&amp;" by GlobalUsage.May 18 2021, 11:18 AM
Ammarpad subscribed.May 18 2021, 11:25 AM

Caused T274063.

So if the page cannot be found

While it's good to be preemptive, there are already checks to ensure the file exists before constructing the links (this includes querying the database).

Daimona added a comment.May 18 2021, 12:00 PM

Checking this again, I'm not sure that the fix is correct. If WikiMap::makeForeignLink returns false, then we should indeed escape $page before returning it. However, it should not be escaped when passed to makeForeignLink, since then it ends up being passed to Linker::makeExternalLink which escapes $text, which explains the double escape.

Zabe subscribed.May 18 2021, 12:00 PM
sbassett added a comment.EditedMay 18 2021, 2:57 PM

@Daimona - so looking at the gerrit change set, we'd just need to remove that first htmlspecialchars in your opinion? Basically change this:

$link = WikiMap::makeForeignLink( $item['wiki'], $page,
str_replace( '_', ' ', htmlspecialchars( $page ) ) );
// Return only the title if no link can be constructed
return $link === false ? htmlspecialchars( $page ) : $link;

to:

$link = WikiMap::makeForeignLink( $item['wiki'], $page,
str_replace( '_', ' ', $page ) );
// Return only the title if no link can be constructed
return $link === false ? htmlspecialchars( $page ) : $link;

Also - if we don't really need that underscore faux-normalization, then we shouldn't need the third arg at all, per the docblock:

@param string|null $text Link's text; optional, default to $page

I'll try to get a patch up soon for review. Never mind, I see there's already a patch up on the other bug: https://gerrit.wikimedia.org/r/692590

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL