Page MenuHomePhabricator

Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474)
Closed, ResolvedPublicSecurity

Description

While working on T216348 I have found an issue with message recentchanges-legend-watchlistexpiry

Added with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/596540/21/includes/specialpage/ChangesListSpecialPage.php

			$legend .= Html::rawElement(
				'dd',
				[ 'class' => 'mw-changeslist-legend-watchlistexpiry', 'id' => $watchlistLabelId ],
				$context->msg( 'recentchanges-legend-watchlistexpiry' )->text()
			);

The combination of Html::rawElement and Message::text leads to XSS leaks

The message was added with 1.35 and is behind a feature flag ($wgWatchlistExpiry)

Should use Html::element or Message::parse/Message::escaped, not sure.

Event Timeline

sbassett moved this task from Incoming to Watching on the Security-Team board.

Should use Html::element or Message::parse/Message::escaped, not sure.

->escaped() is probably the easier fix. Also, IMO this should be low-risk enough (given the current messages) that it could be done publicly through gerrit with a benign commit message signaling that it's code-hardening.

Could be public from my point of view

Similar to T268917, let's wait for the train deployments this week and then make this task public.

Change 649517 merged by jenkins-bot:
[mediawiki/core@REL1_35] Use Html::element in ChangeListSpecialPage for sanity

https://gerrit.wikimedia.org/r/649517

Reedy added a subscriber: Reedy.

Closing for ease of tracking. Can/will be made public later

Reedy renamed this task from Message recentchanges-legend-watchlistexpiry can contain raw html to Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474).Dec 16 2020, 12:35 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2020, 12:24 AM
Reedy changed the edit policy from "Custom Policy" to "All Users".