Page MenuHomePhabricator
Create Task
Maniphest T268894

Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474)
Closed, ResolvedPublicSecurity
Actions

Description

While working on T216348 I have found an issue with message recentchanges-legend-watchlistexpiry

Added with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/596540/21/includes/specialpage/ChangesListSpecialPage.php

			$legend .= Html::rawElement(
				'dd',
				[ 'class' => 'mw-changeslist-legend-watchlistexpiry', 'id' => $watchlistLabelId ],
				$context->msg( 'recentchanges-legend-watchlistexpiry' )->text()
			);

The combination of Html::rawElement and Message::text leads to XSS leaks

The message was added with 1.35 and is behind a feature flag ($wgWatchlistExpiry)

Should use Html::element or Message::parse/Message::escaped, not sure.

Details

SubjectRepoBranchLines +/-
Use Html::element in ChangeListSpecialPage for sanitymediawiki/coreREL1_35+1 -1
Use Html::element in ChangeListSpecialPage for sanitymediawiki/coreREL1_31+26 -0
Use Html::element in ChangeListSpecialPage for sanitymediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Umherirrender created this task.Nov 27 2020, 7:03 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 27 2020, 7:03 PM
Daimona added a project: Vuln-XSS.Nov 27 2020, 10:56 PM
Aklapper added a project: Expiring-Watchlist-Items.Nov 28 2020, 2:56 PM
Restricted Application added a project: Community-Tech. · View Herald TranscriptNov 28 2020, 2:56 PM
sbassett triaged this task as High priority.Nov 30 2020, 4:23 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.EditedNov 30 2020, 4:52 PM

Should use Html::element or Message::parse/Message::escaped, not sure.

->escaped() is probably the easier fix. Also, IMO this should be low-risk enough (given the current messages) that it could be done publicly through gerrit with a benign commit message signaling that it's code-hardening.

sbassett mentioned this in T268917: Messages userrights-expiry-current and userrights-expiry-none can contain raw html (CVE-2020-35475).Nov 30 2020, 4:55 PM
Umherirrender claimed this task.Dec 7 2020, 4:51 PM

Fixed with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646676

Could be public from my point of view

sbassett added a comment.Dec 7 2020, 4:58 PM
In T268894#6673740, @Umherirrender wrote:

Could be public from my point of view

Similar to T268917, let's wait for the train deployments this week and then make this task public.

sbassett added a parent task: T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 7 2020, 5:07 PM
Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.21; 2020-12-08).Dec 7 2020, 5:21 PM
Reedy added a subscriber: gerritbot.Dec 15 2020, 1:10 PM
gerritbot added a comment.Dec 15 2020, 1:22 PM

Change 649517 merged by jenkins-bot:
[mediawiki/core@REL1_35] Use Html::element in ChangeListSpecialPage for sanity

https://gerrit.wikimedia.org/r/649517

Reedy closed this task as Resolved.Dec 15 2020, 1:23 PM
Reedy subscribed.

Closing for ease of tracking. Can/will be made public later

Reedy mentioned this in T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 15 2020, 1:24 PM
Reedy mentioned this in T263809: Obtain CVEs for 1.31.11/1.35.1 security releases.Dec 15 2020, 2:03 PM
Jdforrester-WMF added projects: MW-1.31-release-notes, MW-1.35-notes.Dec 15 2020, 4:36 PM
Reedy renamed this task from Message recentchanges-legend-watchlistexpiry can contain raw html to Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474).Dec 16 2020, 12:35 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2020, 12:24 AM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits