BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479)
Closed, ResolvedPublicSecurity
Actions

Description

CVE-2020-35478 - Potential XSS via MediaWiki:blanknamespace outputting Block Logs
CVE-2020-35479 - Potential XSS via the "month messages" such as MediaWiki:january through MediaWiki:december outputting Block Logs

While working on T216348 I have found issues with the BlockLogFormatter

First issue is about the message blanknamespace. it is used with Message::text

				$namespaces = $params[6]['namespaces'] ?? [];
				$namespaces = array_map( function ( $ns ) {
					$text = (int)$ns === NS_MAIN
						? $this->msg( 'blanknamespace' )->text()
						: $this->context->getLanguage()->getFormattedNsText( $ns );
					$params = [ 'namespace' => $ns ];

					return $this->makePageLink( SpecialPage::getTitleFor( 'Allpages' ), $params, $text );
				}, $namespaces );

But LogFormatter::makePageLink is documented to get html as third parameter. even in plaintext mode from LogFormatter.

Through that message it is possible to output raw html including script tags.

The second issue is with Language::translateBlockExpiry. The return value is included as raw param in the output without escaping.

			$durationTooltip = '&lrm;' . htmlspecialchars( $params[4] );
			$blockExpiry = $this->context->getLanguage()->translateBlockExpiry(
				$params[4],
				$this->context->getUser(),
				wfTimestamp( TS_UNIX, $this->entry->getTimestamp() )
			);
			if ( $this->plaintext ) {
				$params[4] = Message::rawParam( $blockExpiry );
			} else {
				$params[4] = Message::rawParam(
					"<span class=\"blockExpiry\" title=\"$durationTooltip\">" .
					$blockExpiry .
					'</span>'
				);
			}

Language::translateBlockExpiry itself does not escape all code path, for example the return of Language::userTimeAndDate, which is always unsafe for html.
Through the month messages it is possible to output raw html including script tags.

Taint-check found other places to check, but that looks like false positives to me:

13:49:09 includes/logging/BlockLogFormatter.php:98 SecurityCheck-XSS Calling method \Message::rawParams() in \BlockLogFormatter::getMessageParameters that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/BlockLogFormatter.php +82) (Param is raw)
13:49:09 includes/logging/BlockLogFormatter.php:104 SecurityCheck-XSS Calling method \Message::rawParams() in \BlockLogFormatter::getMessageParameters that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/BlockLogFormatter.php +87) (Param is raw)

LogFormatter has a plaintext mode and a normal mode and that confused taint-check

Details

Subject	Repo	Branch	Lines +/-
Fixed mixed escaping in Language::translateBlockExpiry	mediawiki/core	REL1_31	+9 -8
Fixed mixed escaping in Language::translateBlockExpiry	mediawiki/core	REL1_35	+4 -4
Pass escaped html to LogFormatter::makePageLink for sanity	mediawiki/core	REL1_35	+2 -2
Pass escaped html to LogFormatter::makePageLink for sanity	mediawiki/core	REL1_31	+36 -0
Fixed mixed escaping in Language::translateBlockExpiry	mediawiki/core	master	+4 -4
Pass escaped html to LogFormatter::makePageLink for sanity	mediawiki/core	master	+2 -2

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T263802 Release MediaWiki 1.31.11/1.35.1
Resolved		Reedy	T263803 Tracking bug for MediaWiki 1.31.11/1.35.1
Resolved	Security	Umherirrender	T268938 BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479)

Event Timeline

Umherirrender created this task.Nov 29 2020, 11:17 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 29 2020, 11:17 AM

Reedy added projects: MediaWiki-Blocks, MediaWiki-Logevents.Nov 29 2020, 4:59 PM

Reedy updated the task description. (Show Details)

Reedy triaged this task as High priority.Nov 30 2020, 4:24 PM

Reedy moved this task from Incoming to Watching on the Security-Team board.

Tchanders added a project: Anti-Harassment (The Letter Song).Dec 7 2020, 2:46 PM

Tchanders added subscribers: dmaza, STran, • Niharika.

Tchanders moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment (The Letter Song) board.Dec 7 2020, 4:13 PM

First part fixed with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646684

Second part fixed with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646689

Could be public after the next train

Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.21; 2020-12-08).Dec 7 2020, 5:21 PM

sbassett added a parent task: T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 7 2020, 5:24 PM

We'll keep an eye on this, but looks like there's nothing for Anti-Harassment to do, thanks to @Umherirrender, @DannyS712 and @Jdforrester-WMF sorting it quickly!

Reedy mentioned this in T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 15 2020, 1:28 PM

Reedy added a subscriber: gerritbot.

Change 649521 had a related patch set uploaded (by Reedy; owner: Umherirrender):
[mediawiki/core@REL1_35] Pass escaped html to LogFormatter::makePageLink for sanity

https://gerrit.wikimedia.org/r/649521

Change 649522 had a related patch set uploaded (by Reedy; owner: Umherirrender):
[mediawiki/core@REL1_31] Pass escaped html to LogFormatter::makePageLink for sanity

https://gerrit.wikimedia.org/r/649522

Change 649522 abandoned by Reedy:
[mediawiki/core@REL1_31] Pass escaped html to LogFormatter::makePageLink for sanity

Reason:

https://gerrit.wikimedia.org/r/649522

Change 649523 had a related patch set uploaded (by Reedy; owner: Umherirrender):
[mediawiki/core@REL1_35] Fixed mixed escaping in Language::translateBlockExpiry

https://gerrit.wikimedia.org/r/649523

Change 649524 had a related patch set uploaded (by Reedy; owner: Umherirrender):
[mediawiki/core@REL1_31] Fixed mixed escaping in Language::translateBlockExpiry

https://gerrit.wikimedia.org/r/649524

Change 649524 abandoned by Reedy:
[mediawiki/core@REL1_31] Fixed mixed escaping in Language::translateBlockExpiry

Reason:

https://gerrit.wikimedia.org/r/649524

Looks like the first patch (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646684) isn't relevant for REL1_31, or code has been moved around/refactored (ie it needs patching elsewhere)...

And for https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646689, at least for BlockLogFormatter.php, again, the same? What about the two trim() calls in Language? They seem a bit superfluous by themselves

At least some of the touched code is from 1.33.0+ in rMW31ba7a3e5c6f: Fix malformed output of block logs... And then various supporting changes from before that

Thoughts?

Change 649521 merged by jenkins-bot:
[mediawiki/core@REL1_35] Pass escaped html to LogFormatter::makePageLink for sanity

https://gerrit.wikimedia.org/r/649521

Change 649523 merged by jenkins-bot:
[mediawiki/core@REL1_35] Fixed mixed escaping in Language::translateBlockExpiry

https://gerrit.wikimedia.org/r/649523

Reedy mentioned this in T263809: Obtain CVEs for 1.31.11/1.35.1 security releases.Dec 15 2020, 2:03 PM

Reedy removed a project: Patch-For-Review.Dec 15 2020, 4:18 PM

Jdforrester-WMF added projects: MW-1.35-notes, MW-1.31-release-notes.Dec 15 2020, 4:35 PM

Change 649524 restored by Reedy:
[mediawiki/core@REL1_31] Fixed mixed escaping in Language::translateBlockExpiry

https://gerrit.wikimedia.org/r/649524

In T268938#6691979, @Reedy wrote:

Looks like the first patch (https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646684) isn't relevant for REL1_31, or code has been moved around/refactored (ie it needs patching elsewhere)...

And for https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646689, at least for BlockLogFormatter.php, again, the same? What about the two trim() calls in Language? They seem a bit superfluous by themselves

At least some of the touched code is from 1.33.0+ in rMW31ba7a3e5c6f: Fix malformed output of block logs... And then various supporting changes from before that

Thoughts?

Ok. So the first patch, ala https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646684 was not added till 1.33 in rMW85c91cfbf09d: Add namespace restrictions to block's log messages for T204985: Update block logs with namespace block details. I'm declaring that as not applicable for 1.31.

https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646689 goes ontop of rMW31ba7a3e5c6f: Fix malformed output of block logs for T208523: Blocks log entries display as malformed on Special:CheckUser, also last changed in 1.33. But that only added "plaintext" support. The code being fixed is still there though

Will bring it in, with the refactoring to move the translateBlockExpiry call also into a variable to keep the code similar. Not doing a full backport of that patch (rMW31ba7a3e5c6f: Fix malformed output of block logs), as I don't think it's particularly warranted

Need to get a CVE for this one

Change 649524 merged by jenkins-bot:
[mediawiki/core@REL1_31] Fixed mixed escaping in Language::translateBlockExpiry

https://gerrit.wikimedia.org/r/649524

This needed two different CVE, because two different CVEs.

Might need to do some upstream tweaking post release.

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2020, 12:24 AM

Reedy changed the edit policy from "Custom Policy" to "All Users".

sbassett added a project: Vuln-XSS.Mar 16 2021, 9:30 PM

Zabe merged a task: T250612: Language::translateBlockExpiry escapes HTML inconsistently.Jun 24 2021, 11:57 AM

Zabe added a subscriber: Daimona.

sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Jun 24 2021, 6:11 PM

BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479)Closed, ResolvedPublicSecurityActions

Description

Details

Related ObjectsSearch...

Event Timeline

BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479)
Closed, ResolvedPublicSecurity
Actions

Related Objects
Search...