CVE-2020-35478 - Potential XSS via MediaWiki:blanknamespace outputting Block Logs
CVE-2020-35479 - Potential XSS via the "month messages" such as MediaWiki:january through MediaWiki:december outputting Block Logs
While working on T216348, I have found issues with the BlockLogFormatter.
The first issue is about the message blanknamespace. It is used with Message::text():
```php
$namespaces = $params[6]['namespaces'] ?? [];
$namespaces = array_map( function ( $ns ) {
	// Message::text() returns the message unescaped
	$text = (int)$ns === NS_MAIN
		? $this->msg( 'blanknamespace' )->text()
		: $this->context->getLanguage()->getFormattedNsText( $ns );
	$params = [ 'namespace' => $ns ];
	// third parameter of makePageLink is HTML, so $text is emitted raw
	return $this->makePageLink( SpecialPage::getTitleFor( 'Allpages' ), $params, $text );
}, $namespaces );
```
But LogFormatter::makePageLink is documented to take HTML as its third parameter, even in the plaintext mode of LogFormatter.
Through that message it is possible to output raw HTML, including script tags.
The second issue is with Language::translateBlockExpiry. Its return value is included as a raw parameter in the output without escaping:
```php
// U+200E LEFT-TO-RIGHT MARK followed by the escaped raw duration
$durationTooltip = '‎' . htmlspecialchars( $params[4] );
// translateBlockExpiry returns text, not HTML
$blockExpiry = $this->context->getLanguage()->translateBlockExpiry(
	$params[4],
	$this->context->getUser(),
	wfTimestamp( TS_UNIX, $this->entry->getTimestamp() )
);
if ( $this->plaintext ) {
	$params[4] = Message::rawParam( $blockExpiry );
} else {
	// $blockExpiry is concatenated into markup and marked raw without escaping
	$params[4] = Message::rawParam(
		"<span class=\"blockExpiry\" title=\"$durationTooltip\">" . $blockExpiry . '</span>'
	);
}
```
Language::translateBlockExpiry itself does not escape on all code paths, for example the return value of Language::userTimeAndDate, which is always unsafe for HTML.
Through the month messages it is possible to output raw HTML, including script tags.
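To make both issues concrete, here is an added stand-alone PHP illustration; it is not code from this report or from MediaWiki. The functions `msgText`, `msgEscaped`, `makePageLink` and `translateBlockExpiry` are simplified stand-ins named after the MediaWiki methods they model (a text accessor versus an escaping one, a link builder whose label parameter is HTML, and an expiry formatter that builds plain text from the month messages), and the message contents in `MESSAGES` are constructed for the demonstration. The point it shows is the same for both sinks: text from an editable message reaches a parameter typed as HTML, and escaping at that boundary (`Message::escaped()` in MediaWiki, `htmlspecialchars()` here) is what removes the markup.

```php
<?php
// Added example (not MediaWiki code): models the two unescaped HTML sinks from
// the report with plain PHP so it runs stand-alone.

/** Constructed stand-in for on-wiki interface messages an admin can edit. */
const MESSAGES = [
    'blanknamespace' => '(Main) <b>note</b>',   // markup placed in the message
    'january'        => 'Jan<u>uary</u>',       // markup placed in a month message
    'february'       => 'February', 'march' => 'March', 'april' => 'April',
    'may' => 'May', 'june' => 'June', 'july' => 'July', 'august' => 'August',
    'september' => 'September', 'october' => 'October',
    'november' => 'November', 'december' => 'December',
];

/** Models Message::text(): the message as stored, NOT HTML-safe. */
function msgText(string $key): string {
    return MESSAGES[$key];
}

/** Models Message::escaped(): the same message, safe for an HTML sink. */
function msgEscaped(string $key): string {
    return htmlspecialchars(MESSAGES[$key], ENT_QUOTES);
}

/**
 * Models LogFormatter::makePageLink: the label parameter is HTML, so whatever
 * the caller passes is emitted verbatim inside the anchor. The caller must
 * escape plain text before handing it over.
 */
function makePageLink(string $target, string $html): string {
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES) . '">' . $html . '</a>';
}

/**
 * Models Language::translateBlockExpiry for a fixed-date expiry in TS_MW form
 * (YYYYMMDDHHMMSS): formats the date with the localized month message and,
 * like Language::userTimeAndDate, returns plain text, not HTML.
 */
function translateBlockExpiry(string $expiry): string {
    if ($expiry === 'infinite') {
        return 'infinite';
    }
    $months = ['january', 'february', 'march', 'april', 'may', 'june', 'july',
               'august', 'september', 'october', 'november', 'december'];
    $year  = substr($expiry, 0, 4);
    $month = (int) substr($expiry, 4, 2);
    $day   = (int) substr($expiry, 6, 2);
    $time  = substr($expiry, 8, 2) . ':' . substr($expiry, 10, 2);
    return "$time, $day " . msgText($months[$month - 1]) . " $year";
}

/** Issue 1, vulnerable: text() output passed to an HTML-typed parameter. */
function namespaceLinkVulnerable(): string {
    return makePageLink('Special:AllPages', msgText('blanknamespace'));
}

/** Issue 1, fixed: escape the message before it reaches the HTML parameter. */
function namespaceLinkFixed(): string {
    return makePageLink('Special:AllPages', msgEscaped('blanknamespace'));
}

/** Issue 2, vulnerable: expiry text concatenated into markup and used raw. */
function expirySpanVulnerable(string $expiry): string {
    $tooltip = htmlspecialchars($expiry, ENT_QUOTES);
    return '<span class="blockExpiry" title="' . $tooltip . '">'
        . translateBlockExpiry($expiry) . '</span>';
}

/** Issue 2, fixed: the plain-text expiry is escaped before being wrapped. */
function expirySpanFixed(string $expiry): string {
    $tooltip = htmlspecialchars($expiry, ENT_QUOTES);
    return '<span class="blockExpiry" title="' . $tooltip . '">'
        . htmlspecialchars(translateBlockExpiry($expiry), ENT_QUOTES) . '</span>';
}

/**
 * Check used below: a safe result contains exactly two '<' characters, the
 * opening and closing tag of the wrapper element the formatter itself wrote.
 * Any further '<' came from the message content.
 */
function onlyWrapperTags(string $html): bool {
    return substr_count($html, '<') === 2;
}

$expiry = '20210115000000';
foreach ([
    'namespace link, vulnerable' => namespaceLinkVulnerable(),
    'namespace link, fixed'      => namespaceLinkFixed(),
    'expiry span, vulnerable'    => expirySpanVulnerable($expiry),
    'expiry span, fixed'         => expirySpanFixed($expiry),
] as $label => $html) {
    printf("%-28s %s  %s\n", $label, onlyWrapperTags($html) ? 'safe  ' : 'UNSAFE', $html);
}
```

Running the script prints the two vulnerable outputs with the message markup intact inside the anchor and span, and the two fixed outputs with `&lt;b&gt;` and `&lt;u&gt;` entities instead. The escaping belongs in the non-plaintext branch only: in plaintext mode the formatter does not produce HTML, so entity-escaping there would corrupt the text rather than protect it.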
Taint-check found other places to check, but those look like false positives to me:
```
13:49:09 includes/logging/BlockLogFormatter.php:98 SecurityCheck-XSS Calling method \Message::rawParams() in \BlockLogFormatter::getMessageParameters that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/BlockLogFormatter.php +82) (Param is raw)
13:49:09 includes/logging/BlockLogFormatter.php:104 SecurityCheck-XSS Calling method \Message::rawParams() in \BlockLogFormatter::getMessageParameters that outputs using tainted argument $[arg #1]. (Caused by: Builtin-\Message::rawParams) (Caused by: includes/logging/BlockLogFormatter.php +87) (Param is raw)
```
LogFormatter has a plaintext mode and a normal mode, and that confused taint-check.