XSS in MediaWiki API (through invalid property name)
Closed, ResolvedPublic

Details

Reference
bz28534
bzimport set Reference to bz28534.
bzimport created this task.Apr 14 2011, 9:51 AM

Please tell me this is the last one.

This has been fixed in 1.16.4, I think. Tim, could you close it, if so?

No, it's not fixed.

One possibility is

/\.[^\\/:\*\?\"<>|]+(#|\?|$)/i

This was suggested by Reedy based on the characters that are not allowed in Windows paths. I'm wondering if it's a good idea to allow the percent symbol:

/\.[^\\/:\*\?\"<>|%]+(#|\?|$)/i

This would make it less likely that innocuous plain text at the end of a query string would be disallowed, in URLs such as:

http://www.mediawiki.org/w/api.php?action=parse&text=Sentence%20one.%20Sentence%20two

In theory, file extensions can contain percent symbols, but in practice this doesn't seem to be done.

(In reply to comment #4)

In theory, file extensions can contain percent symbols, but in practice this
doesn't seem to be done.

Allowing it sounds safe enough. The percent sign being a very obscure character in extensions makes it very unlikely it would be associated with a dangerous MIME type.

marking fixed 1.16.5 was pushed the other day.

brion added a comment.Jun 7 2011, 6:13 PM

Fixes are in r85844 and following; there are still serious outstanding bugs in 1.16.x & 1.17 beta releases caused by the fix series.

Latest updates on r89397 and r89558 may help reduce the false positives, but probably needs a quick test survey to confirm that things are ok.

It looks like Tim has been doing most of the work on this to fix the problem, updating the assignee to reflect that. Looks like the this is actually fixed, too, since the fixes mentioned Comment #7 have been merged.

I'm sure you know how to reopen this if I'm wrong ;)

csteipp added a subscriber: csteipp.

Add Comment