Page MenuHomePhabricator
Create Task
Maniphest T308465

Cannot create user "<script>alert(1)" even if adding < and > to $wgLegalTitleChars
Closed, ResolvedPublic
Actions

Description

I want to do evil things on my local, and I'd like to create an account with an XSS attempt in its name: <script>alert(1). By default this is not possible, because < and > are invalid in titles [1]. So I added them to $wgLegalTitleChars and tried again, but I'm getting the following uncaught error:

UnexpectedValueException: ID for "<script>alert(1)" was 0, expected 84

from AuthManager::beginAuthentication().

This does not happen if I e.g. remove the ">". This should be fixed, by either forbidding < and > in usernames if they cause issues (and thus showing an adequate error message), or by making them work correctly.

[1] - As a side note, mw.org says that these characters "cause problems with HTML escaping". You kiddin'? Those "problems" (a.k.a. insufficient escaping and vulnerable code) shouldn't exist in the first place, regardless of allowed characters in titles.

Details

SubjectRepoBranchLines +/-
user: Add > to $wgInvalidUsernameCharacters, used by ExternalUserNamesmediawiki/coremaster+5 -3
Customize query in gerrit

Related Objects

Event Timeline

Daimona created this task.May 16 2022, 5:38 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 16 2022, 5:38 PM
Daimona added a comment.May 16 2022, 5:44 PM

Oh, I see, > is reserved for external user names. Thus, as per the task description, the solution should be to forbid > in usernames and show an adequate error message.

Daimona mentioned this in T308471: CVE-2022-34911: Username is not escaped in the "welcomeuser" message.May 16 2022, 5:50 PM
Daimona mentioned this in T308473: CVE-2022-34912: Username not escaped in the contributions-title message.May 16 2022, 5:53 PM
Umherirrender added a project: MediaWiki-User-management.May 16 2022, 6:38 PM
Umherirrender claimed this task.May 23 2022, 8:10 PM
Umherirrender triaged this task as Low priority.
gerritbot added a comment.May 23 2022, 8:11 PM

Change 797478 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/core@master] user: Add > to $wgInvalidUsernameCharacters, used by ExternalUserNames

https://gerrit.wikimedia.org/r/797478

gerritbot added a project: Patch-For-Review.May 23 2022, 8:11 PM
gerritbot added a comment.May 23 2022, 8:51 PM

Change 797478 merged by jenkins-bot:

[mediawiki/core@master] user: Add > to $wgInvalidUsernameCharacters, used by ExternalUserNames

https://gerrit.wikimedia.org/r/797478

Umherirrender closed this task as Resolved.May 23 2022, 8:59 PM
Umherirrender removed a project: Patch-For-Review.
ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.13; 2022-05-23).May 23 2022, 9:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits