Description
The contributions-title, used on Special:Contributions, is used as page title without escaping. Hence, if a username contains HTML entities (not possible by default, T308465), it won't be escaped.
Details
- Risk Rating: Low
- Author Affiliation: WMF Product
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Reedy | T305199 Release MediaWiki 1.35.7/1.37.3/1.38.2
Resolved | | Reedy | T305200 Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2
Open | | None | T2212 Some MediaWiki: messages not safe in HTML (tracking)
Resolved | Security | sbassett | T308473 CVE-2022-34912: Username not escaped in the contributions-title message
Event Timeline
@Daimona will you be able to create a patch to escape the HTML? For guidance, please check out steps 2, 3, and 4 in the MediaWiki documentation.
Untested patch that should fix this issue, unless it garbles usernames in some way. But it shouldn't. This is likely low risk enough to just go through gerrit, as similar patches have before (T2212).
Change 807225 had a related patch set uploaded (by SBassett; author: SBassett):
[mediawiki/core@master] SECURITY: Escape contributions-title msg for use within page title
Change 807225 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Escape contributions-title msg for use within page title
Change 807164 had a related patch set uploaded (by SBassett; author: SBassett):
[mediawiki/core@REL1_38] SECURITY: Escape contributions-title msg for use within page title
Change 807165 had a related patch set uploaded (by SBassett; author: SBassett):
[mediawiki/core@REL1_37] SECURITY: Escape contributions-title msg for use within page title
Change 807165 merged by jenkins-bot:
[mediawiki/core@REL1_37] SECURITY: Escape contributions-title msg for use within page title
Change 807164 merged by jenkins-bot:
[mediawiki/core@REL1_38] SECURITY: Escape contributions-title msg for use within page title
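Added example, not part of the task or of MediaWiki's code: a simplified PHP model of the issue in the description and of the concern raised with the patch that escaping might garble usernames. The message text, function names and usernames are constructed for illustration; `rendered()` models a browser decoding character references once inside `<title>`.

```php
<?php
// Simplified model, not MediaWiki code. All names below are hypothetical.

// Constructed stand-in for the contributions-title message text.
const CONTRIBUTIONS_TITLE = 'User contributions for $1';

// Substitute the username into the message with no escaping (the reported behaviour).
function titlePlain(string $username): string {
    return strtr(CONTRIBUTIONS_TITLE, ['$1' => $username]);
}

// Substitute, then HTML-escape the whole message once, at the point of output.
function titleEscaped(string $username): string {
    return htmlspecialchars(titlePlain($username), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What a browser displays for text placed inside <title>: entities decoded once.
function rendered(string $titleHtml): string {
    return html_entity_decode($titleHtml, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed usernames: one ordinary, two containing HTML entities.
$usernames = ['Example', 'Tom &amp; Jerry', '&lt;b&gt;'];

foreach ($usernames as $name) {
    $expected = titlePlain($name); // the literal text a reader should see
    $variants = ['plain' => titlePlain($name), 'escaped' => titleEscaped($name)];
    foreach ($variants as $mode => $html) {
        // A mismatch means the displayed title no longer shows the real username.
        $ok = rendered($html) === $expected ? 'matches username' : 'ALTERED';
        printf("%-8s %-45s -> %s\n", $mode, $html, $ok);
    }
}
```

Escaping once at output keeps every username intact after the browser decodes it, while the unescaped variant displays a different string for any username that contains entities.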