Page MenuHomePhabricator
Create Task
Maniphest T323104

Fix taint-check annotations for Message::rawParam
Closed, ResolvedPublic
Actions

Description

The method docblock has:

* @param-taint $raw html,raw_param

This should be updated to remove raw_param (removed in the last version of taint-check, doesn't do much in previous versions) and it should also have exec_html.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
phan: Suppress unlikely XSS warning from phan in LogFormattermediawiki/extensions/Renameusermaster+2 -0
phan: Suppress SecurityCheckMulti for AbstractRevision::setContentRawmediawiki/extensions/Flowmaster+1 -1
phan: Suppress unlikely XSS warning from phan in LogFormattermediawiki/extensions/GrowthExperimentsmaster+3 -0
phan: Suppress unlikely XSS warning from phan in LogFormattermediawiki/extensions/CentralAuthmaster+11 -7
Fix message escaping in LogFormattermediawiki/extensions/LegalLoginmaster+3 -3
Message::rawParam: Add novel 'exec_html' annotationmediawiki/coremaster+6 -1
Message::rawParam: Remove unused 'raw_param' annotationmediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Daimona created this task.Nov 15 2022, 11:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 15 2022, 11:25 AM
gerritbot added a comment.Nov 15 2022, 5:09 PM

Change 856505 had a related patch set uploaded (by SBassett; author: SBassett):

[mediawiki/core@master] Remove unused raw_param annotation, add exec_html annotaiton

https://gerrit.wikimedia.org/r/856505

gerritbot added a project: Patch-For-Review.Nov 15 2022, 5:09 PM
gerritbot added a comment.Nov 17 2022, 6:57 PM

Change 858399 had a related patch set uploaded (by Jforrester; author: SBassett):

[mediawiki/core@master] Message::rawParam: Remove unused 'raw_param' annotation

https://gerrit.wikimedia.org/r/858399

gerritbot added a comment.Nov 17 2022, 7:48 PM

Change 858399 merged by jenkins-bot:

[mediawiki/core@master] Message::rawParam: Remove unused 'raw_param' annotation

https://gerrit.wikimedia.org/r/858399

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.12; 2022-11-28).Nov 17 2022, 8:00 PM
gerritbot added a comment.Jan 4 2023, 8:13 PM

Change 856505 merged by jenkins-bot:

[mediawiki/core@master] Message::rawParam: Add novel 'exec_html' annotation

https://gerrit.wikimedia.org/r/856505

Maintenance_bot removed a project: Patch-For-Review.Jan 4 2023, 8:30 PM
ReleaseTaggerBot edited projects, added MW-1.40-notes (1.40.0-wmf.18; 2023-01-09); removed MW-1.40-notes (1.40.0-wmf.12; 2022-11-28).Jan 4 2023, 9:00 PM
gerritbot added a comment.Jan 6 2023, 3:37 PM

Change 876209 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/CentralAuth@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876209

gerritbot added a project: Patch-For-Review.Jan 6 2023, 3:37 PM
gerritbot added a comment.Jan 6 2023, 3:40 PM

Change 876210 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/Renameuser@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876210

gerritbot added a comment.Jan 6 2023, 3:42 PM

Change 876211 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/LegalLogin@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876211

gerritbot added a comment.Jan 6 2023, 3:46 PM

Change 876213 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/GrowthExperiments@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876213

gerritbot added a comment.Jan 6 2023, 4:06 PM

Change 876218 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/Flow@master] phan: Suppress SecurityCheckMulti for AbstractRevision::setContentRaw

https://gerrit.wikimedia.org/r/876218

gerritbot added a comment.Jan 7 2023, 9:19 AM

Change 876211 abandoned by Umherirrender:

[mediawiki/extensions/LegalLogin@master] Fix message escaping in LogFormatter

Reason:

Done with I49cc78cd06f4b84a7a55e43e3c731455c57b687e

https://gerrit.wikimedia.org/r/876211

gerritbot added a comment.Jan 8 2023, 10:43 PM

Change 876209 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876209

kostajh added a subtask: T326549: SecurityCheck-XSS Calling method \GrowthExperiments\Mentorship\MentorChangeLogFormatter::formatParameterValue() in \GrowthExperiments\Mentorship\MentorChangeLogFormatter::extractParameters that outputs using tainted argument #2.Jan 9 2023, 12:14 PM
gerritbot added a comment.Jan 9 2023, 12:37 PM

Change 876213 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876213

kostajh closed subtask T326549: SecurityCheck-XSS Calling method \GrowthExperiments\Mentorship\MentorChangeLogFormatter::formatParameterValue() in \GrowthExperiments\Mentorship\MentorChangeLogFormatter::extractParameters that outputs using tainted argument #2 as Resolved.Jan 9 2023, 12:38 PM
gerritbot added a comment.Jan 11 2023, 11:43 AM

Change 876218 merged by jenkins-bot:

[mediawiki/extensions/Flow@master] phan: Suppress SecurityCheckMulti for AbstractRevision::setContentRaw

https://gerrit.wikimedia.org/r/876218

ReleaseTaggerBot edited projects, added MW-1.40-notes (1.40.0-wmf.19; 2023-01-16); removed MW-1.40-notes (1.40.0-wmf.18; 2023-01-09).Jan 11 2023, 12:00 PM
Daimona closed this task as Resolved.Jan 21 2023, 10:45 PM
Daimona removed a project: Patch-For-Review.

I'm assuming this is done, thanks all!

gerritbot added a comment.Jan 21 2023, 10:46 PM

Change 876210 merged by jenkins-bot:

[mediawiki/extensions/Renameuser@master] phan: Suppress unlikely XSS warning from phan in LogFormatter

https://gerrit.wikimedia.org/r/876210

ReleaseTaggerBot edited projects, added MW-1.40-notes (1.40.0-wmf.20; 2023-01-23); removed MW-1.40-notes (1.40.0-wmf.19; 2023-01-16).Jan 21 2023, 11:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits