Page MenuHomePhabricator
Create Task
Maniphest T331311

CVE-2023-37256: Cargo allows storing javascript URLs in URL fields, and automatically linking them
Closed, ResolvedPublicSecurity
Actions

Description

You can declare a cargo table with a field of type URL. You can then store urls like javascript:alert(1) in them. These urls can be malicious and a user could be tricked into clicking on them. Cargo should probably not allow storing javascript: scheme urls

Note: Its notoriously difficult to blacklist javascript: protocol urls, because browsers accept lots of variants. MediaWiki usually solves this problem by whitelisting good url protocols, although i don't know if cargo considers it acceptable to only allow a small set of good urls. Maybe cargo should allow everything, but only automatically link things that meet wfUrlProtocols();

Details

Author Affiliation
Other (Please specify in description)

Related Objects

Event Timeline

Bawolff created this task.Mar 6 2023, 4:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 6 2023, 4:52 PM
Bawolff added a project: MediaWiki-extensions-Cargo.Mar 6 2023, 4:52 PM
Bawolff added a subscriber: Yaron_Koren.
Bawolff mentioned this in T331065: CVE-2023-37254: Extension:Cargo XSS in Special:CargoQuery using default format.Mar 6 2023, 5:24 PM
Bawolff changed Author Affiliation from N/A to Other (Please specify in description).Mar 6 2023, 5:54 PM
Yaron_Koren added a comment.Mar 6 2023, 10:03 PM

@Bawolff - thanks for finding that! I believe this is fixed in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Cargo/+/894679

Bawolff added a comment.Mar 7 2023, 2:00 AM

I think you'd need to escape $value if $escapeValue is true.

Otherwise looks good.

Grunny added a subscriber: TK-999.Mar 7 2023, 9:34 PM
Yaron_Koren closed this task as Resolved.Mar 7 2023, 11:39 PM
Yaron_Koren claimed this task.

Good point - I added that here:

https://phabricator.wikimedia.org/rECRG86914225af228f48b52df69b478cc1e6f3cb5b9a

...so I think this task can be closed.

Bawolff added a comment.Apr 5 2023, 11:36 AM

[marking as public since resolved]

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 5 2023, 11:36 AM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 5 2023, 2:35 PM
mmartorana renamed this task from Cargo allows storing javascript URLs in URL fields, and automatically linking them to CVE-2023-37256: Cargo allows storing javascript URLs in URL fields, and automatically linking them.Jun 30 2023, 5:56 PM
Mstyles moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 30 2023, 5:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL