Found with r902363 which annotates some methods as unsafe. There are some genuine vulnerabilities in BlockLogFormatter, specifically in the code for partial blocks:
```php
$actions = $params[6]['actions'] ?? [];
$actions = array_map( function ( $actions ) {
	return $this->msg( 'ipb-action-' . $actions )->text();
}, $actions );

$restrictions = [];
if ( $pages ) {
	$restrictions[] = $this->msg( 'logentry-partialblock-block-page' )
		->numParams( count( $pages ) )
		->rawParams( $this->context->getLanguage()->listToText( $pages ) )->text();
}
if ( $namespaces ) {
	$restrictions[] = $this->msg( 'logentry-partialblock-block-ns' )
		->numParams( count( $namespaces ) )
		->rawParams( $this->context->getLanguage()->listToText( $namespaces ) )->text();
}
$enablePartialActionBlocks = $this->context->getConfig()
	->get( MainConfigNames::EnablePartialActionBlocks );
if ( $actions && $enablePartialActionBlocks ) {
	$restrictions[] = $this->msg( 'logentry-partialblock-block-action' )
		->numParams( count( $actions ) )
		->rawParams( $this->context->getLanguage()->listToText( $actions ) )->text();
	// <-- Unsafe use of rawParams because $actions is built with Message::text()
}
$params[6] = Message::rawParam( $this->context->getLanguage()->listToText( $restrictions ) );
// <-- Unsafe use of rawParam because $restrictions is built with Message::text()
```
These can be reproduced by:
- Adding <script>alert()</script> or something like that to ipb-action-* and logentry-partialblock-block-* messages
- Enabling action blocks with $wgEnablePartialActionBlocks = true;
- Blocking someone selecting all options for partial blocks
- Going to their contributions page
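As an added illustration of the rawParams()/text() mismatch in the snippet above (this is not code from the report or from MediaWiki): MiniMessage, MESSAGES, msg() and listToText() are constructed stand-ins for the Message and Language APIs, and the hardened variant is an assumed fix, not the project's patch.

```php
<?php
// Added illustration of the rawParams()/text() mismatch from the report; this is
// not MediaWiki code. MiniMessage is a constructed stand-in for Message: text()
// substitutes parameters without escaping, escaped() HTML-escapes the message
// and its ordinary parameters, and a raw parameter is always inserted verbatim.
const MESSAGES = [ // constructed on-wiki messages; one has been tampered with
	'ipb-action-move'                    => 'move',
	'ipb-action-upload'                  => '<script>alert(1)</script>',
	'logentry-partialblock-block-action' => '$1 action(s): $2',
];

class MiniMessage {
	private array $params = [];
	public function __construct( private string $src ) {}
	public function numParams( int $n ): self { $this->params[] = (string)$n; return $this; }
	public function rawParams( string $html ): self { $this->params[] = [ 'raw' => $html ]; return $this; }
	public function text(): string { return $this->fill( false ); }
	public function escaped(): string { return $this->fill( true ); }
	private function fill( bool $escape ): string {
		$out = $escape ? htmlspecialchars( $this->src ) : $this->src;
		foreach ( $this->params as $i => $p ) {
			// A raw parameter is trusted as HTML and never escaped; ordinary ones are.
			$v = is_array( $p ) ? $p['raw'] : ( $escape ? htmlspecialchars( $p ) : $p );
			$out = str_replace( '$' . ( $i + 1 ), $v, $out );
		}
		return $out;
	}
}

function msg( string $key ): MiniMessage { return new MiniMessage( MESSAGES[$key] ); }
function listToText( array $items ): string { return implode( ', ', $items ); }

// Vulnerable pattern from the report: pieces rendered with text() (unescaped)
// are handed to rawParams(), which trusts them as HTML.
function formatActionsUnsafe( array $actions ): string {
	$names = array_map( fn ( $a ) => msg( 'ipb-action-' . $a )->text(), $actions );
	return msg( 'logentry-partialblock-block-action' )
		->numParams( count( $names ) )->rawParams( listToText( $names ) )->text();
}

// Hardened form (an assumed fix, not the project's patch): everything that reaches
// rawParams() is built with escaped(), so it is already HTML-safe when trusted.
function formatActionsSafe( array $actions ): string {
	$names = array_map( fn ( $a ) => msg( 'ipb-action-' . $a )->escaped(), $actions );
	return msg( 'logentry-partialblock-block-action' )
		->numParams( count( $names ) )->rawParams( listToText( $names ) )->escaped();
}

echo formatActionsUnsafe( [ 'move', 'upload' ] ), "\n"; // script tag survives
echo formatActionsSafe( [ 'move', 'upload' ] ), "\n";   // script tag is escaped
```

The contract that the unsafe variant breaks is that a raw parameter must already be HTML; every string composed into one therefore has to come from escaped(), never text().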