Page MenuHomePhabricator
Create Task
Maniphest T360504

i18n XSS vulnerability in message 'tux-nojs'
Closed, ResolvedPublicSecurity
Actions

Description

Discovered with $wgUseXssLanguage.

To reproduce:

  • Visit Special:Translate with ?uselang=x-xss.
  • Visit Special:AggregateGroups with ?uselang=x-xss
  • Visit Special:PageMigration with ?uselang=x-xss
  • Visit Special:PagePreparation with ?uselang=x-xss
  • Visit Special:ManageTranslatorSandbox with ?uselang=x-xss

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Change message formatting in 'tux-nojs' messagemediawiki/extensions/Translatemaster+5 -5
Customize query in gerrit

Event Timeline

jhsoby created this task.Mar 20 2024, 9:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 20 2024, 9:30 AM
jhsoby added projects: MediaWiki-extensions-Translate, Vuln-XSS, Patch-For-Review.Mar 20 2024, 9:33 AM
jhsoby added subscribers: Nikerabbit, abi_.

Patch for review:

T360504.patch3 KBDownload

Nikerabbit added a comment.Mar 20 2024, 9:52 AM

Seems to have been introduced in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Translate/+/772056

Maybe ->escaped() would be better than ->parse() to match the original behavior.

jhsoby added a comment.Mar 20 2024, 10:10 AM

Wouldn't parsing be better if it's possible? I can imagine some languages may have a convention of putting "foreign terms" like JavaScript in italics, for instance.

sbassett subscribed.Mar 20 2024, 2:19 PM
In T360504#9645158, @jhsoby wrote:

Wouldn't parsing be better if it's possible? I can imagine some languages may have a convention of putting "foreign terms" like JavaScript in italics, for instance.

Looking through the Message, MessageCache and Parser code within core, parse and escaped are very similar, though escaped does add the extra htmlspecialchars call, which is likely safer (and shouldn't affect strings like "JavaScript") and maybe a bit better at discouraging the use of html in message strings which, from a security perspective, we'd like to actively discourage unless critically necessary.

abi_ triaged this task as High priority.Mar 21 2024, 8:24 AM
abi_ moved this task from Backlog to maintenance and operational issues on the MediaWiki-extensions-Translate board.
Mstyles subscribed.Mar 25 2024, 8:08 PM

I updated the existing patch to used escaped instead of parsed. If we agree to move forward with this, I can upload this on gerrit so that we can address this issue faster.

T360504-2.patch3 KBDownload

jhsoby added a subscriber: gerritbot.Mar 26 2024, 3:45 PM
gerritbot added a comment.Mar 26 2024, 3:47 PM

Change #1014537 had a related patch set uploaded (by Jon Harald Søby; author: Jon Harald Søby):

[mediawiki/extensions/Translate@master] Change message formatting in 'tux-nojs' message

https://gerrit.wikimedia.org/r/1014537

gerritbot added a comment.Mar 27 2024, 6:20 AM

Change #1014537 merged by jenkins-bot:

[mediawiki/extensions/Translate@master] Change message formatting in 'tux-nojs' message

https://gerrit.wikimedia.org/r/1014537

Jdforrester-WMF added a project: MW-1.42-notes (1.42.0-wmf.25; 2024-04-02).Mar 27 2024, 1:22 PM
sbassett closed this task as Resolved.Mar 27 2024, 2:55 PM
sbassett assigned this task to jhsoby.
sbassett lowered the priority of this task from High to Medium.
sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits