Page MenuHomePhabricator
Create Task
Maniphest T386175

CVE-2025-32072: HTML injection in feed output from i18n message
Closed, ResolvedPublicSecurity
Actions

Description

When emitting a news feed item for the creation of a wikitext page, the newpage message text is directly included in the output without being escaped:

FeedUtils::formatDiffRow2()
				$diffText = Html::rawElement(
					'p',
					[],
					Html::rawElement( 'b', [], wfMessage( 'newpage' )->text() )
				);

Tested locally with &uselang=x-xss:

<summary type="html">
<p>Created blank page</p> <p><b><script>alert('newpage')</script>"><script>alert('newpage')</script><x y="()</b></p><div></div>
</summary>

I’m not sure what the impact of this is – I hesitate to call it “XSS” because I don’t think this would usually be shown in the user’s normal browsing context, where script execution is really problematic. But we should still fix it; at a minimum, I assume this allows a wiki admin to make the feed output confusing and/or malformed.

This was actually noticed a few years ago. When @DannyS712 ported this code from bare string manipulation to the Html class (Gerrit change) –

-				$diffText = '<p><b>' . wfMessage( 'newpage' )->text() . '</b></p>' .
-					'<div>' . $html . '</div>';
+				$diffText = Html::rawElement(
+					'p',
+					[],
+					Html::rawElement( 'b', [], wfMessage( 'newpage' )->text() )
+				);

@thiemowmde commented:

This allows HTML injections, I believe. Let's make sure we fix this (in another patch).

And then, as far as I can tell, nothing happened beyond that. :|

Details

Author Affiliation
Wikimedia Deutschland
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Escape newpage message in FeedUtilsmediawiki/coreREL1_39+2 -2
SECURITY: Escape newpage message in FeedUtilsmediawiki/coreREL1_43+1 -1
SECURITY: Escape newpage message in FeedUtilsmediawiki/coreREL1_42+1 -1
Escape newpage message in FeedUtilsmediawiki/coremaster+1 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedReedyT389313 Formally EOL MW 1.42
Restricted Task
Restricted Task
 ResolvedSecurityLucas_Werkmeister_WMDET386175 CVE-2025-32072: HTML injection in feed output from i18n message

Event Timeline

Lucas_Werkmeister_WMDE created this task.Feb 12 2025, 10:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 12 2025, 10:29 AM
Lucas_Werkmeister_WMDE added a comment.Feb 12 2025, 10:30 AM

Suggested fix:

0001-SECURITY-Escape-newpage-message-in-FeedUtils.patch885 BDownload

diff --git a/includes/Feed/FeedUtils.php b/includes/Feed/FeedUtils.php
index c180da2ff5..4896c5ca28 100644
--- a/includes/Feed/FeedUtils.php
+++ b/includes/Feed/FeedUtils.php
@@ -254 +254 @@ public static function formatDiffRow2(
-					Html::rawElement( 'b', [], wfMessage( 'newpage' )->text() )
+					Html::element( 'b', [], wfMessage( 'newpage' )->text() )
Lucas_Werkmeister_WMDE added a comment.Feb 12 2025, 10:36 AM

(The newpage message doesn’t appear to contain any markup in any of the translations tracked in MediaWiki core.)

Aklapper added a project: MediaWiki-General.Feb 12 2025, 12:19 PM
thiemowmde added a comment.Feb 13 2025, 9:45 AM

That's why I usually create such follow-up patches right away. 😅️ I can't tell why we forgot to do that back then. Sure thing, let's do that.

I agree this is hard, if not impossible to exploit and probably not critical.

sbassett added subscribers: gerritbot, sbassett.Feb 14 2025, 3:53 PM
In T386175#10543610, @Lucas_Werkmeister_WMDE wrote:

Suggested fix:

0001-SECURITY-Escape-newpage-message-in-FeedUtils.patch885 BDownload

CR+1, this should just go through gerrit and then we can add it to the upcoming supplemental release (T382326).

Lucas_Werkmeister_WMDE added a comment.Feb 14 2025, 4:18 PM

Alright, I’ll upload it on Monday.

gerritbot added a comment.Feb 17 2025, 9:14 AM

Change #1120134 had a related patch set uploaded (by Lucas Werkmeister (WMDE); author: Lucas Werkmeister (WMDE)):

[mediawiki/core@master] Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1120134

gerritbot added a project: Patch-For-Review.Feb 17 2025, 9:15 AM
gerritbot added a comment.Feb 17 2025, 10:04 AM

Change #1120134 merged by jenkins-bot:

[mediawiki/core@master] Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1120134

Jdforrester-WMF added a project: MW-1.44-notes (1.44.0-wmf.17; 2025-02-18).Feb 17 2025, 4:25 PM
sbassett mentioned this in T382326: Write and send supplementary release announcement for extensions and skins with security patches (1.39.12/1.42.6/1.43.1).Feb 19 2025, 6:10 PM
sbassett edited projects, added SecTeam-Processed; removed Patch-For-Review, Security-Team.Feb 19 2025, 6:12 PM
Mstyles renamed this task from HTML injection in feed output from i18n message to CVE-2025-32072: HTML injection in feed output from i18n message.Apr 11 2025, 5:04 PM
Mstyles closed this task as Resolved.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
taavi subscribed.Apr 17 2025, 5:06 PM

I'm a bit confused what exactly happened here. As far as I can tell this is a bug in core. Why was this not backported to supported branches? Why was it included in the announcement for non-bundled extensions/skins instead of the main point release announcement?

sbassett added a comment.Apr 17 2025, 7:11 PM
In T386175#10753027, @taavi wrote:

I'm a bit confused what exactly happened here. As far as I can tell this is a bug in core. Why was this not backported to supported branches? Why was it included in the announcement for non-bundled extensions/skins instead of the main point release announcement?

It was deemed low-risk, so we just pushed it through gerrit. It was accidentally included in the recent supplemental release; you're correct that it should have been a part of the core release. That's also the reason backports to supported release branches weren't performed, though we can do those now.

gerritbot added a comment.Apr 17 2025, 7:12 PM

Change #1137346 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/core@REL1_43] Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137346

gerritbot added a project: Patch-For-Review.Apr 17 2025, 7:12 PM

Change #1137347 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/core@REL1_42] Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137347

gerritbot added a comment.Apr 17 2025, 7:12 PM

Change #1137348 had a related patch set uploaded (by SBassett; author: Lucas Werkmeister (WMDE)):

[mediawiki/core@REL1_39] Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137348

gerritbot added a comment.Apr 18 2025, 2:11 AM

Change #1137347 merged by jenkins-bot:

[mediawiki/core@REL1_42] SECURITY: Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137347

gerritbot added a comment.Apr 18 2025, 2:14 AM

Change #1137346 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137346

Legoktm mentioned this in T392276: CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message.Apr 18 2025, 2:29 AM
ReleaseTaggerBot added projects: MW-1.43-notes, MW-1.42-notes.Apr 18 2025, 3:00 AM
Legoktm mentioned this in T392279: CVE-2025-53502: HTML injection in FeaturedFeeds output from i18n message.Apr 18 2025, 3:38 AM
gerritbot added a comment.Apr 18 2025, 2:25 PM

Change #1137348 abandoned by SBassett:

[mediawiki/core@REL1_39] SECURITY: Escape newpage message in FeedUtils

Reason:

See above comments

https://gerrit.wikimedia.org/r/1137348

gerritbot added a comment.Apr 21 2025, 3:28 PM

Change #1137348 restored by SBassett:

[mediawiki/core@REL1_39] SECURITY: Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137348

gerritbot added a comment.Apr 22 2025, 1:04 PM

Change #1137348 merged by jenkins-bot:

[mediawiki/core@REL1_39] SECURITY: Escape newpage message in FeedUtils

https://gerrit.wikimedia.org/r/1137348

ReleaseTaggerBot added a project: MW-1.39-notes.Apr 22 2025, 2:00 PM
Reedy added a parent task: Restricted Task.Jun 24 2025, 8:31 PM
Reedy removed a project: Patch-For-Review.Jun 25 2025, 12:19 AM
sbassett assigned this task to Lucas_Werkmeister_WMDE.Jul 8 2025, 9:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits