Page MenuHomePhabricator
Create Task
Maniphest T412068

CVE-2026-22712: ApprovedRevs allows bypassing the inline CSS sanitizer due to magic word replacement in ParserAfterTidy
Closed, ResolvedPublicSecurity
Actions

Description

ApprovedRevs replaces the __APPROVEDREVS__ magic word in the ParserAfterTidy hook, allowing the inline CSS sanitizer to be bypassed.

Reproduction steps

  1. Go to /wiki/Special:ExpandTemplates?wpInput=%3Cpre%20style%3D%22background%3A%20u__APPROVEDREVS__rl%28%27%2F%2Fhttp.cat%2F418%27%29%22%2F%3E
  2. Observe that an HTTP request to https://http.cat/418 is sent because the CSS sanitizer was bypassed

image.png (600×642 px, 28 KB)

Cause

ApprovedRevs performs to magic word replacement in the ParserAfterTidy hook: https://github.com/wikimedia/mediawiki-extensions-ApprovedRevs/blob/caf00bf928471fe6e30e8b1d7d3fea1de524e37f/includes/ApprovedRevsHooks.php#L956-L973
When this hook is run, strip markers are already unstripped. Because user-provided attribute values in elements inserted via strip markers (like the pre tag) are generally not safely encoded to escape underscores or other wikitext syntax, the __APPROVEDREVS__ magic word will be replaced in the style attribute of the <pre> element.

Additional information

  • MediaWiki: 1.46.0-alpha
  • Approved Revs: caf00bf

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Change from ParserAfterTidy to InternalParseBeforeLinks hookmediawiki/extensions/ApprovedRevsREL1_45+4 -3
Change from ParserAfterTidy to InternalParseBeforeLinks hookmediawiki/extensions/ApprovedRevsREL1_44+4 -3
Change from ParserAfterTidy to InternalParseBeforeLinks hookmediawiki/extensions/ApprovedRevsmaster+4 -3
Customize query in gerrit

Related Objects

Event Timeline

SomeRandomDeveloper created this task.Dec 9 2025, 12:29 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 9 2025, 12:29 AM
SomeRandomDeveloper changed the task status from Open to Stalled.Dec 9 2025, 12:31 AM
SomeRandomDeveloper claimed this task.
SomeRandomDeveloper added projects: Vuln-Infoleak, MediaWiki-extensions-Approved-Revs.
This comment was removed by SomeRandomDeveloper.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Dec 16 2025, 5:52 PM
SomeRandomDeveloper changed the task status from Stalled to Open.Dec 17 2025, 9:55 PM
SomeRandomDeveloper added a subscriber: Yaron_Koren.

(Reopening as this is no longer blocked)

SomeRandomDeveloper added a comment.Dec 17 2025, 9:56 PM

@Yaron_Koren is there any specific reason the extension uses ParserAfterTidy here? Otherwise, I think an easy fix would be to just use InternalParseBeforeLinks instead

SomeRandomDeveloper mentioned this in T404620: Write and send supplementary release announcement for extensions and skins with security patches (1.39.16/1.43.6/1.44.3/1.45.1).Dec 17 2025, 9:58 PM
SomeRandomDeveloper added a comment.Dec 17 2025, 10:05 PM

Patch:

T412068.patch1 KBDownload

Yaron_Koren added a comment.Dec 18 2025, 12:39 AM

Wow, what a simple fix! No, there's no specific reason why it's using ParserAfterTidy - I'm guessing that I just copied that from another extension.

Yaron_Koren added subscribers: JeffreyWang, JeroenDeDauw.Dec 18 2025, 12:46 AM
sbassett added subscribers: gerritbot, sbassett.EditedDec 18 2025, 5:16 PM
In T412068#11470872, @SomeRandomDeveloper wrote:

Patch:

T412068.patch1 KBDownload

Seems sane. I believe this can just be pushed through gerrit when you're ready. And then we'll likely re-announce it with T404620 if it's merged by early January 2026.

Yaron_Koren added a comment.Dec 18 2025, 6:19 PM

I plan to take care of this later today, unless anyone wants me to wait longer.

gerritbot added a comment.Dec 18 2025, 11:14 PM

Change #1219656 had a related patch set uploaded (by Yaron Koren; author: Yaron Koren):

[mediawiki/extensions/ApprovedRevs@master] Change from ParserAfterTidy to InternalParseBeforeLinks hook

https://gerrit.wikimedia.org/r/1219656

gerritbot added a project: Patch-For-Review.Dec 18 2025, 11:14 PM
gerritbot added a comment.Dec 19 2025, 12:11 AM

Change #1219656 merged by jenkins-bot:

[mediawiki/extensions/ApprovedRevs@master] Change from ParserAfterTidy to InternalParseBeforeLinks hook

https://gerrit.wikimedia.org/r/1219656

SomeRandomDeveloper closed this task as Resolved.Dec 21 2025, 1:45 AM
gerritbot added a comment.Jan 7 2026, 7:12 PM

Change #1224161 had a related patch set uploaded (by Mstyles; author: Yaron Koren):

[mediawiki/extensions/ApprovedRevs@REL1_45] Change from ParserAfterTidy to InternalParseBeforeLinks hook

https://gerrit.wikimedia.org/r/1224161

gerritbot added a comment.Jan 7 2026, 7:13 PM

Change #1224162 had a related patch set uploaded (by Mstyles; author: Yaron Koren):

[mediawiki/extensions/ApprovedRevs@REL1_44] Change from ParserAfterTidy to InternalParseBeforeLinks hook

https://gerrit.wikimedia.org/r/1224162

gerritbot added a comment.Jan 7 2026, 7:30 PM

Change #1224162 merged by jenkins-bot:

[mediawiki/extensions/ApprovedRevs@REL1_44] Change from ParserAfterTidy to InternalParseBeforeLinks hook

https://gerrit.wikimedia.org/r/1224162

gerritbot added a comment.Jan 7 2026, 7:31 PM

Change #1224161 merged by jenkins-bot:

[mediawiki/extensions/ApprovedRevs@REL1_45] Change from ParserAfterTidy to InternalParseBeforeLinks hook

https://gerrit.wikimedia.org/r/1224161

Mstyles renamed this task from ApprovedRevs allows bypassing the inline CSS sanitizer due to magic word replacement in ParserAfterTidy to CVE-2026-22712: ApprovedRevs allows bypassing the inline CSS sanitizer due to magic word replacement in ParserAfterTidy.Jan 9 2026, 12:06 AM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Maintenance_bot removed a project: Patch-For-Review.Jan 9 2026, 12:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits