Page MenuHomePhabricator
Create Task
Maniphest T414901

ReDOS via Regex Injection in XTools
Closed, ResolvedPublicSecurity
Actions

Description

XTools tries to block crawlers rapidly crawling translations of pages based on the use of the uselang query parameter, while ignoring cases where the target project's language and the requested language are the same. However, this is checked by concatenating the language code directly in a regex (https://github.com/x-tools/xtools/blob/a2afff0d5425c7c8d9d0cd9881d9969c63eb72cc/src/EventSubscriber/RateLimitSubscriber.php#L175). This could be used to carry out ReDOS attacks by supplying uselang=(a+)+ in the URI which would result in the creation of this pattern of exponential time complexity: /[=\/](a+)+.?wik/.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities

Related Objects

Event Timeline

Redmin created this task.Jan 19 2026, 6:17 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 19 2026, 6:18 AM
Redmin added a project: XTools.Jan 19 2026, 6:18 AM

Why not use preg_quote() to mitigate this?

Redmin added a project: Vuln-DoS.Jan 19 2026, 6:21 AM
sbassett edited projects, added SecTeam-Processed, Cloud-VPS; removed Security-Team.Jan 20 2026, 6:55 PM
sbassett added subscribers: MusikAnimal, Samwilson, sbassett.
In T414901#11532301, @Redmin wrote:

Why not use preg_quote() to mitigate this?

Yes, that should be sufficient:

> php -r "echo preg_quote('(a+)+');"
> \(a\+\)\+

Tagging a couple of the most recent project maintainers...

Restricted Application added a project: cloud-services-team. · View Herald TranscriptJan 20 2026, 6:56 PM
Samwilson added a comment.EditedJan 21 2026, 1:24 AM

Like this?

diff --git a/src/EventSubscriber/RateLimitSubscriber.php b/src/EventSubscriber/RateLimitSubscriber.php
index 64b6bd28..31951c14 100644
--- a/src/EventSubscriber/RateLimitSubscriber.php
+++ b/src/EventSubscriber/RateLimitSubscriber.php
@@ -172,7 +172,7 @@ class RateLimitSubscriber implements EventSubscriberInterface {
 
                // If requesting the same language as the target project, ignore.
                // FIXME: This has side-effects (T384711#10759078)
-               if ( preg_match( "/[=\/]$useLang.?wik/", $this->uri ) === 1 ) {
+               if ( preg_match( '/[=\/]' . preg_quote( $useLang ) . '?wik/', $this->uri ) === 1 ) {
                        return;
                }
Samwilson added a subscriber: Alien333.Jan 21 2026, 1:44 AM

Adding another XTools maintainer.

taavi removed projects: cloud-services-team, Cloud-VPS.Jan 21 2026, 11:20 AM
taavi subscribed.

Does not seem to be a Cloud-VPS infrastructure issue, thus untagging us.

Redmin added a comment.Jan 21 2026, 1:28 PM
In T414901#11540046, @Samwilson wrote:

Like this?
...

Yep, that's sufficient.

sbassett added a comment.Jan 21 2026, 4:07 PM

The best path forward here is to probably create a public pull request for the xtools repo and then quickly merge and deploy it to the cloud project.

Samwilson mentioned this in rXTa9f106565b60: Escape uselang param when checking against project name.Jan 21 2026, 11:42 PM
Samwilson added a comment.Jan 22 2026, 12:09 AM

Done:

https://github.com/x-tools/xtools/pull/615
https://github.com/x-tools/xtools/pull/616

And I've released version 3.24.1 with the change. That will be auto deployed within ten minutes.

sbassett added a comment.Jan 22 2026, 3:50 PM
In T414901#11543697, @Samwilson wrote:

Done:

https://github.com/x-tools/xtools/pull/615
https://github.com/x-tools/xtools/pull/616

And I've released version 3.24.1 with the change. That will be auto deployed within ten minutes.

Thanks! I'd like to resolve this task and make it public now unless you have any other concerns.

Samwilson added a comment.Jan 23 2026, 1:36 AM

Yep fine by me. Unless @Redmin wants to double-check first?

Redmin added a comment.Jan 23 2026, 4:24 AM

Nah, thanks for patching this; it looks good.

sbassett closed this task as Resolved.Jan 23 2026, 2:51 PM
sbassett triaged this task as Medium priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
Redmin mentioned this in T415379: Request to add Redmin to Security Team's Hall of Fame.Jan 23 2026, 3:48 PM
1234qwer1234qwer4 moved this task from Backlog to Complete on the XTools board.Apr 11 2026, 12:37 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits