Page MenuHomePhabricator
Create Task
Maniphest T416090

CVE-2026-34094: Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix
Closed, ResolvedPublicSecurity
Actions

Assigned To
matmarex
Authored By
Iniquity
Feb 1 2026, 1:22 PM
Tags
Referenced Files
F72106449: 01-T416090-REL1_45.patch
Feb 15 2026, 1:03 AM
F72106448: 01-T416090-REL1_44.patch
Feb 15 2026, 1:03 AM
F72106447: 01-T416090-REL1_43.patch
Feb 15 2026, 1:03 AM
F72106405: 01-T416090.patch
Feb 15 2026, 12:54 AM
F71643142: image.png
Feb 1 2026, 1:22 PM
Subscribers
Aklapper
gerritbot
Iniquity
matmarex
sbassett

Description

Steps to replicate the issue (include links if applicable):

What happens?:
BASEPAGENAME is added to the link.

image.png (800×2 px, 385 KB)

What should have happened instead?:
The link from https://ru.wikipedia.org/wiki/MediaWiki:Protection-editautoreviewprotected-helppage leads directly to the page.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Validate link target for protection indicators help pagemediawiki/coremaster+1 -1
SECURITY: Validate link target for protection indicators help pagemediawiki/coreREL1_43+1 -1
SECURITY: Validate link target for protection indicators help pagemediawiki/coreREL1_44+2 -1
SECURITY: Validate link target for protection indicators help pagemediawiki/coreREL1_45+2 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Iniquity created this task.Feb 1 2026, 1:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 1 2026, 1:22 PM
Iniquity moved this task from Backlog to Indicators on the MediaWiki-Page-protection board.Feb 1 2026, 1:23 PM
Iniquity renamed this task from The name of the main page on the subpage is inserted into the indicator link to BASEPAGENAME of the subpage is inserted into the 'indicator' link.Feb 1 2026, 1:32 PM
Iniquity added a subscriber: matmarex.EditedFeb 14 2026, 2:01 PM

@matmarex hi! may you please look in it? :(

Iniquity updated the task description. (Show Details)Feb 14 2026, 2:02 PM
matmarex claimed this task.Feb 15 2026, 12:53 AM
matmarex set Security to Software security bug.
matmarex added projects: Security, Security-Team.
matmarex changed the visibility from "Public (No Login Required)" to "Custom Policy".
matmarex changed the subtype of this task from "Bug Report" to "Security Issue".
matmarex added a project: Patch-For-Review.

Thanks for the bug report! In addition to the incorrect appearance, this is actually a low-severity security issue – the link doesn't work correctly because the link target is not validated, which would also allow an administrator to insert JavaScript into the page, which should be reserved for interface administrators only. Hence I turned this into a private bug report.

Patch:

01-T416090.patch993 BDownload

I hope we'll be able to deploy it and then make it public soon.

For the record, the bug was introduced in https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1033697, in MediaWiki 1.43. Only wikis using $wgEnableProtectionIndicators are affected (it used to be disabled by default, but is enabled since MediaWiki 1.45: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1192525).

matmarex added a comment.Feb 15 2026, 1:03 AM

Patches for release versions:

01-T416090-REL1_43.patch993 BDownload

01-T416090-REL1_44.patch1 KBDownload

01-T416090-REL1_45.patch1 KBDownload

sbassett moved this task from Incoming to In Progress on the Security-Team board.Feb 17 2026, 4:49 PM
sbassett added projects: SecTeam-Processed, Vuln-Misconfiguration.
sbassett moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Feb 19 2026, 5:53 PM
sbassett subscribed.
In T416090#11618018, @matmarex wrote:

Patch:

01-T416090.patch993 BDownload

I hope we'll be able to deploy it and then make it public soon.

CR+2, I think we can get this out during next Monday's security deployment window.

sbassett changed the task status from Open to In Progress.Feb 19 2026, 5:53 PM
sbassett triaged this task as Medium priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed Risk Rating from N/A to Medium.
matmarex renamed this task from BASEPAGENAME of the subpage is inserted into the 'indicator' link to Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix.Feb 20 2026, 6:20 PM
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Feb 23 2026, 11:10 PM

Deployed to 1.46.0-wmf.16. Looks stable.

sbassett added a parent task: Restricted Task.Feb 23 2026, 11:13 PM
Reedy renamed this task from Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix to CVE-2026-34094: Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix.Wed, Mar 25, 6:18 PM
Reedy added projects: MW-1.44-release, MW-1.45-release, MW-1.43-release.
Reedy added a subscriber: gerritbot.
Reedy closed this task as Resolved.Wed, Mar 25, 7:15 PM
gerritbot added a comment.Wed, Apr 1, 12:16 AM

Change #1265641 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@master] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265641

gerritbot added a comment.Wed, Apr 1, 1:16 AM

Change #1265656 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@REL1_45] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265656

gerritbot added a comment.Wed, Apr 1, 1:21 AM

Change #1265662 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@REL1_44] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265662

gerritbot added a comment.Wed, Apr 1, 1:23 AM

Change #1265668 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@REL1_43] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265668

gerritbot added a comment.Wed, Apr 1, 1:48 AM

Change #1265656 merged by jenkins-bot:

[mediawiki/core@REL1_45] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265656

gerritbot added a comment.Wed, Apr 1, 1:57 AM

Change #1265641 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265641

gerritbot added a comment.Wed, Apr 1, 2:18 AM

Change #1265662 merged by jenkins-bot:

[mediawiki/core@REL1_44] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265662

gerritbot added a comment.Wed, Apr 1, 2:33 AM

Change #1265668 merged by jenkins-bot:

[mediawiki/core@REL1_43] SECURITY: Validate link target for protection indicators help page

https://gerrit.wikimedia.org/r/1265668

matmarex removed a project: Patch-For-Review.Tue, Apr 7, 9:28 PM
matmarex changed the visibility from "Custom Policy" to "Public (No Login Required)".
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits