patch from Kevin
I'm the "Wikipedia user PleaseStand" who reported the clickjacking
vulnerability in 2010, and I think I have another security issue to report.
On the English Wikipedia's technical village pump, user Kelisi reported
that a certain article's history page would show a "Fatal exception of
type MWException" only when he was logged in.
I debugged the issue and found that the cause was an inefficient regex
in includes/Linker.php in core MediaWiki. Specifically, the regex hit
the PCRE backtrack limit while processing an edit summary, so
preg_replace_callback() returned null. The fatal exception occurred when
the null value was to be inserted as a message parameter.
I'm reporting this issue through private e-mail, as I know such
exponential behavior can allow for denial of service attacks, and I'm
sure the vandals would enjoy making it hard for people to revert their
They just have to put something like this in their edit summaries:
[[aaaa]|aaaa]|aaaa]| ... (repeated at least 13 times more)
and that would break recent changes, watchlists, and history pages all
at once. The API, by the way, just returns null for the "parsedcomment".
I have attached a patch that should fix the regex. Feel free to make any
improvements. I've tested it against the recent histories (newest 1000
revisions) of three English Wikipedia articles.
Keep in mind it's possible that someone might inadvertently add
information to the village pump thread that makes it easier to find the
vulnerability (e.g. a broken diff link).
Also, if I would like to report a vulnerability in a user-created
Wikipedia gadget, where should I send the report to? Here? I think I may
have found an unrelated vulnerability in Twinkle, although it might be
tricky to exploit.
Kevin Israel (Wikipedia user PleaseStand)
try clicking on one of the diff links