
Placeholder for bugs related to security audit of REPO
Closed, Resolved (Public)

Description

Can't find the correct bug, using this as a placeholder for now.

There are several bugs reported in an email. This lists the issues and fixes for the repo.

  • This code pattern is used a lot in the api, and allows CSRF:

$editEntity->attemptSave( ... , ..., isset( $params['token'] ) ? $params['token'] : false );

  • Permissions (authorization checks) are very inconsistently checked. They need to be checked to at least enable admins to block people abusing the site.

./repo/includes/actions/ViewEntityAction.php

  • Please escape $labelText on line 170, or use setPageTitle

./repo/includes/api/ApiCreateClaim.php

  • CSRF

./repo/includes/api/ApiGetEntities.php

  • No authorization checking

./repo/includes/api/ApiRemoveClaims.php

  • CSRF
  • No authorization checking

./repo/includes/api/ApiSearchEntities.php

  • Need to filter or whitelist the search regex chars, to prevent DoS
  • No authorization checks

./repo/includes/api/ApiSetClaimValue.php

  • CSRF

./repo/includes/api/ApiSetReference.php

  • CSRF

./repo/includes/ItemDisambiguation.php

  • Please xss escape label on Line 114

./repo/includes/specials/SpecialCreateEntity.php

  • No authorization (should execute call parent?)
  • double escaping of Html::input values

./repo/includes/specials/SpecialEntitiesWithoutLabel.php

  • CSRF for search (minor)

./repo/includes/specials/SpecialEntityData.php

  • Please sanity check the maxage / smaxage values from request

./repo/includes/specials/SpecialItemByTitle.php

  • Please ensure that the redirect url doesn't point back to this page and create an infinite loop

./repo/includes/specials/SpecialListDatatypes.php

  • Please xss escape $dataTypeId line 46

./repo/includes/specials/SpecialNewProperty.php

  • No Authorization

./repo/includes/specials/SpecialWikibaseQueryPage.php

  • Please use Html/Xml builders in outputResults() for sanity

./repo/includes/store/sql/EntityPerPageTable.php

  • addEntityContent: Race condition (Read from slave, write to master)

Version: unspecified
Severity: critical
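The "optional token" pattern at the top of the list, shown next to the hardened form of the same API write module, as an added example that is not code from the Wikibase repo or the audit. It assumes the MediaWiki ApiBase hooks (needsToken, mustBePosted, isWriteMode, checkUserRightsAny, dieBlocked) of MediaWiki 1.29 or later; the EditEntity factory and the module names are hypothetical stand-ins.

```php
<?php
// Added example, not the repo's code. Contrasts the vulnerable "token is optional"
// pattern the audit names with a write module that makes ApiMain enforce the token.
// Assumes MediaWiki >= 1.29 ApiBase; makeEditEntity() is a hypothetical factory.

// BEFORE: a request with no token at all still reaches attemptSave(), so a
// cross-site form post (no token known to the attacker) writes to the entity.
class ApiVulnerableSave extends ApiBase {
    public function execute() {
        $params = $this->extractRequestParams();
        $editEntity = $this->makeEditEntity( $params );   // hypothetical
        // false here means "no token"; the save proceeds regardless.
        $editEntity->attemptSave( $params['summary'], EDIT_UPDATE,
            isset( $params['token'] ) ? $params['token'] : false );
    }
}

// AFTER: declare the module as a POST-only write action that needs a CSRF token.
// ApiMain then adds the 'token' parameter itself and rejects the request before
// execute() runs if the token is missing or does not match the session.
class ApiHardenedSave extends ApiBase {
    public function needsToken() {
        return 'csrf';   // token type; ApiMain validates it (MW >= 1.24 semantics)
    }
    public function mustBePosted() {
        return true;     // tokens must never travel in a GET query string
    }
    public function isWriteMode() {
        return true;     // honoured by read-only mode and the write-API right
    }

    public function execute() {
        // Authorization: fail closed. checkUserRightsAny() dies with a permission
        // error; dieBlocked() lets admins' blocks actually stop the abuser.
        $this->checkUserRightsAny( 'edit' );
        $block = $this->getUser()->getBlock();
        if ( $block ) {
            $this->dieBlocked( $block );
        }

        $params = $this->extractRequestParams();
        $editEntity = $this->makeEditEntity( $params );   // hypothetical
        // The token is mandatory and already validated, so it is passed as-is.
        $editEntity->attemptSave( $params['summary'], EDIT_UPDATE, $params['token'] );
    }

    private function makeEditEntity( array $params ) {
        // Hypothetical: builds the repo's EditEntity for $params['id'] on behalf
        // of $this->getUser(); the real construction lives in the repo.
        return new EditEntity( $params['id'], $this->getUser() );
    }
}
```

The point of the hardened version is that the decision "is a token required?" moves out of every module's execute() into one declarative hook that ApiMain enforces uniformly, which is exactly what a grep for the `isset( $params['token'] ) ? ... : false` idiom cannot guarantee.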
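The addEntityContent race condition from the last item (existence check against a slave, insert on master), with an atomic replacement, as an added example that is not the repo's code. It assumes the MediaWiki database API of that era (wfGetDB, DB_SLAVE, DB_MASTER, insert with the IGNORE option, affectedRows) and a UNIQUE index on the entity-id column; the table and column names are placeholders.

```php
<?php
// Added example, not the repo's code. Shows why "read from slave, write to master"
// races, and the fix that lets the database serialize the decision.
// Assumes MediaWiki's wfGetDB()/DB_SLAVE/DB_MASTER and a placeholder table
// entity_per_page( epp_entity_id UNIQUE, epp_page_id ).

// BEFORE: two concurrent requests both read "no row" from the replica (which may
// also lag behind master) and both insert; with a unique index the loser gets a
// duplicate-key error, without one you get duplicate rows.
function addEntityContentRacy( $entityId, $pageId ) {
    $dbr = wfGetDB( DB_SLAVE );
    $exists = $dbr->selectRow(
        'entity_per_page', 'epp_page_id',
        [ 'epp_entity_id' => $entityId ], __METHOD__
    );
    if ( $exists ) {
        return false;
    }
    $dbw = wfGetDB( DB_MASTER );
    $dbw->insert(
        'entity_per_page',
        [ 'epp_entity_id' => $entityId, 'epp_page_id' => $pageId ],
        __METHOD__
    );
    return true;
}

// AFTER: no separate check. INSERT IGNORE against the unique index is a single
// atomic statement on master: exactly one writer inserts, the others are
// no-ops, and affectedRows() reports which case this call was.
function addEntityContentAtomic( $entityId, $pageId ) {
    $dbw = wfGetDB( DB_MASTER );
    $dbw->insert(
        'entity_per_page',
        [ 'epp_entity_id' => $entityId, 'epp_page_id' => $pageId ],
        __METHOD__,
        [ 'IGNORE' ]
    );
    return $dbw->affectedRows() > 0;   // true only for the winning writer
}
```

The atomic form depends on the unique index existing; without it IGNORE has nothing to ignore and the duplicate rows come back. Checking the schema is therefore part of the fix, not an afterthought.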

Details

Reference
bz42626

Event Timeline

bzimport raised the priority of this task to Unbreak Now!. (Nov 22 2014, 1:11 AM)
bzimport set Reference to bz42626.

jeblad: I don't understand what is meant by "Can't find the correct bug, using this as a placeholder for now". That there should be a bug report already?
If so, it might be in the "Security" product instead.

We resolved them internally, without a bug.