
thumb.php outputs wikitext message as raw html
Closed, ResolvedPublic

Assigned To
None
Authored By
Krinkle
Dec 4 2014, 3:08 AM
Referenced Files
F21282: bugT76686-REL1_23.patch
Dec 15 2014, 2:40 PM
F21285: bugT76686-REL1_22.patch
Dec 15 2014, 2:40 PM
F21284: bugT76686-REL1_21.patch
Dec 15 2014, 2:40 PM
F21283: bugT76686-REL1_19.patch
Dec 15 2014, 2:40 PM
F18347: Screen_Shot_2014-12-04_at_03.04.23.png
Dec 4 2014, 3:08 AM

Description

https://en.wikipedia.org/w/thumb.php outputs a fairly long interface message (customised by enwiki admins) that looks like it is intended for Special:BadTitle. It outputs this already confusing message as raw HTML instead of text or wikitext.

Right now this is causing the browser to parse <code> and <nowiki>. It could trivially include <script> as well.

[Screenshot: Screen_Shot_2014-12-04_at_03.04.23.png]

Event Timeline

Krinkle raised the priority of this task from to Needs Triage.
Krinkle updated the task description. (Show Details)
Krinkle added a project: acl*security.
Krinkle changed the visibility from "Public (No Login Required)" to "acl*security (Project)".
Krinkle changed the edit policy from "All Users" to "acl*security (Project)".
Krinkle changed Security from none to Software security bug.
Krinkle subscribed.
Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptDec 4 2014, 3:08 AM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript
Krinkle renamed this task from thumb.php outputs raw wikitext as html to thumb.php outputs wikitext message as raw html.Dec 4 2014, 3:11 AM
Krinkle edited subscribers, added: Catrope, csteipp; removed: Aklapper.
csteipp triaged this task as Medium priority.Dec 4 2014, 9:59 PM

Similar to the general issue of T2212. Since only admins can edit the message, it's not horrible, but something we should fix.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 4 2014, 9:59 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript


Thanks @Legoktm, looks good to me. I'll get this deployed.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 4 2014, 11:27 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript

Deployed to the cluster.

@Mglaser, this should get added to the next release.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 8 2014, 7:22 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript

Proposed backports. All tested: I added

<script>alert("bad");</script>

to MediaWiki:Badtitletext and called thumb.php without any parameter. Without the patch, the alert showed up. After the patch was applied, the script was rendered as text instead.

The original patch applies nicely to REL1_24.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptDec 15 2014, 2:40 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
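The bug in the description and the backport test above both come down to one output boundary: an admin-editable interface message is interpolated into an HTML error page without escaping. The following is an added example, not MediaWiki's thumb.php or any patch from this task; the renderer functions, the constructed stand-in for MediaWiki:Badtitletext and the check function are all hypothetical names chosen for illustration. It shows the vulnerable interpolation beside the escaped form, and a regression check modelled on the manual test Mglaser describes (payload in the message, response must show it as text).

```php
<?php
// Added example, not MediaWiki code. Minimal stand-in for an error path
// that prints an admin-editable interface message into an HTML page.

// Constructed stand-in for the content of MediaWiki:Badtitletext after an
// admin has added the payload used in the backport test.
const BADTITLETEXT_WITH_PAYLOAD = 'The requested page title is invalid. '
	. 'See <code>Help:Titles</code> for details. <script>alert("bad");</script>';

/**
 * Vulnerable form: the message lands in the HTML body verbatim, so the
 * browser parses any markup it contains, including <script>.
 */
function renderThumbErrorVulnerable( int $status, string $msg ): string {
	return "<!DOCTYPE html>\n"
		. "<html><head><meta charset=\"UTF-8\"><title>Error $status</title></head>\n"
		. "<body><h1>Error $status</h1>\n<p>$msg</p>\n</body></html>\n";
}

/**
 * Hardened form: HTML-escape the message at the output boundary. The browser
 * then shows the markup as text. ENT_QUOTES also neutralises both quote
 * styles, and naming the charset avoids encoding-dependent escaping bugs.
 */
function renderThumbErrorEscaped( int $status, string $msg ): string {
	$safeMsg = htmlspecialchars( $msg, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	return "<!DOCTYPE html>\n"
		. "<html><head><meta charset=\"UTF-8\"><title>Error $status</title></head>\n"
		. "<body><h1>Error $status</h1>\n<p>$safeMsg</p>\n</body></html>\n";
}

/**
 * Regression check modelled on the backport test: the response must not
 * contain a parseable <script> start tag, but the payload must still be
 * present as escaped text (the message is shown, not silently dropped).
 */
function messageIsRenderedAsText( string $html ): bool {
	return stripos( $html, '<script' ) === false
		&& strpos( $html, '&lt;script&gt;' ) !== false;
}

// Usage: `php thumb_error_example.php`
$vulnerable = renderThumbErrorVulnerable( 404, BADTITLETEXT_WITH_PAYLOAD );
$escaped = renderThumbErrorEscaped( 404, BADTITLETEXT_WITH_PAYLOAD );

printf( "vulnerable response executes the payload: %s\n",
	messageIsRenderedAsText( $vulnerable ) ? 'no' : 'yes' );
printf( "escaped response shows the payload as text: %s\n",
	messageIsRenderedAsText( $escaped ) ? 'yes' : 'no' );
```

The escaped form is the "rendered as text" behaviour the backport test checks for. In MediaWiki itself the same decision is made at the Message object: Message::text() returns raw wikitext that must be escaped before it goes into HTML, whereas Message::escaped() and Message::parse() produce output that is safe to emit. Which of these the actual patch used is not visible on this page, so the example demonstrates the escaping principle rather than reproducing the fix.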
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.
Restricted Application added a subscriber: jeblad. · View Herald TranscriptFeb 10 2020, 10:59 PM