
Special pages, actions and views whose messages don't escape text
Open, Normal, Public

Description

Nikerabbit made a partial list of the (main) places, in core and several extensions, containing messages which don't escape text. Each of those messages is a potential security risk.

== Core ==

=== Edit page/view page/protect page ===

/w/i.php?action=edit&title=Support    word-separator

== WikiEditor ==

wikieditor-toolbar-group-format
wikieditor-toolbar-group-insert
wikieditor-toolbar-help-*

== Semantic MediaWiki ==

2016-11 additions:
* smw_result_noresults
* smw_sbv_docu
* smw-ask-format-selection-help

/wiki/Special:Browse    smw_browse_article
/wiki/Special:Browse    smw_browse_go
/wiki/Special:Browse    categories
/wiki/Special:Browse    smw_isspecprop
/wiki/Special:Browse    isredirect

/wiki/Special:ExportRDF    smw_exportrdf_backlinks
/wiki/Special:ExportRDF    smw_exportrdf_docu
/wiki/Special:ExportRDF    smw_exportrdf_lastdate
/wiki/Special:ExportRDF    smw_exportrdf_recursive
/wiki/Special:ExportRDF    smw_exportrdf_submit

/wiki/Special:Properties    smw_isspecprop
/wiki/Special:Properties    smw_propertyhardlyused
/wiki/Special:Properties    smw_propertylackspage
/wiki/Special:Properties    smw_property_template_notype

/wiki/Special:SearchByProperty    smw_sbv_docu
/wiki/Special:SearchByProperty    smw_sbv_property
/wiki/Special:SearchByProperty    smw_sbv_submit
/wiki/Special:SearchByProperty    smw_sbv_value

/wiki/Special:SMWAdmin    smw_smwadmin_announce
/wiki/Special:SMWAdmin    smw_smwadmin_announcebutton
/wiki/Special:SMWAdmin    smw_smwadmin_announcedocu
/wiki/Special:SMWAdmin    smw_smwadmin_datarefresh
/wiki/Special:SMWAdmin    smw_smwadmin_datarefreshbutton
/wiki/Special:SMWAdmin    smw_smwadmin_datarefreshdocu
/wiki/Special:SMWAdmin    smw_smwadmin_db
/wiki/Special:SMWAdmin    smw_smwadmin_dbbutton
/wiki/Special:SMWAdmin    smw_smwadmin_dbdocu
/wiki/Special:SMWAdmin    smw_smwadmin_docu
/wiki/Special:SMWAdmin    smw_smwadmin_installfile
/wiki/Special:SMWAdmin    smw_smwadmin_mediazilla
/wiki/Special:SMWAdmin    smw_smwadmin_permissionswarn
/wiki/Special:SMWAdmin    smw_smwadmin_questions
/wiki/Special:SMWAdmin    smw_smwadmin_smwhomepage
/wiki/Special:SMWAdmin    smw_smwadmin_support
/wiki/Special:SMWAdmin    smw_smwadmin_supportdocu
/wiki/Special:SMWAdmin    smw-sp-admin-settings-button
/wiki/Special:SMWAdmin    smw-sp-admin-settings-title

/wiki/Special:Types/(Page|Text|Geographic_coordinates|Boolean)    smw_typearticlecount
/wiki/Special:Types/(Page|Text|Geographic_coordinates|Boolean)    smw_type_header

/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_article
/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_go
/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_no_incoming
/w/i.php?-20in-20Flagged-20Revisions&printable=yes&title=Special:Browse/Summary:Support-2F-26quot;Deprecated-26quot%26-20in-20Flagged-20Revisions    smw_browse_no_outgoing

== Lqt ==
/w/i.php?title=Thread:Support/About_MediaWiki:Randomincategory-nopages/ar&lqt_method=thread_history    august
/w/i.php?title=Thread:Support/About_MediaWiki:Randomincategory-nopages/ar&lqt_method=thread_history    december
/w/i.php?title=Thread:Support/About_MediaWiki:Randomincategory-nopages/ar&lqt_method=thread_history    september

== MobileFrontend ==

Unescaped message mobile-frontend-diffview-comma
Unescaped message mobile-frontend-editor-unavailable
Unescaped message mobile-frontend-footer-sitename
Unescaped message mobile-frontend-copyright (might be obsolete?)

== Unsorted ==

Double escaped message scribunto-common-nosuchmodule
Unescaped message ajaxlogin-create
Unescaped message articlefeedbackv5-special-count-total
Unescaped message bibmanagercreate
Unescaped message bibmanagerimport
Unescaped message browsesw
Unescaped message categorytree-empty-bullet
Unescaped message colon-separator
Unescaped message gwtoolset-ensure-well-formed-xml
Unescaped message linkedwiki-specialsparqlquery_endpointsparql
Unescaped message linkedwiki-specialsparqlquery_sendquery
Unescaped message login
Unescaped message massaction-newtask (patch)
Unescaped message massaction-viewtask (patch)
Unescaped message pagedisqus-noscript
Unescaped message pagedisqus-title
Unescaped message pagetriage-welcome
Unescaped message scribunto-limitreport-memusage
Unescaped message scribunto-limitreport-memusage-value
Unescaped message scribunto-limitreport-timeusage
Unescaped message scribunto-limitreport-timeusage-value
Unescaped message size-megabytes
Unescaped message tags-create-explanation
Unescaped message timezoneselector-change-setting
Unescaped message wikibase-limitreport-entities-accessed
Unescaped message wikimedia-copyright
Unescaped message yourname
Unescaped message yourpassword

Event Timeline

Change 187479 merged by jenkins-bot:
Escape extra input messages on Special:UserLogin/signup

https://gerrit.wikimedia.org/r/187479

Umherirrender removed a subscriber: Umherirrender.

Change 193562 had a related patch set uploaded (by Umherirrender):
Add release-notes for message escaping

https://gerrit.wikimedia.org/r/193562

Change 193562 merged by jenkins-bot:
Add release-notes for message escaping

https://gerrit.wikimedia.org/r/193562

Change 222252 had a related patch set uploaded (by Nikerabbit):
Escape messages

https://gerrit.wikimedia.org/r/222252

Krinkle renamed this task from "Special pages, actions and views whose messages don't escape HTML" to "Special pages, actions and views whose messages don't escape text". Jul 9 2015, 12:05 PM
Krinkle updated the task description.

@Nikerabbit or @Nemo_bis - thank you for this comprehensive list. I'm confused about one item in the "SMW/SF" section, though - the very first one:

/w/i.php?title=User:Nike&action=formedit summary

The 'summary' message is called in SF's /includes/SF_FormUtils.php, and there the two relevant lines are:

$label = wfMessage( 'summary' )->text();

Html::element( 'label', array( 'for' => 'wpSummary' ), $label ) );

I would think that the element() call does the necessary escaping; is that not true?
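Added example, not code from this task, from Semantic Forms or from MediaWiki itself: a stand-alone PHP script with simplified stand-ins for MediaWiki's Message::text()/escaped() and Html::element()/rawElement() (the stand-in classes are an assumption that mirrors the documented semantics, with htmlspecialchars() used throughout). It renders one message through all four text/element pairings and classifies each result, so it shows which pairing leaves message text unescaped, which escapes it exactly once (the element() + text() combination used for 'summary' in the lines quoted above), and which escapes it twice, the "double escaped" symptom also listed in the task description.

```php
<?php
// Added example, not MediaWiki code. DemoMessage and DemoHtml are simplified
// stand-ins for MediaWiki's Message and Html classes (assumption: same contract,
// escaping done with htmlspecialchars()), used to show which call pairings
// leave message text unescaped, escape it once, or escape it twice.

final class DemoMessage {
    private string $text;

    // Stand-in for wfMessage( $key ): the "translation" is passed in directly.
    public function __construct( string $text ) {
        $this->text = $text;
    }

    // Message::text(): plain text; not safe to drop into HTML as-is.
    public function text(): string {
        return $this->text;
    }

    // Message::escaped(): text() run through HTML escaping; safe in an HTML context.
    public function escaped(): string {
        return htmlspecialchars( $this->text, ENT_QUOTES );
    }
}

final class DemoHtml {
    // Html::element(): escapes $contents itself, so it expects plain text.
    public static function element( string $tag, array $attrs, string $contents ): string {
        return self::rawElement( $tag, $attrs, htmlspecialchars( $contents, ENT_QUOTES ) );
    }

    // Html::rawElement(): inserts $contents verbatim, so it expects safe HTML.
    public static function rawElement( string $tag, array $attrs, string $contents ): string {
        $attrText = '';
        foreach ( $attrs as $name => $value ) {
            $attrText .= ' ' . $name . '="' . htmlspecialchars( $value, ENT_QUOTES ) . '"';
        }
        return "<$tag$attrText>$contents</$tag>";
    }
}

/**
 * Render $msg with each element/text pairing and classify the element body as
 * 'unescaped' (raw message text reached the HTML), 'ok' (escaped exactly once)
 * or 'double-escaped' (entities such as &amp;amp; will show up literally).
 */
function classifyPairings( DemoMessage $msg ): array {
    $once  = htmlspecialchars( $msg->text(), ENT_QUOTES );
    $twice = htmlspecialchars( $once, ENT_QUOTES );
    $cases = [
        'rawElement + text()'    => DemoHtml::rawElement( 'label', [], $msg->text() ),
        'element + text()'       => DemoHtml::element( 'label', [], $msg->text() ),
        'rawElement + escaped()' => DemoHtml::rawElement( 'label', [], $msg->escaped() ),
        'element + escaped()'    => DemoHtml::element( 'label', [], $msg->escaped() ),
    ];
    $verdicts = [];
    foreach ( $cases as $name => $html ) {
        // Strip the <label> wrapper so only the rendered message body is compared.
        $body = substr( $html, strlen( '<label>' ), -strlen( '</label>' ) );
        if ( $body === $once ) {
            $verdicts[$name] = 'ok';
        } elseif ( $body === $msg->text() ) {
            $verdicts[$name] = 'unescaped';
        } elseif ( $body === $twice ) {
            $verdicts[$name] = 'double-escaped';
        } else {
            $verdicts[$name] = 'unknown';
        }
    }
    return $verdicts;
}

// Constructed translation: a message that was edited on-wiki to contain markup
// and a bare ampersand, the kind of content a message key can carry at runtime.
$msg = new DemoMessage( 'Summary <b>bold</b> & notes' );
foreach ( classifyPairings( $msg ) as $pattern => $verdict ) {
    printf( "%-24s %s\n", $pattern, $verdict );
}
```

Run with php on the command line; the output marks "rawElement + text()" as unescaped, "element + text()" and "rawElement + escaped()" as ok, and "element + escaped()" as double-escaped. The rule it illustrates is that escaping must happen exactly once on the path from message text to HTML: either the Html helper escapes plain text, or an already-escaped string goes through a raw helper, never both and never neither.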

Nikerabbit added a comment (edited). Jul 10 2015, 11:15 AM

Maybe it is already fixed but nobody updated the bug? Currently on that URL I only see this:
Notice: Unescaped message sf-formedit-donotuseform in /www/dev.translatewiki.net/docroot/w/includes/OutputPage.php on line 2332

And
/wiki/Special:FormEdit/Support/User:Nike sf_formedit_formwarning

Nikerabbit updated the task description. Jul 10 2015, 11:27 AM

Change 224053 had a related patch set uploaded (by Nikerabbit):
Escape twnmp-bannerwho

https://gerrit.wikimedia.org/r/224053

Change 222252 merged by jenkins-bot:
Escape messages

https://gerrit.wikimedia.org/r/222252

Nemo_bis updated the task description. Jul 11 2015, 1:59 PM

Change 224053 merged by jenkins-bot:
Escape twnmp-bannerwho

https://gerrit.wikimedia.org/r/224053

Nikerabbit updated the task description. Jul 22 2015, 8:42 PM

@Nikerabbit - did you forget to remove "/wiki/Special:Forms sf_forms_docu" from the list? It's the last Semantic Forms message in there; and I'm pretty sure it's now escaped.

Nemo_bis updated the task description. Jul 23 2015, 9:26 AM
Yaron_Koren updated the task description. Jul 23 2015, 1:52 PM

I renamed the "SMW/SF" section to "Semantic MediaWiki".

So, I:

  • checked out https://gerrit.wikimedia.org/r/#/c/203299/ and set $wgDebugMessageEscaping = true; ;
  • enabled a bunch of extensions (P2014) on a web-inaccessible mediawiki-vagrant;
  • assigned all rights to unregistered users with foreach( User::getAllRights() as $right ) { $wgGroupPermissions['*'][$right] = true; };
  • attempted to open all special pages with curl http://localhost:8080/wiki/Special:SpecialPages > /tmp/SpecialPages.html; wget -O /dev/null -i /tmp/SpecialPages.html --force-html --base=http://localhost:8080/

I'll add the messages I get logged.
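Added example, not part of this task or of the crawl described above: a PHP command-line script that collects notices in the format quoted earlier in this thread ("Notice: Unescaped message <key> in <file> on line <n>") from a log and prints one "Unescaped message <key>" line per key, with hit count and reporting locations, in the form used by the task description. The sample log lines, file paths and line numbers embedded in it are constructed; reading the log from the first command-line argument is an assumption about how the script is invoked.

```php
<?php
// Added example, not MediaWiki or task code: aggregate the "Unescaped message"
// notices that a crawl of all special pages leaves in the PHP/debug log, so
// every message key is reported once together with the places that emitted it.

/**
 * Parse one log line of the form
 *   Notice: Unescaped message <key> in <file> on line <n>
 * Returns ['key' => ..., 'file' => ..., 'line' => ...], or null for other lines.
 */
function parseEscapeNotice( string $line ): ?array {
    if ( !preg_match( '/\bUnescaped message (\S+) in (\S+) on line (\d+)\b/', $line, $m ) ) {
        return null;
    }
    return [ 'key' => $m[1], 'file' => $m[2], 'line' => (int)$m[3] ];
}

/**
 * Group notices by message key: hit count plus sorted, de-duplicated
 * "file:line" locations. Keys come back in sorted order.
 */
function aggregateEscapeNotices( array $lines ): array {
    $byKey = [];
    foreach ( $lines as $line ) {
        $n = parseEscapeNotice( $line );
        if ( $n === null ) {
            continue; // not an escaping notice (deprecations, other PHP notices, ...)
        }
        $key = $n['key'];
        $loc = $n['file'] . ':' . $n['line'];
        if ( !isset( $byKey[$key] ) ) {
            $byKey[$key] = [ 'hits' => 0, 'locations' => [] ];
        }
        $byKey[$key]['hits']++;
        $byKey[$key]['locations'][$loc] = true; // set semantics: one entry per location
    }
    foreach ( $byKey as $key => $entry ) {
        $locs = array_keys( $entry['locations'] );
        sort( $locs );
        $byKey[$key]['locations'] = $locs;
    }
    ksort( $byKey );
    return $byKey;
}

/** Format the aggregate as lines in the style of the task description. */
function formatEscapeReport( array $byKey ): string {
    $out = '';
    foreach ( $byKey as $key => $entry ) {
        $out .= sprintf(
            "Unescaped message %s  (%d hit%s; %s)\n",
            $key,
            $entry['hits'],
            $entry['hits'] === 1 ? '' : 's',
            implode( ', ', $entry['locations'] )
        );
    }
    return $out;
}

// Read the log named on the command line, or fall back to a constructed sample.
// The paths and line numbers in the sample are made up for this example.
$lines = $argc > 1
    ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
    : [
        'Notice: Unescaped message sf-formedit-donotuseform in /srv/mw/includes/OutputPage.php on line 2332',
        'Notice: Unescaped message sf-formedit-donotuseform in /srv/mw/includes/OutputPage.php on line 2332',
        'Notice: Unescaped message smw_browse_go in /srv/mw/includes/OutputPage.php on line 2332',
        'Notice: Unescaped message smw_browse_go in /srv/mw/extensions/SMW/includes/SpecialBrowse.php on line 88',
        'Deprecated: unrelated notice in /srv/mw/includes/Other.php on line 1',
    ];
echo formatEscapeReport( aggregateEscapeNotices( $lines ) );
```

Because the notice is raised from the common output path, most hits point at the same OutputPage.php line; the message key is the useful part, and the aggregation keeps the occasional location inside an extension, which is where the fix actually belongs.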

Restricted Application added a subscriber: Steinsplitter.
Restricted Application added a subscriber: Matanya. Sep 12 2015, 8:18 PM
Nemo_bis updated the task description. Sep 13 2015, 10:53 AM

Thanks very much for the report. Filed as T112469: Fix unsanitized message in PageTriage, and I put a patch up.

Restricted Application added a project: Multimedia. Sep 24 2015, 9:54 PM
Restricted Application added a project: Commons. Dec 4 2015, 12:19 PM
zhuyifei1999 moved this task from Incoming to Backlog on the Commons board. Dec 5 2015, 5:01 AM

Can we add this to GCI? This was the description last year:

Escaping HTML is the first rule (https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) for improving security against cross-site scripting (https://en.wikipedia.org/wiki/Cross-site_scripting) attacks, which have been the most common cybersecurity threat for years, causing billions of dollars of damage. In this task, you will improve the security of MediaWiki by reducing its attack surface!

MediaWiki provides the Html class (https://www.mediawiki.org/wiki/Manual:Html.php) and i18n built-in escaping (https://www.mediawiki.org/wiki/Manual:Messages_API#Output_modes_and_escaping), but some areas of the code don't use them correctly (or at all). You will help fix them.

Pick one special page listed in the issue tracker (https://phabricator.wikimedia.org/T85864); clone the code and check all the usages of the message keys listed next to its name; fix them and submit your patch in Gerrit. The header tells the name of the repository; examples are available (https://gerrit.wikimedia.org/r/#/q/topic:esc+owner:Nikerabbit,n,z) of how your patches should look.

Can we add this to GCI?

I'd guess so, but it would require mentor(s)...

@Nikerabbit, interested in mentoring?

Until January 18th I cannot guarantee fast responses.

Restricted Application added a subscriber: Poyekhali. Jul 24 2016, 10:13 PM
Jdforrester-WMF lowered the priority of this task from Normal to Lowest. Aug 4 2016, 11:33 PM
Jdforrester-WMF added a subscriber: Jdforrester-WMF.

LiquidThreads has been replaced by StructuredDiscussions on all Wikimedia production wikis (except one, which will be done soon). It is no longer under active development or maintenance, so I'm re-classifying all open LQT tasks as "Lowest" priority.

Nemo_bis raised the priority of this task from Lowest to Normal. Aug 5 2016, 7:32 AM
Nemo_bis updated the task description. Nov 26 2016, 11:35 AM
Nikerabbit updated the task description. Nov 29 2016, 2:38 PM

Change 343117 had a related patch set (by Matěj Suchánek) published:
Escape text in Linker::specialLink()

https://gerrit.wikimedia.org/r/343117

Change 343117 merged by jenkins-bot:
[mediawiki/core@master] Escape text in Linker::specialLink()

https://gerrit.wikimedia.org/r/343117