Page MenuHomePhabricator
Create Task
Maniphest T86643

WikiEditor interprets names of predefined Object prototype methods as valid language names
Closed, ResolvedPublic
Actions

Description

https://test.wikipedia.org/w/index.php?title=Sandbox&action=edit&debug=true&uselang=constructor

generates

TypeError: src.substr is not a function

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Use "obj.hasOwnProperty( prop )" instead of "prop in obj"mediawiki/extensions/WikiEditormaster+6 -3
Customize query in gerrit

Related Objects

Event Timeline

Fomafix created this task.Jan 13 2015, 12:33 PM
Fomafix claimed this task.
Fomafix raised the priority of this task from to Medium.
Fomafix updated the task description. (Show Details)
Fomafix added a project: WikiEditor (2010).
Fomafix changed Security from None to Software security bug.
Fomafix subscribed.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 13 2015, 12:33 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
Krenair added subscribers: Krenair, Krinkle.Jan 23 2015, 12:06 AM

I'm not sure how this could be exploited... But @Krinkle, should we have an Object.prototype.hasOwnProperty.call( object, ... ) check in autoLang?

Fomafix added a comment.Jan 25 2015, 4:24 PM

Both https://gerrit.wikimedia.org/r/186006 and https://gerrit.wikimedia.org/r/184619 fixes this bug in WikiEditor. @gerritbot has possible no rights to post here.

I didn't find a possibility to exploit this bug.

Legoktm added a project: Patch-For-Review.Jan 25 2015, 5:11 PM
Legoktm subscribed.
matmarex removed a project: Patch-For-Review.Feb 5 2015, 12:34 PM
matmarex changed Security from Software security bug to None.
matmarex changed the visibility from "Custom Policy" to "Public (No Login Required)".
matmarex changed the edit policy from "Custom Policy" to "All Users".
gerritbot subscribed.Feb 5 2015, 12:37 PM

Change 184619 merged by jenkins-bot:
Use "obj.hasOwnProperty( prop )" instead of "prop in obj"

https://gerrit.wikimedia.org/r/184619

matmarex closed this task as Resolved.Feb 5 2015, 12:39 PM
matmarex subscribed.

Not a security issue, thankfully.

matmarex mentioned this in T88681: "Security" values no longer updates visibility/editability policies when changed on existing bugs?.Feb 5 2015, 12:39 PM
matmarex mentioned this in rEWED78bdeffcc667: Use "obj.hasOwnProperty( prop )" instead of "prop in obj".Feb 5 2015, 1:20 PM
Fomafix mentioned this in rMEXT5fd9b94e34f4: Updated mediawiki/extensions Project: mediawiki/extensions/WikiEditor….Mar 11 2015, 6:25 AM
GOIII moved this task from Backlog to Closed on the WikiEditor (2010) board.Apr 3 2016, 9:53 AM
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptApr 3 2016, 9:53 AM
Fomafix removed a project: acl*security.Apr 3 2016, 10:54 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits