Page MenuHomePhabricator
Create Task
Maniphest T88171

Overall security review of Popups/Hovercards extension
Closed, ResolvedPublic
Actions

Description

Overall security of the extension before we make it the default behavior on Chinese, Greek and Catalan wikipedia.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add missing HTML escaping to all existing page preview typesmediawiki/extensions/Popupsmaster+76 -13
settings: Use .text() instead of .html() for option's labelmediawiki/extensions/Popupsmaster+1 -1
renderer.article: Ignore thumnail if the URL has suspicious charactersmediawiki/extensions/Popupsmaster+9 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Prtksxna created this task.Jan 30 2015, 11:23 PM
Prtksxna raised the priority of this task from to High.
Prtksxna updated the task description. (Show Details)
Prtksxna added a project: Page-Previews.
Prtksxna added subscribers: Aklapper, Prtksxna.
Se4598 added a project: deprecated-security-team-reviews.Jan 31 2015, 12:32 AM
Se4598 set Security to None.
Aklapper renamed this task from Overall security review to Overall security review of Popups/Hovercards extension.Feb 2 2015, 6:30 PM
Jaredzimmerman-WMF moved this task from Backlog to Next Up on the Page-Previews board.Feb 3 2015, 9:52 PM
Prtksxna added a subscriber: Jaredzimmerman-WMF.Feb 7 2015, 1:31 AM

@Jaredzimmerman-WMF, did you get a chance to schedule this?

Liuxinyu970226 subscribed.Feb 8 2015, 4:30 AM
MZMcBride subscribed.Feb 11 2015, 7:03 AM
Ricordisamoa subscribed.Feb 11 2015, 7:59 AM
Jaredzimmerman-WMF added a subscriber: csteipp.Mar 4 2015, 12:55 AM
csteipp added a comment.Mar 16 2015, 11:32 PM

Just to confirm, this is Extension:Popups (https://gerrit.wikimedia.org/r/p/mediawiki/extensions/Popups.git), right?

Prtksxna added a comment.Mar 16 2015, 11:47 PM
In T88171#1123797, @csteipp wrote:

Just to confirm, this is Extension:Popups (https://gerrit.wikimedia.org/r/p/mediawiki/extensions/Popups.git), right?

Yup!

csteipp added a comment.Mar 23 2015, 8:23 PM

Looks much better this time around!

  • ext.popups.renderer.article.js

In createImgThumbnail, it's unlikely (but not guaranteed) that the thumbnail url will include \, ), or " characters, which would allow someone to inject css, which could inject javascript. Either bail out if you find those, or urlenode them.

  • ext.popups.settings.js

In renderOption, you're passing content[1] into .html without validating it. Do you need to generate html there? If not, use .text. If you do need html, document that the parameter is html, and make sure that you're escaping any inputs-- e.g., in settings.render you should pass mw.message( ... ).escaped() instead of .text().

gerritbot subscribed.Mar 24 2015, 8:07 AM

Change 199210 had a related patch set uploaded (by Prtksxna):
settings: Use .text() instead of .html() for option's label

https://gerrit.wikimedia.org/r/199210

gerritbot added a project: Patch-For-Review.Mar 24 2015, 8:07 AM

Change 199211 had a related patch set uploaded (by Prtksxna):
renderer.article: Ignore thumnail if the URL has suspicious characters

https://gerrit.wikimedia.org/r/199211

Prtksxna added a comment.Mar 24 2015, 8:12 AM
In T88171#1142736, @csteipp wrote:

Looks much better this time around!

Thanks for reviewing @csteipp!

In createImgThumbnail, it's unlikely (but not guaranteed) that the thumbnail url will include \, ), or " characters, which would allow someone to inject css, which could inject javascript. Either bail out if you find those, or urlenode them.

https://gerrit.wikimedia.org/r/199211

I now check the thumbnail.source at article.createThumbnail and return a <span> if those characters are found. Neither article.createSvgImageThumbnail nor article.createImgThumbnail is called with such a URL now. Would you rather have me returning the <span> from the respective functions instead?

In renderOption, you're passing content[1] into .html without validating it. Do you need to generate html there? If not, use .text. If you do need html, document that the parameter is html, and make sure that you're escaping any inputs-- e.g., in settings.render you should pass mw.message( ... ).escaped() instead of .text().

https://gerrit.wikimedia.org/r/199210
Done!

gerritbot added a comment.Mar 26 2015, 10:33 AM

Change 199211 merged by jenkins-bot:
renderer.article: Ignore thumnail if the URL has suspicious characters

https://gerrit.wikimedia.org/r/199211

Diffusion mentioned this in rMEXT429b9b7c61ea: Updated mediawiki/extensions Project: mediawiki/extensions/Popups….Mar 26 2015, 10:34 AM
gerritbot added a comment.Mar 26 2015, 10:34 AM

Change 199210 merged by jenkins-bot:
settings: Use .text() instead of .html() for option's label

https://gerrit.wikimedia.org/r/199210

Diffusion mentioned this in rMEXT254dda2d0aaf: Updated mediawiki/extensions Project: mediawiki/extensions/Popups….Mar 26 2015, 10:35 AM
Prtksxna mentioned this in rEPOP42d0347582b1: renderer.article: Ignore thumnail if the URL has suspicious characters.Mar 26 2015, 10:35 AM
Prtksxna mentioned this in rEPOP3b82fb60d965: settings: Use .text() instead of .html() for option's label.
Prtksxna added a comment.Mar 26 2015, 10:44 AM

I have recently submitted a patch for T93720: In Hovercards, HTML is sometimes showing, e.g. apostrophes are shown as &#039;, which needs your review — https://gerrit.wikimedia.org/r/#/c/199840/

Prtksxna moved this task from Next Up to For Review on the Page-Previews board.Mar 27 2015, 12:31 AM
Prtksxna added a comment.Apr 1 2015, 4:29 AM

@csteipp, can we close this issue now?

csteipp closed this task as Resolved.Apr 1 2015, 8:50 PM
csteipp claimed this task.
Liuxinyu970226 unsubscribed.Apr 2 2015, 1:10 AM
Quiddity moved this task from For Review to Done on the Page-Previews board.Jun 21 2015, 10:49 PM
gerritbot added a comment.Jan 28 2019, 9:14 AM

Change 486844 had a related patch set uploaded (by Thiemo Kreuz (WMDE); owner: Thiemo Kreuz (WMDE)):
[mediawiki/extensions/Popups@master] Add missing HTML escaping to all existing page preview types

https://gerrit.wikimedia.org/r/486844

gerritbot added a comment.Jan 30 2019, 5:38 PM

Change 486844 merged by jenkins-bot:
[mediawiki/extensions/Popups@master] Add missing HTML escaping to all existing page preview types

https://gerrit.wikimedia.org/r/486844

sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:40 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits