Escape regular expressions in Quiz
Closed, ResolvedPublicPRODUCTION ERROR
Actions

Assigned To

Authored By

	• demon
	Apr 23 2015, 8:57 PM

Description

The following is spotted in production:

1 Unknown modifier 'k': [`^Ma`i ko`u hoaaloha \(i\)$`i] in /srv/mediawiki/php-1.26wmf2/extensions/Quiz/Quiz.class.php on line 765

Line 765 is a preg_match() call, one of over 20 regular expression uses this extension. I don't see any calls to preg_quote() anywhere so I imagine user input is ending up unescaped into regular expression functions. As in the above example this allows users to craft input that allows for changing modifiers of the regular expression (/e anyone?).

The extension should be audited to fix this and any other (likely) unescaped regular expression issues.

Related Objects
Search...

		Status	Subtype	Assigned	Task
					Restricted Task
		Resolved	PRODUCTION ERROR	• dpatrick	T97083 Escape regular expressions in Quiz

Event Timeline

• demon created this task.Apr 23 2015, 8:57 PM

• demon raised the priority of this task from to Needs Triage.

• demon updated the task description. (Show Details)

• demon added projects: MediaWiki-extensions-Quiz, Wikimedia-production-error, Security-Extensions, deprecated-security-team-reviews, acl*security.

• demon changed the visibility from "Public (No Login Required)" to "Custom Policy".

• demon changed the edit policy from "All Users" to "Custom Policy".

• demon changed Security from None to Software security bug.

• demon subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 23 2015, 8:57 PM

• demon updated the task description. (Show Details)Apr 23 2015, 8:58 PM

• demon updated the task description. (Show Details)

I don't think this will lead to code execution, since Quiz only does those for preg_match and not preg_replace. But definitely a DoS vector (https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).

Should be safe to just preg_quote the user input.

Public bug is T89104 and patch: https://gerrit.wikimedia.org/r/#/c/209153/

Legoktm merged a task: Restricted Task.May 6 2015, 1:20 AM

Legoktm added subscribers: gerritbot, hashar.

Legoktm added a subscriber: hoo.

hashar unsubscribed.May 6 2015, 9:15 AM

• csteipp removed a project: deprecated-security-team-reviews.May 21 2015, 10:06 PM

• dpatrick renamed this task from Quiz needs security review for proper regular expression escaping to Escape regular expressions in Quiz.May 21 2015, 10:07 PM

• dpatrick claimed this task.

• dpatrick triaged this task as Medium priority.

• dpatrick closed this task as Resolved.May 21 2015, 10:11 PM

• dpatrick added a parent task: Restricted Task.

I'm not sure if this blocks 1.24.3?

@demon We added that blocker just to indicate that this fix should be included in the 1.24.3 release.

Since it's WMF deployed, I'm assuming we would mention it in the next release before making this bug public. Just so 3rd parties aren't caught unaware. But I'm happy to go with whatever releng wants to do.

• demon moved this task from Untriaged to Resolved on the Wikimedia-production-error board.Jun 12 2015, 6:34 PM

• demon mentioned this in T100211: Reset of transcode does not queue new transcode.Jul 14 2015, 1:05 AM

• csteipp added subscribers: Grunny, ProgramCeltic.Aug 7 2015, 6:33 PM

• csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 10:00 PM

• csteipp changed the edit policy from "Custom Policy" to "All Users".

• csteipp changed Security from Software security bug to None.

Ricordisamoa subscribed.Aug 10 2015, 11:44 PM

• csteipp added a project: Vuln-DoS.Aug 20 2015, 9:31 PM

CVE-2015-6736 was assigned for this.

• mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:12 PM

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM