Page MenuHomePhabricator

Escape regular expressions in Quiz
Closed, ResolvedPublic

Description

The following is spotted in production:

1 Unknown modifier 'k': [`^Ma`i ko`u hoaaloha \(i\)$`i] in /srv/mediawiki/php-1.26wmf2/extensions/Quiz/Quiz.class.php on line 765

Line 765 is a preg_match() call, one of over 20 regular expression uses this extension. I don't see any calls to preg_quote() anywhere so I imagine user input is ending up unescaped into regular expression functions. As in the above example this allows users to craft input that allows for changing modifiers of the regular expression (/e anyone?).

The extension should be audited to fix this and any other (likely) unescaped regular expression issues.

Event Timeline

demon created this task.Apr 23 2015, 8:57 PM
demon raised the priority of this task from to Needs Triage.
demon updated the task description. (Show Details)
demon changed the visibility from "Public (No Login Required)" to "Custom Policy".
demon changed the edit policy from "All Users" to "Custom Policy".
demon changed Security from None to Software security bug.
demon added a subscriber: demon.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 23 2015, 8:57 PM
demon updated the task description. (Show Details)Apr 23 2015, 8:58 PM
demon updated the task description. (Show Details)

I don't think this will lead to code execution, since Quiz only does those for preg_match and not preg_replace. But definitely a DoS vector (https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).

Should be safe to just preg_quote the user input.

Legoktm merged a task: Restricted Task.May 6 2015, 1:20 AM
Legoktm added subscribers: gerritbot, hashar.
Legoktm added a subscriber: hoo.
hashar removed a subscriber: hashar.May 6 2015, 9:15 AM
dpatrick renamed this task from Quiz needs security review for proper regular expression escaping to Escape regular expressions in Quiz.May 21 2015, 10:07 PM
dpatrick claimed this task.
dpatrick triaged this task as Normal priority.
dpatrick closed this task as Resolved.May 21 2015, 10:11 PM
dpatrick added a parent task: Restricted Task.

I'm not sure if this blocks 1.24.3?

dpatrick added a comment.EditedMay 21 2015, 11:21 PM

@demon We added that blocker just to indicate that this fix should be included in the 1.24.3 release.

Since it's WMF deployed, I'm assuming we would mention it in the next release before making this bug public. Just so 3rd parties aren't caught unaware. But I'm happy to go with whatever releng wants to do.

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 10:00 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

CVE-2015-6736 was assigned for this.

mmodell changed the subtype of this task from "Task" to "Production Error".Aug 28 2019, 11:12 PM