| Grunny |
| Mar 20 2021, 3:59 PM |
| F34176637: T278014.patch |
| Mar 21 2021, 5:35 PM |
| F34175119: NewFilesXSS.png |
| Mar 20 2021, 3:59 PM |
Description
On Special:NewFiles, all the messages are output in HTML unescaped.
Steps to reproduce:
- Edit one of the messages (e.g. edit ) and add a simple XSS string like
- Visit Special:NewFiles and see the JavaScript executed
This happens because the form options is using the output format with , which is not escaped, rather than .
It's relatively low risk given it's admin-only, but filing as a private issue similar to T256171 and T255918.
Details
- Author Affiliation
- Wikimedia Communities
Related Objects
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Reedy | T270458 Release MediaWiki 1.31.13/1.35.2 | |||
| Resolved | Reedy | T270459 Tracking bug for MediaWiki 1.31.13/1.35.2 | |||
| Resolved | None | T2212 Some MediaWiki: messages not safe in HTML (tracking) | |||
| Resolved | Security | Grunny | T278014 CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles |
- Mentioned In
- T270459: Tracking bug for MediaWiki 1.31.13/1.35.2
T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) - Mentioned Here
- rMW2647cbc4a456: Add media type based filtering to Special:NewFiles
T255918: Unescaped message used in HTML on Special:Contributions (CVE-2020-25812)
T256171: Unescaped message used in HTML within LogEventsList (CVE-2020-25815)
Event Timeline
Proposed patch:
From 65b0d900790a2fc8b96007425ac9aa850e9fd6dd Mon Sep 17 00:00:00 2001 From: grunny <mwgrunny@gmail.com> Date: Sat, 20 Mar 2021 04:46:44 +1000 Subject: [PATCH] Escape mediastatistics-header-* messages on Special:NewFiles The mediastatistics-header-* messages used on Special:NewFiles currently allow raw HTML as raw options labels are output as raw HTML in forms. We could change these to use options-messages with the message keys, but it looks like this was done so the list could be alphabetised based on the labels and this wouldn't be in alphabetical order if we sorted on the message keys. Change-Id: I5f59ccf4c167756255952cfbf31a8d7891463e92 --- includes/specials/SpecialNewFiles.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/specials/SpecialNewFiles.php b/includes/specials/SpecialNewFiles.php index fc589f1..92798e0 100644 --- a/includes/specials/SpecialNewFiles.php +++ b/includes/specials/SpecialNewFiles.php @@ -155,7 +155,7 @@ class SpecialNewFiles extends IncludableSpecialPage { // mediastatistics-header-office, mediastatistics-header-text, // mediastatistics-header-executable, mediastatistics-header-archive, // mediastatistics-header-3d, - return $this->msg( 'mediastatistics-header-' . strtolower( $type ) )->text(); + return $this->msg( 'mediastatistics-header-' . strtolower( $type ) )->escaped(); }, $this->mediaTypes ); $mediaTypesOptions = array_combine( $mediaTypesText, $this->mediaTypes ); ksort( $mediaTypesOptions ); -- 2.7.4
As the commit message says, we could use options-messages, but it seems this was intended to allow the output list to be alphabetical, which this approach maintains.
Thanks Grunny.
Seems this might have been the case since rMW2647cbc4a456: Add media type based filtering to Special:NewFiles
Thanks again for the report and patch. Making this public and pushing through gerrit as low-risk.
Change 674083 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@master] Escape mediastatistics-header-* messages on Special:NewFiles
Change 674083 merged by jenkins-bot:
[mediawiki/core@master] Escape mediastatistics-header-* messages on Special:NewFiles
Change 674107 had a related patch set uploaded (by SBassett; owner: Grunny):
[mediawiki/core@REL1_35] Escape mediastatistics-header-* messages on Special:NewFiles
Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?
Change 674107 merged by jenkins-bot:
[mediawiki/core@REL1_35] Escape mediastatistics-header-* messages on Special:NewFiles
In T278014#6935629, @Grunny wrote:Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?
I would say likely, yes. However it's probably a good idea to continue filing these as private bugs so the Security-Team can review them (our weekly clinic meeting is Monday morning) just to verify they are indeed low-risk and to also time them well for the weekly train deployment, in getting pushed to gerrit.
In T278014#6935675, @sbassett wrote:In T278014#6935629, @Grunny wrote:Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?
I would say likely, yes. However it's probably a good idea to continue filing these as private bugs so the Security-Team can review them (our weekly clinic meeting is Monday morning) just to verify they are indeed low-risk and to also time them well for the weekly train deployment, in getting pushed to gerrit.
Sounds good, thanks!
Change 676795 had a related patch set uploaded (by Reedy; author: Grunny):
[mediawiki/core@REL1_31] Escape mediastatistics-header-* messages on Special:NewFiles
Change 676795 merged by jenkins-bot:
[mediawiki/core@REL1_31] Escape mediastatistics-header-* messages on Special:NewFiles