Last modified: 2009-10-28 19:10:08 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T20236, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 18236 - potentially insecure message in Extension:regexBlock
Status: RESOLVED INVALID
Product: MediaWiki extensions
Classification: Unclassified
Component: RegexBlock
Version: unspecified
Hardware: All All
Importance: Normal enhancement with 1 vote
Assigned To: Nobody - You can work on this!

Reported: 2009-03-28 21:32 UTC by Purodha Blissenbach
Modified: 2009-10-28 19:10 UTC

Description Purodha Blissenbach 2009-03-28 21:32:27 UTC
In Extension:regexBlock, there is a message regexblock-unblock-error having a parameter $1 which is an invalid (nonexisting) user name. Likely, it should be enclosed in a <nowiki> tag in the message, since it may include arbitrary code.
Comment 1 Chad H. 2009-03-28 21:36:54 UTC
Not sure it's an issue. The message is escaped with htmlspecialchars, which removes any injection threats.
Comment 2 Siebrand Mazeland 2009-03-28 21:39:58 UTC
Closed invalid per comment 1.
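
The escaping that comment 1 refers to, sketched as an added example (this is not RegexBlock's or MediaWiki's code): the $1 parameter is passed through htmlspecialchars before it is substituted into the message. The template wording, the function names and the sample user name are constructed for illustration.

```php
<?php
// Added illustration, not code from RegexBlock or MediaWiki.
// Constructed stand-in for the regexblock-unblock-error text; the real
// wording of that message is not shown on this page.
const TEMPLATE = 'Could not unblock "$1": no such user.';

/** Substitute $1 without escaping: markup in the name reaches the page as markup. */
function renderRaw(string $template, string $name): string
{
    return str_replace('$1', $name, $template);
}

/** HTML-escape the name first, so it is displayed as literal text. */
function renderEscaped(string $template, string $name, int $flags = ENT_QUOTES): string
{
    return str_replace('$1', htmlspecialchars($name, $flags, 'UTF-8'), $template);
}

// Constructed input: a "user name" containing markup, an ampersand and both quote styles.
$name = '<b>Mallory</b> & "it\'s"';

echo "raw:        ", renderRaw(TEMPLATE, $name), PHP_EOL;
echo "ENT_QUOTES: ", renderEscaped(TEMPLATE, $name), PHP_EOL;

// ENT_COMPAT was the default flag set before PHP 8.1. It escapes <, >, & and
// double quotes but leaves single quotes alone, which only matters if the
// message ends up inside a single-quoted HTML attribute.
echo "ENT_COMPAT: ", renderEscaped(TEMPLATE, $name, ENT_COMPAT), PHP_EOL;

// Regression check: after escaping with ENT_QUOTES, none of the characters
// that can open a tag or close an attribute value survive in the parameter.
$escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
if (strpbrk($escaped, '<>"\'') !== false) {
    throw new RuntimeException('parameter still contains HTML metacharacters');
}
echo "check passed: parameter is inert in element and attribute context", PHP_EOL;
```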
