Last modified: 2014-10-16 11:52:39 UTC
It looks like the bugzilla extension used to format wikilinks might have an XSS since it doesn't escape single quotes. (I noticed this on bug 29406, and then further tested on bug 29095 - bugzilla is a pain for not having a preview feature anywhere). Anyways, I think [[foo'onmouseover='alert(1)]] will do bad stuff (and if it doesn't, because I haven't overly tested this since it's hard to without preview, I'm sure someone could come up with some other way of abusing the lack of escaping). I think the proper fix would be (in http://svn.wikimedia.org/viewvc/mediawiki/trunk/tools/bugzilla/bugzilla-4.0/extensions/Wikimedia/Extension.pm?revision=88731&view=markup ) changing line 61 from:

my $wikipedia_link = "[[<a href='http://en.wikipedia.org/w/index.php?title=Special:Search&go=Go&search=$tmp'>$tmp</a>]]";

to

my $wikipedia_link = "[[<a href=\"http://en.wikipedia.org/w/index.php?title=Special:Search&go=Go&search=$tmp\">$tmp</a>]]";

(Since " should be escaped, hopefully; again, this is hard to test without making garbage bugs. [[foo"bar]])
Ok, so I guess since = signs stop the magic [[ links, that's less exploitable. But it still seems rather scary that the ' in [[foo'bar]] is not escaped.
CC'ing Priyanka for bugzilla issues/deployment. Bawolff's suggested fix looks right; per doc at http://template-toolkit.org/docs/manual/Filters.html#section_html the underlying Template::Filters::html_filter() function that Bugzilla's html_quote() calls should escape " to &quot;, whereas it doesn't for '.
(Though really the text should be better validated and also URL-escaped _before_ getting shoved through HTML escaping. But that's longstanding.)
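To make the quoting point concrete, here is an added Python example (not code from Bugzilla or the Wikimedia extension) that reproduces the escaping the cited Template Toolkit docs describe (assumed: &, <, >, " are escaped and ' is not), builds the link in the original single-quoted form, in Bawolff's double-quoted form, and in a URL-encoded-then-HTML-escaped form, and lists which attributes an attribute parser actually sees on the resulting tag.

```python
import html
import re
from urllib.parse import quote

# Assumed model of Template::Filters::html_filter() per the docs cited above:
# escapes &, <, >, " and leaves the single quote untouched.
def tt_html_filter(s: str) -> str:
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

SEARCH = "http://en.wikipedia.org/w/index.php?title=Special:Search&go=Go&search="

def link_single_quoted(title: str) -> str:
    # Shape of the original line 61: single-quoted href, title HTML-filtered only.
    tmp = tt_html_filter(title)
    return f"[[<a href='{SEARCH}{tmp}'>{tmp}</a>]]"

def link_double_quoted(title: str) -> str:
    # Shape of the suggested fix: double-quoted href, and " is escaped by the filter.
    tmp = tt_html_filter(title)
    return f'[[<a href="{SEARCH}{tmp}">{tmp}</a>]]'

def link_hardened(title: str) -> str:
    # Brion's further point: URL-encode the search term first, then HTML-escape
    # the whole attribute value; the visible text is HTML-escaped separately.
    href = SEARCH + quote(title, safe="")
    return f'[[<a href="{html.escape(href)}">{html.escape(title)}</a>]]'

# Attribute scanner used to check how many attributes the <a> tag ends up with.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

def attribute_names(markup: str) -> list[str]:
    tag = re.search(r"<a\s+([^>]*)>", markup).group(1)
    return [m.group(1) for m in ATTR_RE.finditer(tag)]

if __name__ == "__main__":
    probe = "foo'onmouseover='alert(1)"   # the probe string quoted in the report
    for build in (link_single_quoted, link_double_quoted, link_hardened):
        print(build.__name__, attribute_names(build(probe)))
```

Only the single-quoted form yields a second attribute; the double-quoted and hardened forms keep the whole probe inside href.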
There are tests in bz that scream bloody murder on the filters we have right now. I'll see if I can quiet them tomorrow.
Updating summary, component and priority to indicate that this is a correctness issue and is not an exploitable security issue. Reassigning to Chad.
Resetting to default per bug 37789