Last modified: 2014-10-16 11:52:39 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T31506, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 29506 - [Regex] Incorrect escaping in Bugzilla wikilinks
Status: NEW
Product: Wikimedia
Classification: Unclassified
Component: Bugzilla (Other open bugs)
Version: unspecified
Hardware/OS: All All
Priority/Severity: Lowest normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2011-06-20 23:47 UTC by Bawolff (Brian Wolff)
Modified: 2014-10-16 11:52 UTC
CC: 4 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Bawolff (Brian Wolff) 2011-06-20 23:47:33 UTC
It looks like the Bugzilla extension used to format wikilinks might have an XSS, since it doesn't escape single quotes.

(I noticed this on bug 29406, and then further tested on bug 29095 - Bugzilla is a pain for not having a preview feature anywhere.)

Anyway, I think [[foo'onmouseover='alert(1)]] will do bad stuff (and if it doesn't, because I haven't overly tested this since it's hard to without a preview, I'm sure someone could come up with some other way of abusing the lack of escaping).

I think the proper fix would be (in http://svn.wikimedia.org/viewvc/mediawiki/trunk/tools/bugzilla/bugzilla-4.0/extensions/Wikimedia/Extension.pm?revision=88731&view=markup)

Changing line 61 from:

my $wikipedia_link = "[[<a href='http://en.wikipedia.org/w/index.php?title=Special:Search&go=Go&search=$tmp'>$tmp</a>]]";

to

my $wikipedia_link = "[[<a href=\"http://en.wikipedia.org/w/index.php?title=Special:Search&go=Go&search=$tmp\">$tmp</a>]]";

(Since " should be escaped, hopefully; again, this is hard to test without making garbage bugs. [[foo"bar]])
Comment 1 Bawolff (Brian Wolff) 2011-06-20 23:51:16 UTC
Ok, so I guess since = signs stop the magic [[ links, that's less exploitable. But it still seems rather scary that the ' in [[foo'bar]] is not escaped.
Comment 2 Brion Vibber 2011-06-21 00:16:02 UTC
CC'ing Priyanka for bugzilla issues/deployment.

Bawolff's suggested fix looks right; per doc at http://template-toolkit.org/docs/manual/Filters.html#section_html the underlying Template::Filters::html_filter() function that Bugzilla's html_quote() calls should escape " to &quot;, whereas it doesn't for '.
Comment 3 Brion Vibber 2011-06-21 00:16:59 UTC
(Though really the text should be better validated and also URL-escaped _before_ getting shoved through HTML escaping. But that's longstanding.)
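The before/after lines from the description and the URL-escaping point from comment 3, as an added Python model that is not code from Bugzilla or the Wikimedia extension: legacy_html_quote is an assumed stand-in for the four-character escape comment 2 describes, and anchor_attrs uses the standard-library HTML parser to show which attributes each rendering actually yields for the probe string quoted in the report.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed input: the probe string quoted in the bug description.
PAYLOAD = "foo'onmouseover='alert(1)"
SEARCH = "http://en.wikipedia.org/w/index.php?title=Special:Search&go=Go&search="

def legacy_html_quote(s: str) -> str:
    """Model (assumption) of Template::Filters::html_filter() as described in
    comment 2: escapes &, <, >, and " but leaves ' alone."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def link_before(tmp: str) -> str:
    """Line 61 as reported: single-quoted href around a value that keeps its '."""
    tmp = legacy_html_quote(tmp)
    return f"[[<a href='{SEARCH}{tmp}'>{tmp}</a>]]"

def link_after(tmp: str) -> str:
    """Bawolff's fix: double-quoted href, so the unescaped ' cannot close it."""
    tmp = legacy_html_quote(tmp)
    return f'[[<a href="{SEARCH}{tmp}">{tmp}</a>]]'

def link_hardened(tmp: str) -> str:
    """Comment 3's direction: URL-encode the term first, then HTML-escape the
    whole value (html.escape also covers '), safe under either quoting style."""
    href = SEARCH + quote(tmp, safe="")
    return f'[[<a href="{html.escape(href)}">{html.escape(tmp)}</a>]]'

class FirstAnchor(HTMLParser):
    """Collects the attributes of the first <a> tag as a browser would parse them."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = None
    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attrs(markup: str) -> dict:
    """Parsed attributes of the rendered link: a value that broke out of the
    href shows up here as an extra attribute such as onmouseover."""
    parser = FirstAnchor()
    parser.feed(markup)
    return parser.attrs or {}

if __name__ == "__main__":
    for name, fn in (("before", link_before), ("after", link_after), ("hardened", link_hardened)):
        print(name, sorted(anchor_attrs(fn(PAYLOAD))))
```

Only the first rendering yields an onmouseover attribute; the other two keep the whole probe string inside href, and the hardened one additionally percent-encodes it so the search term survives as data.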
Comment 4 Mark A. Hershberger 2011-08-02 02:00:19 UTC
There are tests in bz that scream bloody murder on the filters we have right now. I'll see if I can quiet them tomorrow.
Comment 5 Tim Starling 2011-10-11 22:23:24 UTC
Updating summary, component and priority to indicate that this is a correctness issue and is not an exploitable security issue. Reassigning to Chad.
Comment 6 Thehelpfulone 2012-06-22 19:18:40 UTC
Resetting to default per bug 37789
