Last modified: 2013-01-23 16:34:01 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T37447, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 35447 - url related parser functions allow someone to mess with strip markers
url related parser functions allow someone to mess with strip markers
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Parser (Other open bugs)
unspecified
All All
: High normal (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch-need-review
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-03-24 03:36 UTC by Bawolff (Brian Wolff)
Modified: 2013-01-23 16:34 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
patch to rm markers from arguments to url functions. (2.35 KB, patch)
2012-03-24 03:36 UTC, Bawolff (Brian Wolff) 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Bawolff (Brian Wolff) 2012-03-24 03:36:21 UTC 
Created attachment 10320 [details]
patch to rm markers from arguments to url functions.

[See bug 35315]
Sorry i didn't notice this earlier, before the recent security release.

The url functions get rid of the U+007f (since its a control character). Once that happens, padleft et all can be used to manipulate the strip marker and find Parser::randomString's output.

The example exploit from bug 35315 modified to use the url functions (and assuming presence of wikipedia's crazy string manipulation library) would look like:

<nowiki>','',''); alert("XSS",')</nowiki>


{{#tag:charinsert|{{str_right|{{str_left|{{fullurl:foo|<nowiki/>}}|70}}|42}}00000002-QINU}}

(Of course this no longer works given the patch to charinsert, but it seems bad in general to allow people to manipulate these markers.)


The fix for this is of course just adding the killMarkers to the url function, patch attached.
Comment 1 Tim Starling 2012-11-01 00:27:37 UTC 
Lua allows people to mess with strip markers in a more general way, but my review of the issue in that context concluded that the things that can go wrong are pretty minor. I fixed the infinite loop issue, so that we could allow Lua to modify strip markers. So I'm marking this as not a security issue.
Comment 2 Andre Klapper 2013-01-23 13:38:14 UTC 
(In reply to comment #0)
> Created attachment 10320 [details]
> patch to rm markers from arguments to url functions.

bawolff: If the patch still makes sense it would probably be good to get this into Gerrit.
Comment 3 Bawolff (Brian Wolff) 2013-01-23 16:34:01 UTC 
Tim did something similar in 13b514edaec25ff24c
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links