Last modified: 2012-04-12 13:56:08 UTC

Bug 28534 - XSS in MediaWiki API (through invalid property name)
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: 1.16.x
Hardware: All
OS: All
Importance: Highest normal
Target Milestone: ---
Assigned To: Tim Starling
URL: http://www.mediawiki.org/w/api%2Ephp?...
Depends on:
Blocks:

Reported: 2011-04-14 09:51 UTC by Masato Kinugawa
Modified: 2012-04-12 13:56 UTC
CC: 5 users

See Also: ---
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description Masato Kinugawa 2011-04-14 09:51:22 UTC
At least, it still works on IE6 from the following URL.

http://www.mediawiki.org/w/api%2Ephp?action=query&meta=siteinfo&format=json&siprop=%3Cbody%20onload=alert(1)%3E.shtml
Comment 1 Tim Starling 2011-04-14 10:04:37 UTC
Please tell me this is the last one.
Comment 2 Mark A. Hershberger 2011-04-26 21:27:28 UTC
This has been fixed in 1.16.4, I think. Tim, could you close it, if so?
Comment 3 Tim Starling 2011-04-27 13:47:28 UTC
No, it's not fixed.
Comment 4 Tim Starling 2011-04-27 15:15:22 UTC
One possibility is 

/\.[^\\/:\*\?\"<>|]+(#|\?|$)/i

This was suggested by Reedy based on the characters that are not allowed in Windows paths. I'm wondering if it's a good idea to allow the percent symbol:

/\.[^\\/:\*\?\"<>|%]+(#|\?|$)/i

This would make it less likely that innocuous plain text at the end of a query string would be disallowed, in URLs such as:

<http://www.mediawiki.org/w/api.php?action=parse&text=Sentence%20one.%20Sentence%20two>

In theory, file extensions can contain percent symbols, but in practice this doesn't seem to be done.
Comment 5 Roan Kattouw 2011-04-27 15:22:09 UTC
(In reply to comment #4)
> In theory, file extensions can contain percent symbols, but in practice this
> doesn't seem to be done.
Allowing it sounds safe enough. The percent sign being a very obscure character in extensions makes it very unlikely it would be associated with a dangerous MIME type.
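To see what the two patterns proposed in comment 4 actually accept and reject, here is an added example, not MediaWiki's code and not the r85844 fix series, that applies both regexes to the attack URL from the report and to the innocuous parse URL Tim gives. Assumptions that are not in the thread: the check runs over the raw request URI, the script's own "php" extension is whitelisted so ordinary api.php requests are not rejected, every dot-initiated run in the URI is tested rather than only the first, and the foo.sh%74ml input is constructed here to show the trade-off of excluding the percent sign.

```python
import re

# The two candidate patterns from comment 4, with one capture group added
# around the extension body so that the match can be reported. The character
# class is the set of characters Windows does not allow in file names.
PERMISSIVE = re.compile(r'\.([^\\/:\*\?\"<>|]+)(#|\?|$)', re.I)

# Tim's variant: '%' is excluded as well, so a dot followed by a
# percent-encoded byte (".%20" in "Sentence one. Sentence two") is not
# treated as the start of an extension.
STRICT = re.compile(r'\.([^\\/:\*\?\"<>|%]+)(#|\?|$)', re.I)


def extension_candidates(request_uri, allow_percent=True):
    """Return every run the chosen pattern would treat as a file extension.

    finditer() is used so a later dot in the query string is still seen
    after the script's own ".php?" has matched (assumption: the filter
    examines the whole URI, not just the first dot).
    """
    pattern = PERMISSIVE if allow_percent else STRICT
    return [m.group(1) for m in pattern.finditer(request_uri)]


def is_blocked(request_uri, allow_percent=True, ext_whitelist=("php",)):
    """True if any candidate extension is not on the whitelist.

    The whitelist of the script extension is an assumption made here so
    that "api.php?" itself does not trigger the filter.
    """
    allowed = {e.lower() for e in ext_whitelist}
    return any(c.lower() not in allowed
               for c in extension_candidates(request_uri, allow_percent))


# Sample request URIs. The first two are the path and query part of the
# URLs quoted in the report (comment 0 and comment 4); the third is a
# constructed input with a percent-encoded byte inside the extension.
ATTACK = ("/w/api%2Ephp?action=query&meta=siteinfo&format=json"
          "&siprop=%3Cbody%20onload=alert(1)%3E.shtml")
INNOCUOUS = "/w/api.php?action=parse&text=Sentence%20one.%20Sentence%20two"
ENCODED_EXT = "/w/api.php?action=query&titles=foo.sh%74ml"  # constructed


if __name__ == "__main__":
    for name, uri in (("attack", ATTACK), ("innocuous", INNOCUOUS),
                      ("encoded", ENCODED_EXT)):
        for allow in (True, False):
            label = "permissive" if allow else "strict"
            print(f"{name:9} {label:10} candidates={extension_candidates(uri, allow)} "
                  f"blocked={is_blocked(uri, allow)}")
```

Note that the report's URL percent-encodes the dot in api.php, so the only literal dot in it is the attacker's ".shtml": both patterns reject it. On the parse URL the permissive pattern picks up "%20Sentence%20two" as an extension and rejects a harmless request, while the strict pattern lets it through; the price, as comment 5 accepts, is that an extension containing a percent sign (the constructed "sh%74ml") is not flagged by the strict pattern.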
Comment 6 p858snake 2011-05-07 09:15:34 UTC
Marking fixed; 1.16.5 was pushed the other day.
Comment 7 Brion Vibber 2011-06-07 18:13:58 UTC
Fixes are in r85844 and following; there are still serious outstanding bugs in 1.16.x & 1.17 beta releases caused by the fix series.

Latest updates on r89397 and r89558 may help reduce the false positives, but probably needs a quick test survey to confirm that things are ok.
Comment 8 Mark A. Hershberger 2011-06-15 19:47:28 UTC
It looks like Tim has been doing most of the work on this to fix the problem, updating the assignee to reflect that. Looks like this is actually fixed, too, since the fixes mentioned in Comment #7 have been merged.

I'm sure you know how to reopen this if I'm wrong ;)
