Page MenuHomePhabricator
Create Task
Maniphest T268917

Messages userrights-expiry-current and userrights-expiry-none can contain raw html (CVE-2020-35475)
Closed, ResolvedPublicSecurity
Actions

Description

While working on T216348 I have found an issue with messages userrights-expiry-current and userrights-expiry-none

Added with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/328377 back in 1.29

						if ( $currentExpiry ) {
							$expiryFormatted = $uiLanguage->userTimeAndDate( $currentExpiry, $uiUser );
							$expiryFormattedD = $uiLanguage->userDate( $currentExpiry, $uiUser );
							$expiryFormattedT = $uiLanguage->userTime( $currentExpiry, $uiUser );
							$expiryHtml = $this->msg( 'userrights-expiry-current' )->params(
								$expiryFormatted, $expiryFormattedD, $expiryFormattedT )->text();
						} else {
							$expiryHtml = $this->msg( 'userrights-expiry-none' )->text();
						}

The code is using Message::text here as many other places in the same function, but all the other places are passing the text through Xml::element or similiar and gets escaped.
The both message here does not gets escaped.

The leak can happen when a user visits Special:UserRights which does not have rights to change all userrights and the table on the left side has unchangeable groups in it. The right column with the changable groups is not effected and escape correctly.

Details

SubjectRepoBranchLines +/-
Use Xml::element in SpecialUserrights for sanitymediawiki/coreREL1_35+5 -3
Use Xml::element in SpecialUserrights for sanitymediawiki/coreREL1_31+5 -3
Use Xml::element in SpecialUserrights for sanitymediawiki/coremaster+5 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Umherirrender created this task.Nov 28 2020, 2:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 28 2020, 2:18 PM
DannyS712 subscribed.Nov 28 2020, 3:31 PM
Reedy added a project: MediaWiki-User-management.Nov 28 2020, 6:48 PM
Reedy updated the task description. (Show Details)
Reedy triaged this task as High priority.Nov 30 2020, 4:24 PM
Reedy moved this task from Incoming to Watching on the Security-Team board.
sbassett subscribed.EditedNov 30 2020, 4:55 PM

Similar to T268894, this should be low-risk enough where it can be fixed publicly in gerrit with a benign commit message.

Umherirrender claimed this task.Dec 7 2020, 4:47 PM

Fixed with https://gerrit.wikimedia.org/r/c/mediawiki/core/+/646678

Could be public from my point of view

sbassett added a comment.EditedDec 7 2020, 4:50 PM
In T268917#6673715, @Umherirrender wrote:

Could be public from my point of view

Let's wait for the train deployments this week and then make this task public. Probably want to backport to 1.31 and 1.35 as well, if the patch applies.

sbassett mentioned this in T268894: Message recentchanges-legend-watchlistexpiry can contain raw html (CVE-2020-35474).Dec 7 2020, 4:58 PM
sbassett mentioned this in T268341: Possible XSS in SpecialGlobalUsage (CVE-2020-35622).Dec 7 2020, 5:04 PM
sbassett added a parent task: T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 7 2020, 5:07 PM
Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.21; 2020-12-08).Dec 7 2020, 5:20 PM
Reedy mentioned this in T263803: Tracking bug for MediaWiki 1.31.11/1.35.1.Dec 15 2020, 1:25 PM
Reedy added a subscriber: gerritbot.
gerritbot added a comment.Dec 15 2020, 1:26 PM

Change 649520 had a related patch set uploaded (by Reedy; owner: Umherirrender):
[mediawiki/core@REL1_31] Use Xml::element in SpecialUserrights for sanity

https://gerrit.wikimedia.org/r/649520

gerritbot added a project: Patch-For-Review.Dec 15 2020, 1:26 PM
Reedy closed this task as Resolved.Dec 15 2020, 1:27 PM
Reedy subscribed.

Closing for ease of tracking. Can/will be made public later

gerritbot added a comment.Dec 15 2020, 1:31 PM

Change 649520 merged by jenkins-bot:
[mediawiki/core@REL1_31] Use Xml::element in SpecialUserrights for sanity

https://gerrit.wikimedia.org/r/649520

gerritbot added a comment.Dec 15 2020, 1:35 PM

Change 649519 merged by jenkins-bot:
[mediawiki/core@REL1_35] Use Xml::element in SpecialUserrights for sanity

https://gerrit.wikimedia.org/r/649519

Reedy mentioned this in T263809: Obtain CVEs for 1.31.11/1.35.1 security releases.Dec 15 2020, 2:03 PM
Reedy renamed this task from Messages userrights-expiry-current and userrights-expiry-none can contains raw html to Messages userrights-expiry-current and userrights-expiry-none can contain raw html.Dec 15 2020, 4:11 PM
Reedy removed a project: Patch-For-Review.
Jdforrester-WMF added projects: MW-1.31-release-notes, MW-1.35-notes.Dec 15 2020, 4:34 PM
Reedy renamed this task from Messages userrights-expiry-current and userrights-expiry-none can contain raw html to Messages userrights-expiry-current and userrights-expiry-none can contain raw html (CVE-2020-35475).Dec 16 2020, 12:35 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2020, 12:24 AM
Reedy changed the edit policy from "Custom Policy" to "All Users".
sbassett added a project: Vuln-XSS.Mar 16 2021, 9:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL