
i18n-xss vectors on Special:SecurePoll
Closed, Resolved · Public · Security

Description

Steps to reproduce

  1. Add $wgUseXssLanguage = true; to your LocalSettings.php (a new feature from T340201)
  2. Install the SecurePoll extension
  3. Load http://localhost:8080/wiki/Special:SecurePoll?uselang=x-xss

On this page there are several alerts that appear with the text being from the following:

  • march (suggesting an unescaped ::userDate call)
  • pipe-separator
  • securepoll-subpage-archive

Event Timeline

This seems similar to T347708 in that it's also related to Phan taint check not being able to check the Pager class hierarchy very well.

Uploaded a (public) patch as only the message processing is affected (and not arguments to messages, which could be user-controlled) and that is always treated as low risk

> This seems similar to T347708 in that it's also related to Phan taint check not being able to check the Pager class hierarchy very well.

There is T347787 to track that further.

> Uploaded a (public) patch as only the message processing is affected (and not arguments to messages, which could be user-controlled) and that is always treated as low risk

Change set: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SecurePoll/+/974684

Happy to +2 that if nobody else does, but like @Daimona, I'm not a maintainer of the repo.

Change 974684 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@master] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/974684

Change 975043 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/SecurePoll@REL1_41] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/975043

Change 975044 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/SecurePoll@REL1_40] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/975044

Change 975045 had a related patch set uploaded (by Umherirrender; author: Umherirrender):

[mediawiki/extensions/SecurePoll@REL1_39] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/975045

Change 975045 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_39] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/975045

Change 975044 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_40] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/975044

Change 975043 merged by jenkins-bot:

[mediawiki/extensions/SecurePoll@REL1_41] Fix non-escaped messages returned by TablePager::formatValue

https://gerrit.wikimedia.org/r/975043

I think this task can be made public and closed now? I can't seem to get any alerts to appear by following the steps to reproduce.

sbassett triaged this task as Low priority.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
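
The pattern named in the fix title ("non-escaped messages returned by TablePager::formatValue"), as an added self-contained PHP illustration. It is not SecurePoll or MediaWiki code: `testMessage()`, the field names and the marker markup are constructed stand-ins for the `x-xss` test language, and `liveMessageKeys()` is a hypothetical check that reports which message keys reach the output as live markup.

```php
<?php
// Added illustration; not SecurePoll or MediaWiki code. All names are hypothetical.

// Stand-in for an x-xss style test language: every message resolves to
// markup that names its own key, so unescaped output can be attributed.
function testMessage(string $key): string {
    return "<b data-msg-key=\"$key\">$key</b>";
}

// A formatValue-style method returns an HTML cell. With $escapeMessages
// false it shows the reported shape (message text inserted raw); with
// true it shows the corrected shape (message text escaped first).
function formatValue(string $field, string $value, bool $escapeMessages): string {
    $msg = static function (string $key) use ($escapeMessages): string {
        $text = testMessage($key);
        return $escapeMessages ? htmlspecialchars($text, ENT_QUOTES) : $text;
    };
    switch ($field) {
        case 'startdate': // date string assembled around a month-name message
            return '1 ' . $msg('march') . ' ' . htmlspecialchars($value, ENT_QUOTES);
        case 'links': // action links built from interface messages
            return $msg('securepoll-subpage-archive') . $msg('pipe-separator');
        default: // plain data cell
            return htmlspecialchars($value, ENT_QUOTES);
    }
}

// Check: list the message keys that survive into the HTML as real elements.
function liveMessageKeys(string $html): array {
    preg_match_all('/<b data-msg-key="([^"]+)">/', $html, $m);
    return $m[1];
}

// Render the same two cells in both modes and report what stays live.
foreach ([false, true] as $escape) {
    $html = formatValue('startdate', '2023', $escape)
        . formatValue('links', '', $escape);
    printf(
        "escapeMessages=%s live keys: %s\n",
        $escape ? 'yes' : 'no',
        implode(', ', liveMessageKeys($html)) ?: '(none)'
    );
}
```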