jenkins-bot has submitted this change and it was merged.

Change subject: SECURITY: XSS in unclosed internal links
......................................................................


SECURITY: XSS in unclosed internal links

rawurldecode was being run on unclosed internal links
which could allow an attacker to insert arbitrary
HTML into the page.

See also related: r13302

Bug: T137264
Change-Id: I4e112a9e918df9fe78b62c311939239b483a21f5
---
M includes/parser/Parser.php
M tests/parser/parserTests.txt
2 files changed, 10 insertions(+), 1 deletion(-)

Approvals:
  Chad: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/parser/Parser.php b/includes/parser/Parser.php
index 542483b..f6cd888 100644
--- a/includes/parser/Parser.php
+++ b/includes/parser/Parser.php
@@ -1963,7 +1963,7 @@
                                $might_be_img = true;
                                $text = $m[2];
                                if ( strpos( $m[1], '%' ) !== false ) {
-                                       $m[1] = rawurldecode( $m[1] );
+                                       $m[1] = str_replace( array( '<', '>' ), 
array( '&lt;', '&gt;' ), rawurldecode( $m[1] ) );
                                }
                                $trail = "";
                        } else { # Invalid form; output directly
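Review bot: the added `str_replace` on the `+` line escapes only `<` and `>`, and nothing in the hunk records why that is enough; add a one-line comment stating that the decode is the only step in this branch that can reintroduce raw angle brackets, so a later reader does not "clean this up" into `htmlspecialchars( rawurldecode( $m[1] ) )`, which would also turn any `&` already present in `$m[1]` into `&amp;` and change rendered output. The replacement is also only applied when `strpos( $m[1], '%' )` is true, which is correct since `rawurldecode` is a no-op otherwise, but the comment should say so. Finally, the new line is wrapped mid-call in the posted diff; check that the merged source has the two `array(...)` arguments on their own indented lines rather than one over-long line.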
diff --git a/tests/parser/parserTests.txt b/tests/parser/parserTests.txt
index d45af0a..8d6c907 100644
--- a/tests/parser/parserTests.txt
+++ b/tests/parser/parserTests.txt
@@ -20053,6 +20053,15 @@
 # of new content
 # -----------------------------------------------------------------
 
+!! test
+unclosed internal link XSS (T137264)
+!! wikitext
+[[#%3Cscript%3Ealert(1)%3C/script%3E|
+!! html
+<p>[[#&lt;script&gt;alert(1)&lt;/script&gt;|
+</p>
+!! end
+
 TODO:
 more images
 more tables
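Review bot: the new test covers a single input where both brackets arrive percent-encoded; add a companion case that mixes a literal `<` with a `%` sequence in the same unclosed link (for example `[[#<b>%20x|`) so the `!! html` block pins down that the new `str_replace` does not double-escape an `&lt;` that was already produced upstream, and one with no `%` at all to record that the untouched path renders the same before and after this change. Both expected outputs should keep the `<p>...` / `</p>` split used here.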

-- 
To view, visit https://gerrit.wikimedia.org/r/306120
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I4e112a9e918df9fe78b62c311939239b483a21f5
Gerrit-PatchSet: 3
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_23
Gerrit-Owner: Chad <[email protected]>
Gerrit-Reviewer: Brian Wolff <[email protected]>
Gerrit-Reviewer: Chad <[email protected]>
Gerrit-Reviewer: Cscott <[email protected]>
Gerrit-Reviewer: Jackmcbarn <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
