Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391374 )
Change subject: SECURITY: Escape internal error message ...................................................................... SECURITY: Escape internal error message This message contains the request url, which is semi-user controlled. Most browsers percent escape < and > so it's probably not exploitable (curl is an exception here), but nonetheless it's not good. Bug: T178451 Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6 --- M RELEASE-NOTES-1.27 M includes/exception/MWException.php 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index b32e82a..2bcf219 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -18,6 +18,8 @@ * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * (T142304) Allow putting the app ID in the password for bot passwords. * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php index bebd915..dcb38b2 100644 --- a/includes/exception/MWException.php +++ b/includes/exception/MWException.php 
@@ -144,13 +144,15 @@ $logId = WebRequest::getRequestId(); $type = get_class( $this ); return "<div class=\"errorbox\">" . - '[' . $logId . '] ' . - gmdate( 'Y-m-d H:i:s' ) . ": " . - $this->msg( "internalerror-fatal-exception", - "Fatal exception of type $1", - $type, - $logId, - MWExceptionHandler::getURL( $this ) + htmlspecialchars( + '[' . $logId . '] ' . + gmdate( 'Y-m-d H:i:s' ) . ": " . + $this->msg( "internalerror-fatal-exception", + "Fatal exception of type $1", + $type, + $logId, + MWExceptionHandler::getURL( $this ) + ) ) . "</div>\n" . "<!-- Set \$wgShowExceptionDetails = true; " . "at the bottom of LocalSettings.php to show detailed " . -- To view, visit https://gerrit.wikimedia.org/r/391374 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_27 Gerrit-Owner: Reedy <re...@wikimedia.org> Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com> Gerrit-Reviewer: Reedy <re...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
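Review bot: the RELEASE-NOTES-1.27 entry names the condition ($wgShowExceptionDetails = false, non-standard url escaping by the client) but not what output was affected or what changed; since the MWException.php hunk escapes the request URL in the generic fatal-exception box, consider stating that directly, e.g. "+* (T178451) SECURITY: The request URL shown in the generic fatal-exception message is now HTML-escaped (potential XSS when $wgShowExceptionDetails = false and the client sends unescaped < or >)." so operators can tell which page output was exposed.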
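Review bot: wrapping the entire concatenation in htmlspecialchars() in the MWException.php hunk is the safer choice, since $logId and $type end up in the same markup as the URL returned by MWExceptionHandler::getURL( $this ), but it assumes the text of the "internalerror-fatal-exception" message (and its translations) carries no intentional HTML; if it does, that markup will now render literally, so please confirm the message is plain text. The default flags are adequate here because the escaped string is element content inside the errorbox div rather than an attribute value, so leaving single quotes unescaped is harmless; the static "<!-- Set \$wgShowExceptionDetails = true; ..." comment that follows is outside the escaped region, which is fine as long as it stays free of request-derived data.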