On 2016-10-29 5:30 PM, Brian Wolff wrote:
> On Saturday, October 29, 2016, Daniel Friesen <[email protected]> wrote:
>> And then there is $image. urlpathinfo doesn't escape quotes,
>> backslashes, or </script>.
>>
> It's hard to find docs on what urlpathinfo actually does (talk about a red
> flag for a security mechanism...) but I thought it was basically
> rawurlencode, which I think escapes all the relevant characters in this
> context as percent encoding.
>
> --
> Bawolff

You're right, urlpathinfo does escape '</script> to %27%3C/script%3E.
I was testing against the DISQUS widget's code, which supposedly used urlpathinfo for its $id parameter:
http://www.mediawikiwidgets.org/w/index.php?title=Widget:DISQUS&action=edit

However, it turns out that the actual code in the widget was '<!--{$id|escape:'urlpathinfo '}-->' (there is a space after urlpathinfo but before the quote).

So it seems that `|escape:'urlpathinfo'` will safely escape things. But an extra space in the escape type name will make it an invalid escape type, and when Widgets encounters an invalid escape type, instead of erroring out and warning you, it just ignores the escape entirely and drops a wide open security hole in your widget.

(That said, DISQUS and nearly every other widget using an inline script is still broken even if urlpathinfo worked, because just about every one of them uses something like '<!--{$url|escape:'quotes'}-->', which offers no security because it pretty much only escapes double quotes, leaving BOTH single quotes and </script> free to inject code.)

~Daniel Friesen (Dantman, Nadir-Seen-Fire)
[http://danielfriesen.name/]

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
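The two failure modes in the message above (a value landing in a single-quoted JS string inside an inline `<script>`, and an escape type that is silently ignored when misspelled) can be checked offline. The following is an added example, not code from the thread, from Smarty, or from the Widgets extension. It assumes `urlpathinfo` behaves like PHP's rawurlencode() with "%2F" restored to "/", models the "unknown escape type is ignored" behaviour the post describes as `escape_lenient`, and adds a strict dispatcher as the fix a reviewer would ask for. The payload and the widget template line are constructed for the demonstration.

```python
"""Check which escaping keeps a value inside a JS string in an inline <script>.

Added example; not the Widgets extension's or Smarty's own code.
"""
import re
from urllib.parse import quote

# Constructed attacker input: ends the JS string, ends the <script> element,
# and starts a new script.
PAYLOAD = "x'</script><script>alert(1)</script>//"


def urlpathinfo(value: str) -> str:
    """Assumed model of Smarty's escape:'urlpathinfo' (rawurlencode, keep '/').

    urllib.parse.quote leaves only A-Z a-z 0-9 and '_.-~' unencoded, the same
    set PHP's rawurlencode() leaves alone; safe='/' keeps slashes, which is
    what Smarty's "%2F" -> "/" replacement does.
    """
    return quote(value, safe="/")


ESCAPERS = {"urlpathinfo": urlpathinfo}


def escape_lenient(value: str, kind: str) -> str:
    """The failure mode described in the post: unknown escape type -> raw value."""
    return ESCAPERS.get(kind, lambda v: v)(value)


def escape_strict(value: str, kind: str) -> str:
    """Hardened dispatcher: refuse to render instead of emitting the raw value."""
    if kind not in ESCAPERS:
        raise ValueError(f"unknown escape type {kind!r}")
    return ESCAPERS[kind](value)


# Anything that can end a single-quoted JS string literal or the enclosing
# <script> element: the quote itself; a backslash (so "\'" can swallow the
# template's own closing quote); CR/LF and U+2028/2029 line terminators;
# "</script", which the HTML parser honours regardless of JS syntax; and
# "<!--", which changes how script content is tokenised.
_BREAKOUT = re.compile(r"['\\\r\n\u2028\u2029]|</script|<!--", re.IGNORECASE)


def stays_in_js_string(rendered: str) -> bool:
    """True if `rendered` cannot terminate the string or the script block."""
    return _BREAKOUT.search(rendered) is None


def render(value: str, kind: str, strict: bool = False) -> str:
    """Render the constructed widget line with the value in a JS string."""
    esc = escape_strict if strict else escape_lenient
    return f"<script>var id = '{esc(value, kind)}';</script>"


if __name__ == "__main__":
    # Second entry has the trailing space from the DISQUS widget source.
    for kind in ("urlpathinfo", "urlpathinfo "):
        out = escape_lenient(PAYLOAD, kind)
        print(f"{kind!r:16} safe={stays_in_js_string(out)}  {out}")
```

Running it shows the percent-encoded value contains neither a quote nor `</script`, while the misspelled escape type passes the payload through untouched; with `strict=True`, `render` raises instead of producing the injectable page.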
