[Bug 57550] SVG XSLT XSS
https://bugzilla.wikimedia.org/show_bug.cgi?id=57550

David Gerard dger...@gmail.com changed:

           What    |Removed                     |Added
                 CC|                            |dger...@gmail.com

--- Comment #8 from David Gerard dger...@gmail.com ---
In my role as sysadmin at RationalWiki.org, I just upgraded it to 1.19.10 - or thought I had - and Chris Davis' 'sploit link still runs the demo 'sploit for me:

http://rationalwiki.org/w/images/0/03/Silly_mediawiki.svg

Looking at includes/XmlTypeCheck.php and includes/upload/UploadBase.php in the RW installation, the patches in attachment 13916 appear to be present.

Should the demo 'sploit still work?

--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 57550] SVG XSLT XSS
https://bugzilla.wikimedia.org/show_bug.cgi?id=57550

Mark A. Hershberger m...@everybody.org changed:

           What    |Removed                     |Added
                 CC|                            |m...@everybody.org

--- Comment #9 from Mark A. Hershberger m...@everybody.org ---
(In reply to comment #8)
> Should the demo 'sploit still work?

From what I understand: the already-uploaded demo will continue to work, but you shouldn't be able to upload it any more.
[Bug 57550] SVG XSLT XSS
https://bugzilla.wikimedia.org/show_bug.cgi?id=57550

--- Comment #10 from David Gerard dger...@gmail.com ---
Yeah, that'll do. Thank you :-)

I just tested and get

  This file contains HTML or script code that may be erroneously interpreted by a web browser.

which is precisely right.

The original demo 'sploit SVG is still present in the file tree, so the link will work for an unspecified future length of time (probably until next major upgrade).
[Bug 57550] SVG XSLT XSS
https://bugzilla.wikimedia.org/show_bug.cgi?id=57550

--- Comment #11 from Chris Steipp cste...@wikimedia.org ---
(In reply to comment #8)
> In my role as sysadmin at RationalWiki.org, I just upgraded it to 1.19.10 - or thought I had - and Chris Davis' 'sploit link still runs the demo 'sploit for me:
>
> http://rationalwiki.org/w/images/0/03/Silly_mediawiki.svg
>
> Looking at includes/XmlTypeCheck.php and includes/upload/UploadBase.php in the RW installation, the patches in attachment 13916 appear to be present.
>
> Should the demo 'sploit still work?

Yes, the patch prevents the upload, but existing files will still be there. Grepping for ?xml-stylesheet in your images would identify any that have previously come in.
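The audit Chris Steipp suggests above (find already-uploaded SVGs carrying an xml-stylesheet processing instruction), written out as an added example that is not code from the bug thread or from MediaWiki. It goes one step past a byte-level grep by letting an XML parser report the PI, so a file in a non-ASCII encoding such as UTF-16 is still found; the upload directory, function names and the sample documents are assumptions constructed here.

```python
import os
import xml.parsers.expat

# Constructed sample documents (not files from the bug report):
BENIGN_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
PI_IN_PROLOG = (b'<?xml version="1.0"?>'
                b'<?xml-stylesheet type="text/xsl" href="sheet.xsl"?>'
                b'<svg xmlns="http://www.w3.org/2000/svg"/>')
# The same document re-encoded as UTF-16 (with BOM): a byte-level grep for
# "?xml-stylesheet" does not match it, but an XML parser still sees the PI.
PI_UTF16 = PI_IN_PROLOG.decode("ascii").encode("utf-16")


def has_xml_stylesheet_pi(data: bytes) -> bool:
    """True if the document carries an <?xml-stylesheet ...?> processing
    instruction anywhere, in whatever encoding expat detects."""
    found = False

    def on_pi(target, _pi_data):
        nonlocal found
        if target == "xml-stylesheet":
            found = True

    parser = xml.parsers.expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        # Malformed XML: keep any PI reported before the error, and fall
        # back to a byte-level check so a deliberately broken file is
        # still flagged for manual review rather than silently skipped.
        return found or b"xml-stylesheet" in data.lower()
    return found


def scan_svg_uploads(root: str) -> list:
    """Walk an upload tree (e.g. MediaWiki's images/ directory, an assumed
    path) and return the SVG files that carry an xml-stylesheet PI."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".svg"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if has_xml_stylesheet_pi(fh.read()):
                    hits.append(path)
    return sorted(hits)
```

Run `scan_svg_uploads("/path/to/images")` against the wiki's upload root; each path returned is a file that the post-patch upload check would now reject and that should be reviewed or removed.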
[Bug 57550] SVG XSLT XSS
https://bugzilla.wikimedia.org/show_bug.cgi?id=57550

Chris Steipp cste...@wikimedia.org changed:

           What    |Removed                     |Added
             Status|PATCH_TO_REVIEW             |RESOLVED
              Group|security                    |
                 CC|                            |aarcos.w...@gmail.com,
                   |                            |bawolff...@gmail.com,
                   |                            |bryan.tongm...@gmail.com,
                   |                            |fflo...@wikimedia.org,
                   |                            |gti...@wikimedia.org,
                   |                            |mtrac...@member.fsf.org
          Component|Core                        |Uploading
         Resolution|---                         |FIXED
           Assignee|cste...@wikimedia.org       |wikibugs-l@lists.wikimedia.org
            Product|Security                    |MediaWiki