Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391374 )

Change subject: SECURITY: Escape internal error message
......................................................................


SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled.
Most browsers percent-escape < and > so it's probably not exploitable
(curl is an exception here), but nonetheless it's not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
M RELEASE-NOTES-1.27
M includes/exception/MWException.php
2 files changed, 11 insertions(+), 7 deletions(-)
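As an added illustration of the issue the commit message describes (example code written for this note, not MediaWiki's own; the function names, the message wording and the sample request paths are constructed stand-ins), here is the error box rendered with and without the escaping, for a browser-style percent-escaped path, a curl-style raw path, and a path carrying a byte that is not valid UTF-8:

```php
<?php
// Added example, not MediaWiki code. A stand-in for the error box built in
// MWException::getHTML(): the same string rendered unescaped (the pre-fix
// shape) and escaped (the post-fix shape). Function names, the message text
// and the sample paths below are assumptions made for this illustration.

function buildMessage( string $logId, string $type, string $url ): string {
    // The real text comes from the internalerror-fatal-exception i18n message;
    // this constructed stand-in keeps the same inputs: log ID, class name, URL.
    return '[' . $logId . '] ' . gmdate( 'Y-m-d H:i:s' ) . ': '
        . "Fatal exception of type $type at $url";
}

function renderErrorBoxUnescaped( string $logId, string $type, string $url ): string {
    // Pre-fix shape: the request URL is concatenated into the HTML verbatim.
    return '<div class="errorbox">' . buildMessage( $logId, $type, $url ) . "</div>\n";
}

function renderErrorBoxEscaped( string $logId, string $type, string $url ): string {
    // Post-fix shape, with the flags spelled out: ENT_SUBSTITUTE makes a URL
    // that carries invalid UTF-8 render with U+FFFD instead of collapsing to ''.
    return '<div class="errorbox">'
        . htmlspecialchars( buildMessage( $logId, $type, $url ), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' )
        . "</div>\n";
}

function containsInjectedTag( string $html ): bool {
    // The wrapper contributes exactly two '<' (opening and closing div);
    // any further '<' came through from the URL unescaped.
    return substr_count( $html, '<' ) > 2;
}

// Constructed request paths: what a browser sends for an address containing
// markup, what curl sends when handed the same address verbatim, and a path
// with a stray byte that is not valid UTF-8.
$samples = [
    'browser'  => '/w/index.php?title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E',
    'curl'     => '/w/index.php?title=<img src=x onerror=alert(1)>',
    'bad-utf8' => "/w/index.php?title=\xff<b>x</b>",
];

foreach ( $samples as $client => $url ) {
    $before = renderErrorBoxUnescaped( 'abc123', 'MWException', $url );
    $after  = renderErrorBoxEscaped( 'abc123', 'MWException', $url );
    printf( "%-8s injected tag before fix: %s\n", $client, containsInjectedTag( $before ) ? 'yes' : 'no' );
    printf( "%-8s injected tag after fix:  %s\n", $client, containsInjectedTag( $after ) ? 'yes' : 'no' );
}

// Why the flags matter: without ENT_SUBSTITUTE (the default before PHP 8.1),
// the invalid-UTF-8 sample escapes to an empty string, so the error box,
// log ID included, would be blank.
$bare = htmlspecialchars( $samples['bad-utf8'], ENT_QUOTES, 'UTF-8' );
printf( "bad-utf8 without ENT_SUBSTITUTE: %s\n", $bare === '' ? 'empty string' : $bare );
```

Run it with `php` on the command line: only the curl-style and bad-UTF-8 paths carry a raw tag through the unescaped rendering, none survive the escaped one, and the last line shows the empty-string behaviour that the explicit ENT_SUBSTITUTE flag avoids.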



diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index b32e82a..2bcf219 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -18,6 +18,8 @@
 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
 * (T142304) Allow putting the app ID in the password for bot passwords.
 * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and 
browser
+  sends non-standard url escaping.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension 
was
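Review bot: the wording "browser sends non-standard url escaping" in the new entry is narrower than the commit message, which names curl, a non-browser client, as the case that sends < and > through unescaped; say "client" rather than "browser", and name what is reflected (the request URL in the fatal-exception message shown when $wgShowExceptionDetails = false) so operators can judge their exposure from the release note alone.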
diff --git a/includes/exception/MWException.php 
b/includes/exception/MWException.php
index bebd915..dcb38b2 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -144,13 +144,15 @@
                        $logId = WebRequest::getRequestId();
                        $type = get_class( $this );
                        return "<div class=\"errorbox\">" .
-                       '[' . $logId . '] ' .
-                       gmdate( 'Y-m-d H:i:s' ) . ": " .
-                       $this->msg( "internalerror-fatal-exception",
-                               "Fatal exception of type $1",
-                               $type,
-                               $logId,
-                               MWExceptionHandler::getURL( $this )
+                       htmlspecialchars(
+                               '[' . $logId . '] ' .
+                               gmdate( 'Y-m-d H:i:s' ) . ": " .
+                               $this->msg( "internalerror-fatal-exception",
+                                       "Fatal exception of type $1",
+                                       $type,
+                                       $logId,
+                                       MWExceptionHandler::getURL( $this )
+                               )
                        ) . "</div>\n" .
                        "<!-- Set \$wgShowExceptionDetails = true; " .
                        "at the bottom of LocalSettings.php to show detailed " .
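Review bot: htmlspecialchars() is called with default flags on the new `+ htmlspecialchars(` line. In PHP before 8.1 the default set omits ENT_SUBSTITUTE, so if the URL returned by MWExceptionHandler::getURL( $this ) contains a byte sequence that is not valid UTF-8, htmlspecialchars() returns an empty string and the whole error box is blanked, including the $logId and the gmdate() timestamp an operator needs to find the exception in the logs. Pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly so a malformed URL renders with replacement characters instead. Escaping the entire concatenation is otherwise the right call here: $logId, the timestamp and the $type class name are plain text, and nothing in the internalerror-fatal-exception message as used on these lines needs to carry markup.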

-- 
To view, visit https://gerrit.wikimedia.org/r/391374
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Reedy <re...@wikimedia.org>
Gerrit-Reviewer: Brian Wolff <bawolff...@gmail.com>
Gerrit-Reviewer: Reedy <re...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
