[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Escape internal error message
Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391374 ) Change subject: SECURITY: Escape internal error message .. SECURITY: Escape internal error message This message contains the request url, which is semi-user controlled. Most browsers percent escape < and > so its probably not exploitable (curl is an exception here), but nonetheless its not good. Bug: T178451 Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6 --- M RELEASE-NOTES-1.27 M includes/exception/MWException.php 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index b32e82a..2bcf219 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -18,6 +18,8 @@ * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * (T142304) Allow putting the app ID in the password for bot passwords. * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php index bebd915..dcb38b2 100644 --- a/includes/exception/MWException.php +++ b/includes/exception/MWException.php @@ -144,13 +144,15 @@ $logId = WebRequest::getRequestId(); $type = get_class( $this ); return "" . - '[' . $logId . '] ' . - gmdate( 'Y-m-d H:i:s' ) . ": " . - $this->msg( "internalerror-fatal-exception", - "Fatal exception of type $1", - $type, - $logId, - MWExceptionHandler::getURL( $this ) + htmlspecialchars( + '[' . $logId . '] ' . + gmdate( 'Y-m-d H:i:s' ) . ": " . + $this->msg( "internalerror-fatal-exception", + "Fatal exception of type $1", + $type, + $logId, + MWExceptionHandler::getURL( $this ) + ) ) . "\n" .
[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Escape internal error message
Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391374 ) Change subject: SECURITY: Escape internal error message .. SECURITY: Escape internal error message This message contains the request url, which is semi-user controlled. Most browsers percent escape < and > so its probably not exploitable (curl is an exception here), but nonetheless its not good. Bug: T178451 Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6 --- M RELEASE-NOTES-1.27 M includes/exception/MWException.php 2 files changed, 11 insertions(+), 7 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/74/391374/1 diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index b32e82a..2bcf219 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -18,6 +18,8 @@ * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager. * (T142304) Allow putting the app ID in the password for bot passwords. * Updated dev dependancy phpunit/phpunit from v4.8.24 to v4.8.36. +* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser + sends non-standard url escaping. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php index bebd915..dcb38b2 100644 --- a/includes/exception/MWException.php +++ b/includes/exception/MWException.php @@ -144,13 +144,15 @@ $logId = WebRequest::getRequestId(); $type = get_class( $this ); return "" . - '[' . $logId . '] ' . - gmdate( 'Y-m-d H:i:s' ) . ": " . - $this->msg( "internalerror-fatal-exception", - "Fatal exception of type $1", - $type, - $logId, - MWExceptionHandler::getURL( $this ) + htmlspecialchars( + '[' . $logId . '] ' . + gmdate( 'Y-m-d H:i:s' ) . ": " . + $this->msg( "internalerror-fatal-exception", + "Fatal exception of type $1", + $type, + $logId, + MWExceptionHandler::getURL( $this ) + ) ) . "\n" .
