[MediaWiki-commits] [Gerrit] mediawiki/core[master]: SECURITY: Escape internal error message

2017-11-14 Thread jenkins-bot (Code Review)
jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391447 )

Change subject: SECURITY: Escape internal error message
..


SECURITY: Escape internal error message

This message contains the request URL, which is semi-user controlled.
Most browsers percent escape < and > so it's probably not exploitable
(curl is an exception here), but nonetheless it's not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
M includes/exception/MWException.php
M includes/exception/MWExceptionRenderer.php
2 files changed, 18 insertions(+), 15 deletions(-)

Approvals:
  Reedy: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/includes/exception/MWException.php 
b/includes/exception/MWException.php
index c633431..6d95919 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -103,13 +103,15 @@
$logId = WebRequest::getRequestId();
$type = static::class;
return Html::errorBox(
-   '[' . $logId . '] ' .
-   gmdate( 'Y-m-d H:i:s' ) . ": " .
-   $this->msg( "internalerror-fatal-exception",
-   "Fatal exception of type $1",
-   $type,
-   $logId,
-   MWExceptionHandler::getURL( $this )
+   htmlspecialchars(
+   '[' . $logId . '] ' .
+   gmdate( 'Y-m-d H:i:s' ) . ": " .
+   $this->msg( "internalerror-fatal-exception",
+   "Fatal exception of type $1",
+   $type,
+   $logId,
+   MWExceptionHandler::getURL( $this )
+   )
) ) .
"";
}
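
Review bot: The htmlspecialchars() call added inside Html::errorBox( wraps the whole concatenation, including the return value of $this->msg(), so it is only correct if msg() returns plain text at this point; if it can return already-escaped HTML, entities in the localized message would be double-escaped. Please confirm that, and consider a short comment above the call stating that the value from MWExceptionHandler::getURL( $this ) is the semi-user-controlled part, so a later refactor does not move it back outside the escaping.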
 

-- 
To view, visit https://gerrit.wikimedia.org/r/391447
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Reedy 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: Reedy 
Gerrit-Reviewer: jenkins-bot

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] mediawiki/core[master]: SECURITY: Escape internal error message

2017-11-14 Thread Reedy (Code Review)
Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391447 )

Change subject: SECURITY: Escape internal error message
..

SECURITY: Escape internal error message

This message contains the request URL, which is semi-user controlled.
Most browsers percent escape < and > so it's probably not exploitable
(curl is an exception here), but nonetheless it's not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
M includes/exception/MWException.php
M includes/exception/MWExceptionRenderer.php
2 files changed, 18 insertions(+), 15 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/47/391447/1

diff --git a/includes/exception/MWException.php 
b/includes/exception/MWException.php
index c633431..6d95919 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -103,13 +103,15 @@
$logId = WebRequest::getRequestId();
$type = static::class;
return Html::errorBox(
-   '[' . $logId . '] ' .
-   gmdate( 'Y-m-d H:i:s' ) . ": " .
-   $this->msg( "internalerror-fatal-exception",
-   "Fatal exception of type $1",
-   $type,
-   $logId,
-   MWExceptionHandler::getURL( $this )
+   htmlspecialchars(
+   '[' . $logId . '] ' .
+   gmdate( 'Y-m-d H:i:s' ) . ": " .
+   $this->msg( "internalerror-fatal-exception",
+   "Fatal exception of type $1",
+   $type,
+   $logId,
+   MWExceptionHandler::getURL( $this )
+   )
) ) .
"";
}
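
Review bot: No test accompanies the escaping added around the Html::errorBox() argument; the diffstat lists only MWException.php and MWExceptionRenderer.php, and the MWExceptionRenderer.php hunk is not shown in this mail. A regression test that triggers this error path for a request URL containing literal < and > and asserts that the rendered box contains &lt; and &gt; would pin the behaviour down, since the commit message itself notes that not every client percent-escapes those characters.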
 

-- 
To view, visit https://gerrit.wikimedia.org/r/391447
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Reedy 
Gerrit-Reviewer: Brian Wolff 
Gerrit-Reviewer: Reedy 
