From ceef8d0255a1bb187711b57043c7d9cc59b9d744 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Wed, 18 Oct 2017 05:28:43 +0000
Subject: [PATCH] SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled. Most browsers percent escape < and > so its probably not exploitable (curl is an exception here), but nonetheless its not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
 RELEASE-NOTES-1.27 | 2 ++
 includes/exception/MWException.php | 16 +++++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 646c47f263..9d4ea41756 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -16,6 +16,8 @@ This not a release yet!
 * DB_REPLICA constant added from REL1_28+ to ease backports to extensions and core.
 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+ sends non-standard url escaping.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php
index bebd91580f..dcb38b23a7 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -144,13 +144,15 @@ class MWException extends Exception {
 $logId = WebRequest::getRequestId();
 $type = get_class( $this );
 return "
" .
- '[' . $logId . '] ' .
- gmdate( 'Y-m-d H:i:s' ) . ": " .
- $this->msg( "internalerror-fatal-exception",
- "Fatal exception of type $1",
- $type,
- $logId,
- MWExceptionHandler::getURL( $this )
+ htmlspecialchars(
+ '[' . $logId . '] ' .
+ gmdate( 'Y-m-d H:i:s' ) . ": " .
+ $this->msg( "internalerror-fatal-exception",
+ "Fatal exception of type $1",
+ $type,
+ $logId,
+ MWExceptionHandler::getURL( $this )
+ )
 ) . "
\n" . "