From 9349305a3599a9867da5742e8948735d39c3b9d6 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Wed, 18 Oct 2017 05:28:43 +0000
Subject: [PATCH 1/2] SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled. Most browsers percent escape < and > so its probably not exploitable (curl is an exception here), but nonetheless its not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
 RELEASE-NOTES-1.27 | 2 ++
 includes/exception/MWException.php | 16 +++++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 354462b7c3..44855723d0 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -17,6 +17,8 @@ This not a release yet!
 * (T175439) Unbreak Postgres Updater when setting defaults for a column.
 * (T160298) Remove use of implicitGroupBy() in ActiveUsersPager.
 * (T142304) Allow putting the app ID in the password for bot passwords.
+* (T178451) SECURITY: Potential XSS when $wgShowExceptionDetails = false and browser
+ sends non-standard url escaping.
 
 == MediaWiki 1.27.3 ==
 Due to a packaging error, the wrong version of the SyntaxHighlight extension was
diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php
index bebd91580f..dcb38b23a7 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -144,13 +144,15 @@ class MWException extends Exception {
 $logId = WebRequest::getRequestId();
 $type = get_class( $this );
 return "
" .
- '[' . $logId . '] ' .
- gmdate( 'Y-m-d H:i:s' ) . ": " .
- $this->msg( "internalerror-fatal-exception",
- "Fatal exception of type $1",
- $type,
- $logId,
- MWExceptionHandler::getURL( $this )
+ htmlspecialchars(
+ '[' . $logId . '] ' .
+ gmdate( 'Y-m-d H:i:s' ) . ": " .
+ $this->msg( "internalerror-fatal-exception",
+ "Fatal exception of type $1",
+ $type,
+ $logId,
+ MWExceptionHandler::getURL( $this )
+ )
 ) . "
\n" . "