Page MenuHomePhabricator
Create Task
Maniphest T291852

Weird anoneditwarning output when adding an external link
Closed, ResolvedPublicSecurity
Actions

Description

I was trying to make https://www.mediawiki.org/w/index.php?title=Security%2FSOP%2FSecurity_Preview&type=revision&diff=4830043&oldid=4830041 logged out (didn't notice that I was), and when I hit save, I was presented with a captcha fair enough), but it had a weird block of information in it...

Capture.PNG (1×3 px, 510 KB)

Details

Risk Rating
Medium
Author Affiliation
WMF Technology Dept
SubjectRepoBranchLines +/-
Don't copy POST query params when generating link/redirect URLsmediawiki/coremaster+13 -13
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Sep 27 2021, 4:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 27 2021, 4:54 PM
Reedy added a project: MediaWiki-Page-editing.Sep 27 2021, 4:55 PM
Reedy updated the task description. (Show Details)
Legoktm subscribed.Sep 27 2021, 5:05 PM

In EditPage:

				$returntoquery = array_diff_key(
					$this->context->getRequest()->getValues(),
					[ 'title' => true, 'returnto' => true, 'returntoquery' => true ]
				);
				$out->wrapWikiMsg(
					"<div id='mw-anon-edit-warning' class='warningbox'>\n$1\n</div>",
					[ 'anoneditwarning',
						// Log-in link
						SpecialPage::getTitleFor( 'Userlogin' )->getFullURL( [
							'returnto' => $this->getTitle()->getPrefixedDBkey(),
							'returntoquery' => wfArrayToCgi( $returntoquery ),
						] ),
						// Sign-up link
						SpecialPage::getTitleFor( 'CreateAccount' )->getFullURL( [
							'returnto' => $this->getTitle()->getPrefixedDBkey(),
							'returntoquery' => wfArrayToCgi( $returntoquery ),
						] )
					]
				);

$returntoquery should use WebRequest::getQueryValues() instead of trying to embed all POST values in the URL too.

Reedy added a comment.Sep 27 2021, 9:34 PM

I'm guessing this may be a dupe... And probably doesn't need to be a security bug; I just filed it as such I didn't have to worry too much what params were actually in the pasted text

Reedy edited projects, added SecTeam-Processed; removed Security-Team.Oct 4 2021, 3:42 PM
matmarex added subscribers: sbassett, matmarex.Sat, Nov 16, 1:59 AM

It seems that this is no longer reproducible (as far as I can tell, we only display this message when the form has not been POST-ed now), but it would still be nice to change this code, to avoid this bad pattern being copied elsewhere. (e.g. T309907)

@sbassett There's no security issue here, could you please make this task public?

matmarex added a project: Patch-For-Review.Sat, Nov 16, 3:45 AM

(I submitted a patch at https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1091844)

sbassett triaged this task as Medium priority.Sat, Nov 16, 5:16 PM
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
sbassett added a subscriber: gerritbot.
gerritbot added a comment.Tue, Nov 19, 8:50 AM

Change #1091844 merged by jenkins-bot:

[mediawiki/core@master] Don't copy POST query params when generating link/redirect URLs

https://gerrit.wikimedia.org/r/1091844

ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.5; 2024-11-25).Tue, Nov 19, 9:00 AM
matmarex closed this task as Resolved.Wed, Nov 20, 8:12 PM
matmarex claimed this task.
matmarex removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits