Last modified: 2012-06-28 21:12:29 UTC
A security bug which is exactly the same as bug 36938, fixed in our latest release, was introduced in Gerrit change #11588.
TWN maintainers should care about this if it's using the master version.
Liangent, I haven't been able to verify that the change actually allows for xss, but it would be good to protect against it.

SPQRobin, maybe update the return to use the Xml class, something like:

$row = Xml::wrapClass( Xml::element( 'b', null, $legend ), 'mw-pt-languages-label', 'td' );
$row .= Xml::element('td', array( 'class'=>'mw-pt-languages-list' ), $languages );
$row = Xml::tags( 'tr', array( 'valign' => 'top' ), $row );
$table = Xml::tags( 'table', null, Xml::tags( 'tbody', null, $row ) );
$langAttribs = array( 'lang' => $userLangCode, 'dir' => $userLangDir );
return Xml::wrapClass( $table, 'mw-pt-languages', 'div', $langAttribs );
(In reply to comment #2)
> Liangent, I haven't been able to verify that the change actually allows for
> xss, but it would be good to protect against it.

https://meta.wikimedia.org/wiki/IPv6_initiative/2012_IPv6_Day_announcement?uselang=%22%20onmouseover=%22alert%28%27xss%27%29;%22%20x=%22
Liangent, thank you! Robin, can you get this fixed, or would you like me to submit this patch into gerrit?
(In reply to comment #4)
> Liangent, thank you!
>
> Robin, can you get this fixed, or would you like me to submit this patch into
> gerrit?

Submitting means disclosing this bug, maybe this should be done after it's fixed on live sites?
(In reply to comment #5)
> Submitting means disclosing this bug, maybe this should be done after it's
> fixed on live sites?

Just submit it as draft (drafts instead of refs branch) and assign reviewers manually. Adding Chris and Nikerabbit should do the trick.
(In reply to comment #6)
> (In reply to comment #5)
>
> > Submitting means disclosing this bug, maybe this should be done after it's
> > fixed on live sites?
>
> Just submit it as draft (drafts instead of refs branch) and assign reviewers
> manually. Adding Chris and Nikerabbit should do the trick.

How to do it?
I gave it a stab at Gerrit change #13300.

Used this command to push the patch set:
git push ssh://siebrand@gerrit.wikimedia.org:29418/mediawiki/extensions/Translate HEAD:refs/drafts/master
(In reply to comment #8)
> I gave it a stab at Gerrit change #13300.
>
> Used this command to push the patch set:
> git push
> ssh://siebrand@gerrit.wikimedia.org:29418/mediawiki/extensions/Translate
> HEAD:refs/drafts/master

“Not Found
The page you requested was not found.”

Should it be using a more informative message?
Ah, sorry. I forgot to add you as reviewer.
Merged and deployment to Wikimedia 1.20wmf6 imminent.
The merged fix contained a syntax error. Fixed in Gerrit change #13361.
Thank you for fixing. (Marking as FIXED since the change is merged.)

Btw, wouldn't it be better if we filtered the uselang input to only contain a-z letters and dashes? It seems to already fall back to English if it contains some invalid characters.
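
The two defenses discussed in this thread (escaping the attribute value when the element is built, and restricting uselang to a-z letters and dashes with a fallback to English), side by side as an added example. This is not code from the Translate extension or MediaWiki: the function names are hypothetical, and plain htmlspecialchars() stands in for the attribute escaping the Xml class performs.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Unsafe pattern: the user-controlled language code is concatenated
// straight into the attribute, so a double quote ends the value early.
function languageBarUnsafe( string $langCode, string $dir ): string {
	return '<div class="mw-pt-languages" lang="' . $langCode . '" dir="' . $dir . '">';
}

// Output encoding: every attribute value is escaped before it is written,
// which is the property gained by building the element through a helper
// that takes an attribute array instead of hand-written markup.
function languageBarEscaped( string $langCode, string $dir ): string {
	$attribs = [ 'class' => 'mw-pt-languages', 'lang' => $langCode, 'dir' => $dir ];
	$out = '<div';
	foreach ( $attribs as $name => $value ) {
		$out .= ' ' . $name . '="' . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' ) . '"';
	}
	return $out . '>';
}

// Input allowlist as proposed in the last comment: a-z and dashes only,
// anything else falls back to English. The D modifier stops "$" from
// matching before a trailing newline.
function normalizeLangCode( string $raw, string $fallback = 'en' ): string {
	return preg_match( '/^[a-z-]+$/D', $raw ) === 1 ? $raw : $fallback;
}

// Constructed input: the uselang value from the URL in the thread, URL-decoded.
$payload = '" onmouseover="alert(\'xss\');" x="';

// 1. Concatenation: the value breaks out and adds an event-handler attribute.
echo languageBarUnsafe( $payload, 'ltr' ), "\n";

// 2. Escaping alone: the quotes become entities and stay inside lang="...".
echo languageBarEscaped( $payload, 'ltr' ), "\n";

// 3. Allowlist plus escaping: the invalid code is replaced by the fallback.
echo languageBarEscaped( normalizeLangCode( $payload ), 'ltr' ), "\n";

// 4. A well-formed code passes through unchanged.
echo languageBarEscaped( normalizeLangCode( 'zh-hans' ), 'ltr' ), "\n";
```

The allowlist complements the escaping and does not replace it: the escaping is what protects every other attribute value that might later be derived from request input.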