Last modified: 2014-06-09 06:18:05 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T55320, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 53320 - LQT not escaping thread subjects on page history
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: LiquidThreads
Version: master
Hardware: All All
Importance: Unprioritized normal
Assigned To: Alex Monk
Reported: 2013-08-25 13:34 UTC by Alex Monk
Modified: 2014-06-09 06:18 UTC

Attachments
Escape thread subject on history page (826 bytes, patch)
2013-08-25 13:36 UTC, Alex Monk

Description Alex Monk 2013-08-25 13:34:13 UTC
Users can insert any HTML into LQT thread subject and it will appear unescaped in the page history.
Comment 1 Alex Monk 2013-08-25 13:36:21 UTC
Created attachment 13162
Escape thread subject on history page
Comment 2 Chris Steipp 2013-08-26 16:51:54 UTC
Confirmed the issue, and fix. We'll deploy that and add a note about this in the 1.21.2 release.
Comment 3 Alex Monk 2013-08-26 17:14:59 UTC
Looks like it got deployed:

<logmsgbot> !log csteipp synchronized php-1.22wmf14/extensions/LiquidThreads  'Fix bug53320'
<logmsgbot> !log csteipp synchronized php-1.22wmf13/extensions/LiquidThreads  'Fix bug53320'

CCing Werdna, who wrote this code in r58000.
Comment 4 Hans Meiser 2013-09-04 01:56:32 UTC
Are there fixes for older MW/LQT versions available too? Could someone please give detailed information on which versions are fixed and which are not?
The main extension page of LQT is somehow misleading to see what's done in the different branches.
Comment 5 Chris Steipp 2013-09-04 04:52:41 UTC
The patch was only in master initially, but I just added patches for REL1_19, 20, and 21. Maybe someone can test and merge them?
Comment 6 Hans Meiser 2013-09-05 01:30:10 UTC
Does this mean LQT 2.x and 3.x?
Comment 7 Andre Klapper 2013-09-05 09:30:42 UTC
(In reply to comment #6)
> Does this mean LQT 2.x and 3.x?

I am not aware of any existing codebase called "LiquidThreads 3.x" so this applies to 2.x.
Comment 8 Chris Steipp 2013-09-05 17:05:57 UTC
This was assigned CVE-2013-4308
Comment 9 Chris Steipp 2013-09-05 17:09:34 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Does this mean LQT 2.x and 3.x?
> 
> I am not aware of any existing codebase called "LiquidThreads 3.x" so this
> applies to 2.x.

Correct, the vulnerability was in the 2.x branch, which I think is the only reasonably supported version of LQT. It may exist in 3.x, but since that code is pretty much abandoned, I don't think it's been checked.
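
The class of bug reported here, a user-supplied thread subject written into a history row without HTML encoding, shown as an added example that is not part of the original thread and is not the LiquidThreads patch. All function names and the sample subject are hypothetical and constructed for illustration; the check assumes PHP's DOM extension is available.

```php
<?php
// Added illustration only: none of this is LiquidThreads code.
// Function names and the row layout are hypothetical.

// Before: the user-controlled subject is concatenated into the markup as-is,
// so any tags it contains become part of the page.
function historyRowUnescaped(string $subject, string $user): string {
    return '<li>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
         . ' changed the subject to "' . $subject . '"</li>';
}

// After: the subject is encoded for HTML text context at the point of output.
function historyRowEscaped(string $subject, string $user): string {
    return '<li>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8')
         . ' changed the subject to "'
         . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '"</li>';
}

// Regression check: parse the rendered row and list every element found
// inside the <li> wrapper. A correctly escaped row contains only text there.
function injectedElements(string $rowHtml): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc->loadHTML('<ul>' . $rowHtml . '</ul>');
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('li') as $li) {
        foreach ($li->getElementsByTagName('*') as $el) {
            $names[] = $el->nodeName;
        }
    }
    return $names;
}

// Constructed sample subject containing harmless markup and special characters.
$subject = '<b>Welcome</b> <a href="#">link</a> & "quotes"';

echo "unescaped row elements: ",
     implode(', ', injectedElements(historyRowUnescaped($subject, 'ExampleUser'))), "\n";
echo "escaped row elements:   ",
     implode(', ', injectedElements(historyRowEscaped($subject, 'ExampleUser'))), "\n";
```

A check of this shape can run against every view that prints a thread subject, since the same stored value is typically rendered in more than one place.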
