Last modified: 2014-03-07 19:30:06 UTC
Steps to reproduce:
1. Go to https://en.wikipedia.org/w/api.php?action=parse&text=api.php?http://onmouseover=alert%28document.cookie%29//&title=Foo&prop=wikitext&format=jsonfm
2. Hover over the first link.
-> A popup will be shown with your cookie.

The problem is in function formatHTML from ApiFormatBase.php: the raw output contains

api.php?http://onmouseover=alert(document.cookie)//

In a first pass this is transformed into a link to api.php, i.e. into

<a href="api.php?http://onmouseover=alert(document.cookie)//">...</a>

In a second step the string starting with http:// is recognized as a URL and transformed into a link, too. But as it is inside an attribute this breaks the HTML structure:

<a href="api.php?<a href="http://onmouseover=alert(document.cookie)//">...</a>">...</a>

This is invalid HTML, but according to HTML5 the first a-tag gets an onmouseover-attribute with the value 'alert(document.cookie)//"'.
Created attachment 14596: Fix
Ugh. This should fix it, by hiding the already-created links from the second pass of link finding.
Patch looks good, and fixes the issue. I asked Aaron to take a look at it also. We should be able to deploy it soon. Thanks for the report Michael.
Would be nice if the patch used: <([0-9a-f]{40})> instead of <([0-9a-f]+)>. I think this is OK though.
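The two-pass link finding the report describes, and the placeholder approach the fix comment and the `<([0-9a-f]{40})>` remark point at, as an added example written for this page. It is not the ApiFormatBase.php code or the actual patch: the two regexes, the escape-then-linkify order, the function names `linkify_vulnerable` / `linkify_fixed`, the sample inputs, and the use of Python's stdlib html.parser as a stand-in for a browser's HTML5 tokenizer are all assumptions of the example.

```python
import re
import secrets
from html.parser import HTMLParser

# Constructed input: the text= value from the report, as the API would echo it
# before link finding. It contains no characters that HTML escaping changes.
RAW = "api.php?http://onmouseover=alert(document.cookie)//"

# Simplified stand-ins for the two link-finding patterns (assumption: the real
# ApiFormatBase.php patterns differ in detail; what matters is their order).
API_LINK_RE = re.compile(r'api\.php\?[^\s"<>]*')
URL_RE = re.compile(r'https?://[^\s"<>]*')
# Placeholder shape suggested in the thread: 40 lowercase hex chars in angle brackets.
PLACEHOLDER_RE = re.compile(r'<([0-9a-f]{40})>')


def html_escape(text):
    """Escape the raw API output before any links are inserted."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def make_link(url):
    return '<a href="%s">%s</a>' % (url, url)


def linkify_vulnerable(text):
    """Two passes; the second pass also scans inside the hrefs the first one created."""
    text = html_escape(text)
    text = API_LINK_RE.sub(lambda m: make_link(m.group(0)), text)
    text = URL_RE.sub(lambda m: make_link(m.group(0)), text)
    return text


def linkify_fixed(text):
    """Same two passes, but each first-pass link is swapped for an opaque
    placeholder while the second pass runs, then put back. Escaping has removed
    every literal '<' from the text, so a placeholder cannot collide with content."""
    text = html_escape(text)
    hidden = {}

    def hide(link_html):
        token = secrets.token_hex(20)          # 40 hex chars, never matches URL_RE
        hidden[token] = link_html
        return "<%s>" % token

    text = API_LINK_RE.sub(lambda m: hide(make_link(m.group(0))), text)
    text = URL_RE.sub(lambda m: make_link(m.group(0)), text)
    return PLACEHOLDER_RE.sub(lambda m: hidden[m.group(1)], text)


class FirstAnchor(HTMLParser):
    """Record the attributes a tolerant, HTML5-style parser assigns to the first <a>."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def first_anchor_attrs(html):
    """Parse the linkified output the way a browser would and return the first <a>'s attributes."""
    parser = FirstAnchor()
    parser.feed(html)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    for name, fn in (("vulnerable", linkify_vulnerable), ("fixed", linkify_fixed)):
        out = fn(RAW)
        print(name, "->", out)
        print("  first <a> attrs:", first_anchor_attrs(out))
```

Run on the report's input, the vulnerable version yields the nested `<a href="api.php?<a href="http://...` markup, and the parser hands the outer anchor an `onmouseover` attribute whose value is `alert(document.cookie)//"`, exactly as the report states; the fixed version yields a single anchor whose only attribute is the `href`. On benign text containing both an ordinary URL and an api.php link, both versions produce the same output, which is the regression check a reviewer would want for the placeholder trick.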
I deployed the patch as it was today. Brad, it might be nice to make that update, just to make it a little more specific before we release this. Next release will probably be in a couple of weeks.
For reference, this was commit Idf985e4e69c2f11778a8a90503914678441cb3fb (gerrit bot presumably can't edit hidden security bugs)
This was assigned CVE-2014-2244
Change 115961 merged by jenkins-bot: SECURITY: API: Don't find links in the middle of api.php links https://gerrit.wikimedia.org/r/115961