Last modified: 2014-09-08 15:04:17 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T67778, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 65778 - When special pages are included, OutputPage::$mPreventClickjacking is not respected
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware/OS: All / All
Priority/Severity: Unprioritized / normal
Target Milestone: 1.23.x release
Assigned To: Nobody - You can work on this!
Reported: 2014-05-26 18:45 UTC by Kevin Israel (PleaseStand)
Modified: 2014-09-08 15:04 UTC
CC: 8 users


Attachments
- Copy prevent-clickjacking between OutputPage and ParserOutput (4.17 KB, patch), 2014-05-27 17:08 UTC, Brad Jorsch
- Copy prevent-clickjacking between OutputPage and ParserOutput (3.15 KB, patch), 2014-07-10 19:20 UTC, Chris Steipp
- Backport for REL1_23 (3.16 KB, patch), 2014-07-29 12:34 UTC, Markus Glaser
- Backport to REL1_22 (3.16 KB, patch), 2014-07-29 12:35 UTC, Markus Glaser
- Backport to REL1_19 (3.19 KB, patch), 2014-07-29 12:36 UTC, Markus Glaser

Description Kevin Israel (PleaseStand) 2014-05-26 18:45:11 UTC

    
Comment 1 Kevin Israel (PleaseStand) 2014-05-26 18:47:45 UTC
To reproduce, navigate to the following URL:

data:text/html,<iframe src="https://en.wikipedia.org/w/index.php?title=User:PleaseStand/Sandbox&oldid=610241510" width="800" height="600"></iframe>

Rollback links are visible inside the iframe.
Comment 2 Chris Steipp 2014-05-27 16:24:23 UTC
Thanks Kevin, that's definitely an issue. I'm not sure what our options are for checking the properties of transcluded pages, but that seems like something we should do.

Adding Brad and Tim, in case they've thought through this already.
Comment 3 Brad Jorsch 2014-05-27 17:08:04 UTC
Created attachment 15487 [details]
Copy prevent-clickjacking between OutputPage and ParserOutput

I haven't thought this through yet. But it looks like we already have functions copying metadata back and forth between ParserOutput and OutputPage, so fixing it could easily go like this:

1. Have a 'mPreventClickjacking' flag in ParserOutput.
2. Have ParserOutput::addOutputPageMetadata() combine its flag with the one from the passed OutputPage.
3. Have OutputPage::addParserOutputNoText() do the same thing from the passed ParserOutput.
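A model of the three steps above, added here as an example and not MediaWiki's own code: the class and method names follow the comment, while the getPreventClickjacking() accessor, the getFrameOptions() return value 'DENY' and the scenario at the bottom are assumptions made for the illustration.

```php
<?php
// Model of the fix, not MediaWiki's own code: the prevent-clickjacking flag
// lives on both ParserOutput and OutputPage and is OR-combined whenever
// metadata is copied between them, so it survives special-page inclusion.

class OutputPage {
    private $mPreventClickjacking = false;
    public function preventClickjacking( $flag = true ) {
        $this->mPreventClickjacking = (bool)$flag;
    }

    public function getPreventClickjacking() {
        return $this->mPreventClickjacking;
    }

    // Step 3: merge the flag from a ParserOutput being added to this page.
    public function addParserOutputNoText( ParserOutput $po ) {
        $this->mPreventClickjacking = $this->mPreventClickjacking || $po->getPreventClickjacking();
    }

    // Value for the X-Frame-Options header; 'DENY' is assumed for this model.
    public function getFrameOptions() {
        return $this->mPreventClickjacking ? 'DENY' : false;
    }
}

class ParserOutput {
    private $mPreventClickjacking = false;  // Step 1: the flag on ParserOutput

    public function getPreventClickjacking() {
        return $this->mPreventClickjacking;
    }

    // Step 2: merge the flag from the OutputPage a special page rendered into.
    public function addOutputPageMetadata( OutputPage $out ) {
        $this->mPreventClickjacking = $this->mPreventClickjacking || $out->getPreventClickjacking();
    }
}

// Constructed scenario: a special page (for instance one carrying rollback
// links) is included in an ordinary page and asks not to be framed.
$specialOut = new OutputPage();
$specialOut->preventClickjacking();
$po = new ParserOutput();
$po->addOutputPageMetadata( $specialOut );   // without step 2 the request is lost here
$pageOut = new OutputPage();                 // the page actually sent to the reader
$pageOut->addParserOutputNoText( $po );      // without step 3 it is lost here
echo $pageOut->getFrameOptions() === 'DENY' ? "X-Frame-Options: DENY\n" : "no header\n";
```

Removing either merge leaves $pageOut's flag false, which is the pre-fix behaviour the report describes: the included special page renders inside a frame with no X-Frame-Options header.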
Comment 4 Chris Steipp 2014-07-10 19:20:08 UTC
Created attachment 15894 [details]
Copy prevent-clickjacking between OutputPage and ParserOutput

I updated Brad's patch to take out the indentation change-- I'd like to make sure the security part is as small a change as possible. I'll submit an indentation change for all those once this is public.
Comment 5 Chris Steipp 2014-07-10 19:48:24 UTC
Deployed, and PleaseStand's PoC no longer works. Sorry for the delay in getting this out!

19:45 csteipp: deployed patch for bug65778
Comment 6 Markus Glaser 2014-07-29 12:34:45 UTC
Created attachment 16082 [details]
Backport for REL1_23

This backport was tested with

data:text/html,<iframe src="http://localhost/REL1_23/core/index.php?title=Benutzer:WikiSysop" width="800" height="600"></iframe>

Before the patch, the included special page was displayed. After the patch, the content of the iframe is blank (no errors). This is the same behavior as in master.
Comment 7 Markus Glaser 2014-07-29 12:35:44 UTC
Created attachment 16083 [details]
Backport to REL1_22

This backport was tested with

data:text/html,<iframe src="http://localhost/REL1_22/core/index.php?title=Benutzer:WikiSysop" width="800" height="600"></iframe>

Before the patch, the included special page was displayed. After the patch, the content of the iframe is blank (no errors). This is the same behavior as in master.

Can someone please confirm the backport works as designed?
Comment 8 Markus Glaser 2014-07-29 12:36:16 UTC
Created attachment 16084 [details]
Backport to REL1_19

This backport was tested with

data:text/html,<iframe src="http://localhost/REL1_19/core/index.php?title=Benutzer:WikiSysop" width="800" height="600"></iframe>

Before the patch, the included special page was displayed. After the patch, the content of the iframe is blank (no errors). This is the same behavior as in master.

Can someone please confirm the backport works as designed?
Comment 9 Chris Steipp 2014-07-29 16:42:34 UTC
Adding early access for Wikia and Debian
Comment 10 Chris Steipp 2014-07-30 00:27:08 UTC
Backports all seem to work fine. +2.
Comment 11 Chris Steipp 2014-08-14 16:32:54 UTC
This was assigned CVE-2014-5243
Comment 12 Andre Klapper 2014-09-07 20:11:31 UTC
So is there something left to do here, or is everything merged (RESOLVED FIXED)?
Comment 13 Brad Jorsch 2014-09-08 15:04:17 UTC
Looks like everything is merged to me. If I'm wrong, feel free to reopen.
