git.heureux-cyclage.org - lhc/web/wiklou.git/commit

author	Brian Wolff <bawolff+wn@gmail.com>
	Fri, 4 Dec 2015 02:39:16 +0000 (21:39 -0500)
committer	Chad Horohoe <chadh@wikimedia.org>
	Fri, 20 May 2016 16:25:49 +0000 (09:25 -0700)
commit	7e4a134f49d05c93c70968d238671b680922b79c
tree	454f99116e6a0383fa61cf08b63aac82331a610e	tree \| snapshot
parent	17b36599950e57cf852fba672435f7686237bb30	commit \| diff

SECURITY: Include quote characters in strip markers so esc in attr

Strip markers get substituted for general html, which means the
substitution text general does not escape quote characters. If
someone can convince MW to put a strip marker in an attribute,
you can get around escaping requirements that way. This patch
adds the characters `"' to the strip marker text. At least one
of these characters should be escaped inside attributes (regardless
of what quote character you use for attributes), thus normal html
escaping will deactivate the strip markers, preventing the
vulnrability.

This will break any extension that escapes input with htmlspecialchars,
to add to html/half parsed html output, but assumes that strip markers
are unmangled. I don't think its very common to do this. The primary
example I found was some core usages of Xml::escapeTagsOnly(). (And
even in that case, it only affected the corner case of being called
via {{#tag:..}})

Based on MatmaRex's suggestion.

Change-Id: If887065e12026530f36e5f35dd7ab0831d313561

Signed-off-by: Chad Horohoe <chadh@wikimedia.org>

includes/parser/CoreTagHooks.php		diff \| blob \| history
includes/parser/Parser.php		diff \| blob \| history
tests/parser/parserTests.txt		diff \| blob \| history