SECURITY: XSS in unclosed internal links
author Brian Wolff <bawolff+wn@gmail.com>
Wed, 8 Jun 2016 02:35:15 +0000 (22:35 -0400)
committer Chad <chadh@wikimedia.org>
Tue, 23 Aug 2016 03:39:36 +0000 (03:39 +0000)
rawurldecode was being run on unclosed internal links
which could allow an attacker to insert arbitrary
html into the page.

See also related: r13302

Bug: T137264
Change-Id: I4e112a9e918df9fe78b62c311939239b483a21f5
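
The mechanism the commit message describes, as an added example in PHP (not MediaWiki's code): the link target is first matched against a character class that admits `%` but not `<` or `>`, and only afterwards percent-decoded, so `%3C` passes the check and becomes a literal `<` on the way out. `TITLE_CHARS`, the `unclosedLink()` helper and the assumption that a literal `<` in the input would already have been neutralised before this branch are all simplifications of the surrounding parser, not taken from the page.

```php
<?php
// Added example, not MediaWiki code. Models the branch changed in this
// commit with a simplified title-character class. TITLE_CHARS is an
// assumption; MediaWiki's real set is wider but, like this one, admits
// '%' while excluding '<' and '>'.

const TITLE_CHARS = 'A-Za-z0-9 #%:/._()-';

/**
 * Handles a "[[target|caption" link that is never closed with "]]".
 * $escape = false reproduces the pre-fix path; true applies the fix.
 * Returns the wikitext echoed back, or null when the target contains a
 * character outside TITLE_CHARS and the pattern does not match at all.
 */
function unclosedLink(string $line, bool $escape): ?string {
    if (!preg_match('~^([' . TITLE_CHARS . ']+)\|(.*)~sD', $line, $m)) {
        return null; // a literal '<' is rejected by the character class
    }
    $target = $m[1];
    if (strpos($target, '%') !== false) {
        // Decoding happens after the character check above, so '%3C'
        // turns into '<' that the check never saw.
        $target = rawurldecode($target);
        if ($escape) {
            // The fix: neutralise the two characters that can open a tag.
            $target = str_replace(['<', '>'], ['&lt;', '&gt;'], $target);
        }
    }
    return '[[' . $target . '|' . $m[2];
}

$payload = '#%3Cscript%3Ealert(1)%3C/script%3E|';
var_dump(unclosedLink('#<script>alert(1)</script>|', false));
echo unclosedLink($payload, false), "\n";
echo unclosedLink($payload, true), "\n";
```

Running it shows the three cases side by side: the literal `<script>` form is rejected by the character class and returns `null`; the percent-encoded form, pre-fix, comes back as `[[#<script>alert(1)</script>|` with a live tag; with the fix it comes back as `[[#&lt;script&gt;alert(1)&lt;/script&gt;|`, which is the exact string the new parser test below expects.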

includes/parser/Parser.php
tests/parser/parserTests.txt

index 4f579a9..38eb621 100644 (file)
@@ -2158,7 +2158,7 @@ class Parser {
                                $might_be_img = true;
                                $text = $m[2];
                                if ( strpos( $m[1], '%' ) !== false ) {
-                                       $m[1] = rawurldecode( $m[1] );
+                                       $m[1] = str_replace( [ '<', '>' ], [ '&lt;', '&gt;' ], rawurldecode( $m[1] ) );
                                }
                                $trail = "";
                        } else { # Invalid form; output directly
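Review bot: the replacement on the `$m[1] = str_replace( ... rawurldecode( $m[1] ) )` line escapes only `<` and `>`, so percent-encoded `&`, `"` and `'` (`%26`, `%22`, `%27`) still come out as raw characters; that is sufficient if the decoded target is only ever echoed back as text, but if it can reach an attribute context `htmlspecialchars()` would be the safer call, and either way the choice deserves a short comment. It would also help to say why the escape lives here at all: the neighbouring `# Invalid form; output directly` comment explains the other branch, but nothing says that this `$might_be_img` branch can echo `$m[1]` back verbatim when the image guess turns out wrong. Keeping the escape inside the existing `strpos( $m[1], '%' )` guard is right, since without a `%` nothing is decoded and no new `<` can appear.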
index d6d2b29..c7bbc62 100644 (file)
@@ -27140,3 +27140,12 @@ Thumbnail output
 </div>
 </div>
 !! end
+
+!! test
+unclosed internal link XSS (T137264)
+!! wikitext
+[[#%3Cscript%3Ealert(1)%3C/script%3E|
+!! html
+<p>[[#&lt;script&gt;alert(1)&lt;/script&gt;|
+</p>
+!! end
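Review bot: the new test covers only `<` and `>` in the target. Because the fix is a targeted `str_replace` rather than `htmlspecialchars()`, a second case with a percent-encoded quote or ampersand in the target (for example `%22` or `%26`) would document that those are intentionally left decoded, and a double-encoded variant such as `%253C` would pin down that `rawurldecode` runs exactly once. The expected output `[[#&lt;script&gt;alert(1)&lt;/script&gt;|` itself is consistent with the escape being applied after decoding, which is the right order.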