SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled.
Most browsers percent escape < and > so its probably not exploitable
(curl is an exception here), but nonetheless its not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6

diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php
index c633431..6d95919 100644 (file)
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -103,13 +103,15 @@ class MWException extends Exception {
                        $logId = WebRequest::getRequestId();
                        $type = static::class;
                        return Html::errorBox(
                        $logId = WebRequest::getRequestId();
                        $type = static::class;
                        return Html::errorBox(

-                       '[' . $logId . '] ' .
-                       gmdate( 'Y-m-d H:i:s' ) . ": " .
-                       $this->msg( "internalerror-fatal-exception",
-                               "Fatal exception of type $1",
-                               $type,
-                               $logId,
-                               MWExceptionHandler::getURL( $this )
+                       htmlspecialchars(
+                               '[' . $logId . '] ' .
+                               gmdate( 'Y-m-d H:i:s' ) . ": " .
+                               $this->msg( "internalerror-fatal-exception",
+                                       "Fatal exception of type $1",
+                                       $type,
+                                       $logId,
+                                       MWExceptionHandler::getURL( $this )
+                               )

                        ) ) .
                        "<!-- Set \$wgShowExceptionDetails = true; " .
                        "at the bottom of LocalSettings.php to show detailed " .
                        ) ) .
                        "<!-- Set \$wgShowExceptionDetails = true; " .
                        "at the bottom of LocalSettings.php to show detailed " .

diff --git a/includes/exception/MWExceptionRenderer.php b/includes/exception/MWExceptionRenderer.php
index bb5e4f4..dbb984d 100644 (file)
--- a/includes/exception/MWExceptionRenderer.php
+++ b/includes/exception/MWExceptionRenderer.php
@@ -169,14 +169,15 @@ class MWExceptionRenderer {
                } else {
                        $logId = WebRequest::getRequestId();
                        $html = "<div class=\"errorbox mw-content-ltr\">" .
                } else {
                        $logId = WebRequest::getRequestId();
                        $html = "<div class=\"errorbox mw-content-ltr\">" .

-                               '[' . $logId . '] ' .
-                               gmdate( 'Y-m-d H:i:s' ) . ": " .
-                               self::msg( "internalerror-fatal-exception",
-                                       "Fatal exception of type $1",
-                                       get_class( $e ),
-                                       $logId,
-                                       MWExceptionHandler::getURL()
-                               ) . "</div>\n" .
+                               htmlspecialchars(
+                                       '[' . $logId . '] ' .
+                                       gmdate( 'Y-m-d H:i:s' ) . ": " .
+                                       self::msg( "internalerror-fatal-exception",
+                                               "Fatal exception of type $1",
+                                               get_class( $e ),
+                                               $logId,
+                                               MWExceptionHandler::getURL()
+                               ) ) . "</div>\n" .

                                "<!-- " . wordwrap( self::getShowBacktraceError( $e ), 50 ) . " -->";
                }
 
                                "<!-- " . wordwrap( self::getShowBacktraceError( $e ), 50 ) . " -->";
                }