From fea3bbcdae4f052f769ab466df6e1f5d47d1383c Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Wed, 18 Oct 2017 05:28:43 +0000
Subject: [PATCH] SECURITY: Escape internal error message

This message contains the request url, which is semi-user controlled.
Most browsers percent escape < and > so its probably not exploitable
(curl is an exception here), but nonetheless its not good.

Bug: T178451
Change-Id: I19358471ddf1b28377aad8e0fb54797c817bb6f6
---
 includes/exception/MWException.php         | 16 +++++++++-------
 includes/exception/MWExceptionRenderer.php | 17 +++++++++--------
 2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/includes/exception/MWException.php b/includes/exception/MWException.php
index c63343189f..6d95919a87 100644
--- a/includes/exception/MWException.php
+++ b/includes/exception/MWException.php
@@ -103,13 +103,15 @@ class MWException extends Exception {
 			$logId = WebRequest::getRequestId();
 			$type = static::class;
 			return Html::errorBox(
-			'[' . $logId . '] ' .
-			gmdate( 'Y-m-d H:i:s' ) . ": " .
-			$this->msg( "internalerror-fatal-exception",
-				"Fatal exception of type $1",
-				$type,
-				$logId,
-				MWExceptionHandler::getURL( $this )
+			htmlspecialchars(
+				'[' . $logId . '] ' .
+				gmdate( 'Y-m-d H:i:s' ) . ": " .
+				$this->msg( "internalerror-fatal-exception",
+					"Fatal exception of type $1",
+					$type,
+					$logId,
+					MWExceptionHandler::getURL( $this )
+				)
 			) ) .
 			"<!-- Set \$wgShowExceptionDetails = true; " .
 			"at the bottom of LocalSettings.php to show detailed " .
diff --git a/includes/exception/MWExceptionRenderer.php b/includes/exception/MWExceptionRenderer.php
index bb5e4f4eda..dbb984d06f 100644
--- a/includes/exception/MWExceptionRenderer.php
+++ b/includes/exception/MWExceptionRenderer.php
@@ -169,14 +169,15 @@ class MWExceptionRenderer {
 		} else {
 			$logId = WebRequest::getRequestId();
 			$html = "<div class=\"errorbox mw-content-ltr\">" .
-				'[' . $logId . '] ' .
-				gmdate( 'Y-m-d H:i:s' ) . ": " .
-				self::msg( "internalerror-fatal-exception",
-					"Fatal exception of type $1",
-					get_class( $e ),
-					$logId,
-					MWExceptionHandler::getURL()
-				) . "</div>\n" .
+				htmlspecialchars(
+					'[' . $logId . '] ' .
+					gmdate( 'Y-m-d H:i:s' ) . ": " .
+					self::msg( "internalerror-fatal-exception",
+						"Fatal exception of type $1",
+						get_class( $e ),
+						$logId,
+						MWExceptionHandler::getURL()
+				) ) . "</div>\n" .
 				"<!-- " . wordwrap( self::getShowBacktraceError( $e ), 50 ) . " -->";
 		}
 
-- 
2.20.1