Page MenuHomePhabricator
Create Task
Maniphest T123653

Cross-domain policy regexp is too narrow
Closed, ResolvedPublic
Actions

Description

Our regexp in OutputHandler, ApiFormatJson and ApiFormatPhp ('/\<\s*cross-domain-policy\s*\>/i') counts on this tag to never have any attributes. This is not the case, e.g. https://twitter.com/crossdomain.xml has <cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">. In any case, we must not assume that the spec will never change or that there will never be non-compliant plugin implementations.

Related Objects
Search...

Event Timeline

MaxSem created this task.Jan 14 2016, 7:11 PM
MaxSem raised the priority of this task from to Needs Triage.
MaxSem updated the task description. (Show Details)
MaxSem added projects: Security-Core, acl*security.
MaxSem changed the visibility from "Public (No Login Required)" to "Custom Policy".
MaxSem changed the edit policy from "All Users" to "Custom Policy".
MaxSem changed Security from None to Software security bug.
MaxSem subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 14 2016, 7:11 PM
MaxSem added a comment.Jan 14 2016, 7:27 PM

Alternatively, just nuke teh whole thing? Unless someone has an insane rewrite that allows to actually output this XML at /crossdomain.xml, this technique shouldn't be needed anymore.

csteipp subscribed.Jan 15 2016, 11:18 PM

I believe it's still needed, since any site can helpfully point to a custom url for crossdomain.xml on a site. I believe /crossdomain.xml will override the custom policy, but I haven't yet deployed a /crossdomain.xml yet (T75574: Host crossdomain.xml master policy file).

Anomie added a project: Patch-For-Review.Jan 18 2016, 5:03 PM
Anomie subscribed.

I think we should be able to get away with just changing the regex, along the lines of '/\<\s*cross-domain-policy(?=\s|>)/i', and the replacements similarly. This would be a slight change in that it would turn <cross-domain-policy> into \u003Ccross-domain-policy> instead of \u003Ccross-domain-policy\u003E for ApiFormatJson, but I don't think that will matter for the purpose.

SECURITY: Improve cross-domain-policy mangling.patch3 KBDownload

Legoktm added a subscriber: PleaseStand.Jan 19 2016, 8:27 AM
csteipp triaged this task as High priority.Jan 19 2016, 10:26 PM
Bawolff subscribed.Jan 19 2016, 10:27 PM

This patch looks fine to me, although I wonder if it would be simpler to do /\<\s*cross-domain-policy/i instead

Anomie added a comment.Jan 20 2016, 3:17 AM

Well, that would catch things like <cross-domain-policy-foobar that aren't the problematic tag.

csteipp added a comment.Mar 16 2016, 10:07 PM

T123653b.patch3 KBDownload

Updated for short array format in the tests.

csteipp added a parent task: T124940: MediaWiki 1.26.3 security release.Mar 29 2016, 9:52 PM
dpatrick closed this task as Resolved.Mar 29 2016, 10:53 PM
dpatrick claimed this task.
dpatrick subscribed.

Patch deployed (https://wikitech.wikimedia.org/wiki/Server_Admin_Log):

22:47 dapatrick: Deployed patch for T123653 to wmf18 and wmf19

demon mentioned this in T124940: MediaWiki 1.26.3 security release.Apr 20 2016, 3:09 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:24 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:24 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits