LQT not escaping thread subjects on page history
Closed, Resolved (Public)

Description

Users can insert any HTML into an LQT thread subject and it will appear unescaped in the page history.


Version: master
Severity: normal
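
The class of bug described above, as an added example that is neither LiquidThreads code nor the attached patch: a history row that interpolates the thread subject raw, next to one that escapes it on output, with a check that the row contains only the template's own elements. All function names and the sample subject are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. Names are hypothetical; this is not LiquidThreads code.

// Escape a value for use in HTML text or a quoted attribute.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defective pattern: the user name is escaped, the subject is not.
function historyRowUnsafe(string $user, string $subject): string {
    return '<li>' . esc($user) . ' created thread <em>' . $subject . '</em></li>';
}

// Corrected pattern: every dynamic value is escaped where it is emitted.
function historyRowSafe(string $user, string $subject): string {
    return '<li>' . esc($user) . ' created thread <em>' . esc($subject) . '</em></li>';
}

// Names of all elements opened in a fragment (regression-check helper).
function openedElements(string $html): array {
    preg_match_all('/<([a-zA-Z][a-zA-Z0-9]*)/', $html, $m);
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

// Constructed sample subject containing markup, an ampersand and quotes.
$subject = '<script>alert(1)</script> Q&A "notes"';

$unsafe = historyRowUnsafe('Alice', $subject);
$safe   = historyRowSafe('Alice', $subject);

// The template itself only ever opens <li> and <em>.
$allowed = ['li', 'em'];

foreach (['unsafe' => $unsafe, 'safe' => $safe] as $label => $row) {
    $extra = array_diff(openedElements($row), $allowed);
    echo $label, ': ', $row, "\n";
    echo '  unexpected elements: ', $extra ? implode(', ', $extra) : 'none', "\n";
}

// Escaping must not lose information: decoding the rendered text
// gives back exactly what the user typed.
$text = html_entity_decode(strip_tags($safe), ENT_QUOTES, 'UTF-8');
echo 'subject preserved: ',
    (substr($text, -strlen($subject)) === $subject ? 'yes' : 'no'), "\n";
```

The element check works as a regression test for any row template: feed it a subject containing markup and fail the build if an element outside the template's own set appears.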

Details

Reference
bz53320

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:48 AM
bzimport set Reference to bz53320.

Created attachment 13162
Escape thread subject on history page

Confirmed the issue, and fix. We'll deploy that and add a note about this in the 1.21.2 release.

Looks like it got deployed:

<logmsgbot> !log csteipp synchronized php-1.22wmf14/extensions/LiquidThreads 'Fix bug53320'
<logmsgbot> !log csteipp synchronized php-1.22wmf13/extensions/LiquidThreads 'Fix bug53320'

CCing Werdna, who wrote this code in r58000.

Dauerwaldweg wrote:

Are there fixes for older MW/LQT-Versions available too? Could someone please give detailed information which versions are fixed and which not?
The main extension page of LQT is somehow misleading to see what's done in the different branches.

The patch was only in master initially, but I just added patches for REL1_19, 20, and 21. Maybe someone can test and merge them?

Dauerwaldweg wrote:

Does this mean LQT 2.x and 3.x?

(In reply to comment #6)

Does this mean LQT 2.x and 3.x?

I am not aware of any existing codebase called "LiquidThreads 3.x" so this applies to 2.x.

This was assigned CVE-2013-4308

(In reply to comment #7)

(In reply to comment #6)

Does this mean LQT 2.x and 3.x?

I am not aware of any existing codebase called "LiquidThreads 3.x" so this
applies to 2.x.

Correct, the vulnerability was in the 2.x branch, which I think is the only reasonably supported version of lqt. It may exist in 3.x, but since that code is pretty much abandoned, I don't think it's been checked.