On 2016-10-29 5:30 PM, Brian Wolff wrote:
On Saturday, October 29, 2016, Daniel Friesen daniel@nadir-seen-fire.com wrote:
And then there is $image. urlpathinfo doesn't escape quotes, backslashes, or </script>.
It's hard to find docs on what urlpathinfo actually does (talk about a red flag for a security mechanism...) but I thought it was basically rawurlencode, which I think escapes all the relevant characters in this context as percent encoding.
-- Bawolff
You're right, urlpathinfo does escape '</script> to %27%3C/script%3E.
I was testing against the DISQUS widget's code which supposedly used urlpathinfo for its $id parameter: http://www.mediawikiwidgets.org/w/index.php?title=Widget:DISQUS&action=e...
However it turns out that the actual code in the widget was '<!--{$id|escape:'urlpathinfo '}-->' (there is a space after urlpathinfo but before the quote).
So it seems that `|escape:'urlpathinfo'` will safely escape things. But an extra space in the escape type name will make it an invalid escape type, and when Widgets encounters an invalid escape type, instead of erroring out and warning you, it just ignores the escape entirely and drops a wide open security hole in your widget.
(That said, DISQUS and nearly every other inline-script-using widget is still broken even if urlpathinfo worked, because just about every one of them uses something like '<!--{$url|escape:'quotes'}-->', which offers no security because it pretty much only escapes double quotes, leaving BOTH single quotes and </script> free to inject code)
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
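An added example, not part of this thread and not code from the Widgets extension: a small audit that scans widget template text for Smarty-style variables interpolated inside `<script>` blocks and flags the two failure modes discussed above (an escape type name with stray whitespace, and an escape type that does not neutralise quotes or `</script>`). The `urlpathinfo_like` helper is a Python approximation of rawurlencode-style percent-encoding, the `SAFE_IN_SCRIPT` set is this example's own assumption rather than a list from Smarty or Widgets documentation, and the template snippets are constructed.

```python
import re
from urllib.parse import quote

# Probe value discussed in the thread, constructed here as sample input.
PROBE = "'</script>"

def urlpathinfo_like(value):
    """Approximation of Smarty's urlpathinfo mode: percent-encode everything
    except '/', as rawurlencode would (assumption for this example)."""
    return quote(value, safe="/")

def breaks_js_string(value):
    """True if the value could close a single-quoted JS string literal or the
    enclosing <script> block once interpolated into inline script."""
    return any(tok in value for tok in ("'", "\\", "</"))

# Escape modes this example treats as safe inside a quoted JS string: their
# output contains no quotes, backslashes or '<'. Assumed list, not from docs.
SAFE_IN_SCRIPT = {"url", "urlpathinfo", "hex"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
VAR_RE = re.compile(r"\{\$(\w+)((?:\|[^}]*)?)\}")
ESCAPE_RE = re.compile(r"\|escape:'([^']*)'")

def audit_script_vars(template):
    """Return (variable, reason) findings for Widgets/Smarty variables that
    are interpolated inside <script> blocks with a missing or weak escape."""
    findings = []
    for script in SCRIPT_RE.findall(template):
        for name, mods in VAR_RE.findall(script):
            m = ESCAPE_RE.search(mods)
            if not m:
                findings.append((name, "no escape modifier"))
                continue
            mode = m.group(1)
            if mode != mode.strip():
                findings.append((name, "escape type has stray whitespace; engine may ignore it"))
            elif mode not in SAFE_IN_SCRIPT:
                findings.append((name, f"escape type '{mode}' leaves quotes or </script> intact"))
    return findings

# Constructed widget snippets modelled on the patterns discussed above
# (not the real DISQUS widget source).
TEMPLATES = {
    "trailing-space": "<script>var id='<!--{$id|escape:'urlpathinfo '}-->';</script>",
    "quotes-only": "<script>var url='<!--{$url|escape:'quotes'}-->';</script>",
    "percent-encoded": "<script>var id='<!--{$id|escape:'urlpathinfo'}-->';</script>",
}

if __name__ == "__main__":
    print(urlpathinfo_like(PROBE))  # %27%3C/script%3E
    for label, tpl in TEMPLATES.items():
        print(label, audit_script_vars(tpl))
```

Only the "percent-encoded" template passes clean; the other two produce one finding each naming the offending variable.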