There is a mouseover user-specified JavaScript execution vulnerability affecting MediaWiki 1.6.6 when running with two specific extensions.
Specifically this is with the experimental <sort> extension. Nobody should be using that one just yet, as it's still under development.
Superficially, yes, that's correct.
However, on a deeper level *maybe* it misses something. Specifically, this problem wasn't found by automated testing.
Rather, it was found by noticing the automated testing was finding problems with nested extension calls, and then suspecting that there was a deeper problem with the interaction between nested extension calls. The fact that such a problem was then found by hand leads me to wonder whether this hypothesis is correct.
In other words, this seems like it *might* be systemic in nested extension calls, rather than a one-off.
For example, suppose a site has extensions A and B installed.
Now suppose a user does something like this: <a><b arg="something"></a>
(i.e. Makes a nested call to extension B inside extension A.)
or this: <a><a arg="something"></a>
(i.e. makes a nested call to extension A instead extension A.)
Calls to extensions inside wiki text are special, and from the Parser output it's clear they're treated specially, in that they seem to have different precedence.
Currently extension A has to do lots of checking of the input to prevent this kind of thing from being a problem. Example: http://nickj.org/MediaWiki/Parser26 which abused a call to the ref extension inside a call to the ref extension. Your fix is here: http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015379.html ; But the potentially worrying bit was that it only addresses that specific extension.
So that was Ref + Ref. Besides this problem, there are others: http://nickj.org/MediaWiki/Parser31 , which is Inputbox + Math. http://nickj.org/MediaWiki/Parser28-variant1 , which is Sort + Math.
And of course this one, which is Sort + something.
*Maybe* (and this goes back to the thing of formally specifying what's allowed in wiki text) nested calls to extensions should be ignored by the parser.
Or, failing that, maybe the inner call should have to complete, and then the outer should be called - whereas I suspect *maybe* sometimes the outer is called first, and then the inner is called second, which potentially is where some of these things are coming from.
Either option would allow extension authors have to worry less about bad input (by making it more the Parser's problem than the extension's problem).
Of course, I could be wrong.
All the best, Nick.
Either option would allow extension authors have to worry less about bad input (by making it more the Parser's problem than the extension's problem).
... which I think is kinda what you just said to me in private email. That'll teach me to send outgoing mail before reading incoming mail, so I'll shut up now.
All the best, Nick.
Nick Jenkins wrote:
Either option would allow extension authors have to worry less about bad input (by making it more the Parser's problem than the extension's problem).
... which I think is kinda what you just said to me in private email. That'll teach me to send outgoing mail before reading incoming mail, so I'll shut up now.
;)
The new one-pass tag stripping* is now in trunk and live on Wikimedia's sites. It passes all parser tests, and has additionally fixed bug 5384 (<!-- comments --> in <ref> tags).
* Comments are actually done on a separate pass, but unstripped back into tag contents where they can be dealt with appropriately by the extension.
If it holds up well for a couple days, it could be backported to 1.6 to provide some more robustness against extension-nesting problems.
-- brion vibber (brion @ pobox.com)
Brion Vibber wrote:
The new one-pass tag stripping* is now in trunk and live on Wikimedia's sites. It passes all parser tests, and has additionally fixed bug 5384 (<!-- comments --> in <ref> tags).
- Comments are actually done on a separate pass, but unstripped back into tag
contents where they can be dealt with appropriately by the extension.
I've now folded the comments into the same pass as tags, fixing regressions with a couple funny cases. Additionally I've fixed some old buglets with the pre-save transform sometimes altering closing tags.
Note that an interesting effect of the one-pass tag stripping is that the order tags are handled in is more predictable: tag extensions are executed in the order they appear inline.
Previously if you had a document like this:
<ref>one</ref> <gallery>Image:Foo</gallery> <ref>two</ref> <references/>
the system would render first the <gallery>, second all the <ref>s, and finally the <references>.
Now, it renders the first <ref>, then the <gallery>, then the second <ref>, and finally the <references/>. This actually becomes more interesting if you want to do some legitimate nesting in tags supporting internal wikitext:
<ref>one</ref> <gallery>Image:Foo|<ref>two</ref></gallery> <ref>three</ref> <references/>
Under the new system this can actually work correctly. The embedded second <ref> gets rendered during the rendering of the <gallery>, which is between the external first and third <ref>s. Since they're executed in the expected logical order, they keep that order in the references list.
Definitely an improvement.
-- brion vibber (brion @ pobox.com)
Moin,
On Friday 02 June 2006 01:02, Brion Vibber wrote:
Brion Vibber wrote:
The new one-pass tag stripping* is now in trunk and live on Wikimedia's sites. It passes all parser tests, and has additionally fixed bug 5384 (<!-- comments --> in <ref> tags).
- Comments are actually done on a separate pass, but unstripped back
into tag contents where they can be dealt with appropriately by the extension.
[snipabit]
Under the new system this can actually work correctly. The embedded second <ref> gets rendered during the rendering of the <gallery>, which is between the external first and third <ref>s. Since they're executed in the expected logical order, they keep that order in the references list.
Definitely an improvement.
Very cool. I am not sure if this will help my problem with nesting templates and extensions, but maybe I can nest some extension tags to achive the effect I want, namely:
{{slides|output=foo}}
and
{{slides|output=bar}}
to result in (inside the slides template):
{{navbar|txt= <slides output="{{{output}}}"> </slides> }}
e.g. the template parameter is passed somehow along to the extension. At the moment (well in 1.6.5) this doesn't work since {{{output}}} isn't replaced by the parameter text. I also tried to put the {{{output}}} inside the tags so:
{{navbar|txt= <slides> output={{{output}}} </slides> }}
but had no luck, either. But maybe now I can trick it into working by using some pseudo-extension tags.
Thanx a lot,
Tels
wikitech-l@lists.wikimedia.org