Create Task
Maniphest T141670

Templates are parsed in AbuseLog
Closed, ResolvedPublic
Actions

Description

In the abuse filter log (Special:AbuseLog), the description of the filter (see line 769 and 826 of "includes/special/SpecialAbuseLog.php" in AbuseFilter extension), should not be parsed.

For example, see https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchUser=MaxSem

Details

SubjectRepoBranchLines +/-
Always show abuse filter public comments as plain textmediawiki/extensions/AbuseFiltermaster+10 -11
Customize query in gerrit

Related Objects

Event Timeline

MaxSem created this task.Jul 29 2016, 11:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 29 2016, 11:23 PM
MaxSem added a project: AbuseFilter.Jul 29 2016, 11:24 PM
matmarex subscribed.Jul 29 2016, 11:31 PM

This is probably not a security issue, unless you see the same thing somewhere else too. From what I see, at worst it makes viewing some logs annoying. The filter descriptions can only be edited by trusted users.

MaxSem added a comment.Jul 29 2016, 11:42 PM

I just quickly logged this bug, needs checking what else is parsed. If it's only things editable by privileged groups, then it can be made public.

dpatrick triaged this task as Medium priority.Aug 2 2016, 8:29 PM
RobLa-WMF lowered the priority of this task from Medium to Low.Aug 2 2016, 8:32 PM
RobLa-WMF added subscribers: dpatrick, Bawolff, RobLa-WMF.

@Bawolff, @dpatrick and I triaged this. Max, is the danger that someone can inject hyperlinks/etc in the AbuseLog?

Bawolff updated the task description. (Show Details)Dec 10 2017, 3:32 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".

Making public, I don't see any way to exploit this

Bawolff mentioned this in T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.Dec 10 2017, 3:32 PM
matej_suchanek subscribed.Dec 10 2017, 8:57 PM

Looks like a duplicate of T26309 to me.

matmarex unsubscribed.Dec 11 2017, 5:16 PM
Melos mentioned this in T173249: AbuseFilter abusefilter-warning rendered with <div class="mw-parser-output"> in text.Mar 7 2018, 4:38 PM
gerritbot subscribed.Mar 10 2018, 1:47 PM

Change 418584 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/AbuseFilter@master] Always show abuse filter public comments as plain text

https://gerrit.wikimedia.org/r/418584

gerritbot added a project: Patch-For-Review.Mar 10 2018, 1:47 PM
Daimona merged a task: T26309: Some interface messages are broken if filter name contains template syntax.Mar 12 2018, 5:17 PM
Daimona added subscribers: liangent, zhuyifei1999, Huji and 4 others.
gerritbot added a comment.Mar 29 2018, 4:13 PM

Change 418584 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Always show abuse filter public comments as plain text

https://gerrit.wikimedia.org/r/418584

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-04-03 (1.31.0-wmf.28)).Mar 29 2018, 5:00 PM
matej_suchanek closed this task as Resolved.Mar 29 2018, 5:03 PM
matej_suchanek assigned this task to Melos.
matej_suchanek edited projects, added User-notice; removed Patch-For-Review.
matej_suchanek moved this task from To Triage to Announce in next Tech/News on the User-notice board.
matej_suchanek unsubscribed.
Liuxinyu970226 moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Mar 31 2018, 3:08 AM
Liuxinyu970226 unsubscribed.Mar 31 2018, 3:18 AM
Johan moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Apr 5 2018, 6:05 PM
RandomDSdevel awarded a token.Apr 6 2018, 7:48 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Stang unsubscribed.Nov 13 2021, 11:34 PM
Ladsgroup edited projects, added User-notice-archive; removed User-notice.Aug 13 2022, 1:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits