Difference between revisions of "MediaWiki"
From Nick Jenkins
m |
(add colour coding + Parser24 test) |
Line 1: | Line 1: | ||
− | Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available]. | + | Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available], although the [http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/wiki-mangleme.php version now in the MediaWiki trunk] is probably more current. |
* [[:MediaZilla:5066|MediaWiki bug report]]. | * [[:MediaZilla:5066|MediaWiki bug report]]. | ||
Line 10: | Line 10: | ||
! Validate HTML | ! Validate HTML | ||
! Tidy HTML | ! Tidy HTML | ||
− | ! Security<br>aspects? | + | ! [[#Definition of Security Aspects|Security<br>aspects?]] |
! Visible<br>Artefacts? | ! Visible<br>Artefacts? | ||
! Notes and any extra info. | ! Notes and any extra info. | ||
Line 116: | Line 116: | ||
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator] | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator] | ||
| {{tidy-html|page=MediaWiki/Parser13}} | | {{tidy-html|page=MediaWiki/Parser13}} | ||
− | | Yes. | + | | bgcolor=yellow | Yes. |
| No. | | No. | ||
| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table]. | | Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table]. | ||
Line 124: | Line 124: | ||
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator] | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator] | ||
| {{tidy-html|page=MediaWiki/Parser14}} | | {{tidy-html|page=MediaWiki/Parser14}} | ||
− | | Yes. | + | | bgcolor=yellow | Yes. |
| Yes. | | Yes. | ||
| TOC insertion | | TOC insertion | ||
Line 132: | Line 132: | ||
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator] | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator] | ||
| {{tidy-html|page=MediaWiki/Parser14-table}} | | {{tidy-html|page=MediaWiki/Parser14-table}} | ||
− | | Yes. | + | | bgcolor=yellow | Yes. |
| Yes. | | Yes. | ||
| TOC insertion | | TOC insertion | ||
Line 148: | Line 148: | ||
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator] | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator] | ||
| {{tidy-html|page=MediaWiki/Parser16}} | | {{tidy-html|page=MediaWiki/Parser16}} | ||
− | | Yes. | + | | bgcolor=yellow | Yes. |
| No. | | No. | ||
| <s>Generates Tidy error due to <th> tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string]. | | <s>Generates Tidy error due to <th> tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string]. | ||
Line 188: | Line 188: | ||
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator] | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator] | ||
| {{tidy-html|page=MediaWiki/Parser21}} | | {{tidy-html|page=MediaWiki/Parser21}} | ||
− | | Yes. | + | | bgcolor=yellow | Yes. |
| No. | | No. | ||
| | | | ||
Line 196: | Line 196: | ||
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator] | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator] | ||
| {{tidy-html|page=MediaWiki/Parser22}} | | {{tidy-html|page=MediaWiki/Parser22}} | ||
− | | Yes. | + | | bgcolor=yellow |Yes. |
| No. | | No. | ||
| Double links injection. | | Double links injection. | ||
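Review bot: the recoloured Parser22 cell "| bgcolor=yellow |Yes." is missing the space after the cell separator that every other recoloured cell in this edit has ("| bgcolor=yellow | Yes."); it renders the same, but keeping the cells uniform makes the next diff of this table easier to read.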
Line 207: | Line 207: | ||
| No. | | No. | ||
| Pre allows malformed URI. Fails validation (unlike nowiki). | | Pre allows malformed URI. Fails validation (unlike nowiki). | ||
+ | |- | ||
+ | | [[MediaWiki/Parser24]] | ||
+ | | [[Special:Export/MediaWiki/Parser24|Export Wiki Source]] | ||
+ | | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser24 W3C Validator] | ||
+ | | {{tidy-html|page=MediaWiki/Parser24}} | ||
+ | | bgcolor=red | Yes. | ||
+ | | No. | ||
+ | | Allows User-specified JavaScript Execution. | ||
|} | |} | ||
− | + | ==Definition of Security Aspects== | |
− | + | ||
+ | For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example: | ||
* ''<p><td><s></p>'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML. | * ''<p><td><s></p>'' would '''not''' be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML. | ||
* ''<nowiki><a href="http://as<td></td><td class="external free"><p>user text here</nowiki>'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes. | * ''<nowiki><a href="http://as<td></td><td class="external free"><p>user text here</nowiki>'' would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes. | ||
* A string missing the start of a tag would also be considered to have a security aspect - e.g. ''<nowiki><th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th></nowiki>'' - because the ''<a href="xxx'' part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order. | * A string missing the start of a tag would also be considered to have a security aspect - e.g. ''<nowiki><th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th></nowiki>'' - because the ''<a href="xxx'' part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order. | ||
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table. | So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table. |
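Review bot: this hunk introduces two colours (bgcolor=yellow on the existing "Yes." cells, bgcolor=red on the new Parser24 row) but the new "Definition of Security Aspects" section never says what the colours distinguish; add a one-line legend there, e.g. yellow for the malformed-tag or injected-attribute cases the definition describes and red for the Parser24 case ("Allows User-specified JavaScript Execution."). The Parser24 row is also the only security row without a bug report or wikitech-l link in its Notes cell, unlike Parser13 and Parser16; if a MediaZilla entry or mailing-list explanation exists for it, link it, since it is the most severe row in the table.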
Revision as of 02:29, 23 May 2006
Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by fuzz testing of MediaWiki, using a modified PHP port of the Python port of mangleme. The source code is available, although the version now in the MediaWiki trunk is probably more current.
Definition of Security Aspects
For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:
- <p><td><s></p> would not be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
- <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
- A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.
So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
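As an added example (not the wiki page's or MediaWiki's own code), a small Python checker that applies this definition to a fragment of parser output: it returns "security" when a tag start or end is missing or attribute text is injected, "invalid" when tags are merely out of order or unclosed, and "ok" otherwise. The hand-rolled tag scanner and the stray-attribute regex are heuristics assumed here, not anything from the page.

```python
import re

# Where a tag would start: '<name' or '</name'.
OPENER_RE = re.compile(r"</?[A-Za-z]")
# Heuristic for attribute syntax leaking into text content, i.e. the start of a
# tag was cut off:   |||||" class="external free" title="..." rel="nofollow">
STRAY_ATTR_RE = re.compile(r'"\s*[A-Za-z][\w-]*\s*=\s*"')


def classify(fragment):
    """Return (verdict, reasons): "ok"; "invalid" = tags mis-ordered/unclosed but
    each complete; "security" = tag start or end missing, or attributes injected."""
    security, invalid, stack, i, n = [], [], [], 0, len(fragment)
    while i < n:
        m = OPENER_RE.search(fragment, i)
        j = m.start() if m else n
        if STRAY_ATTR_RE.search(fragment[i:j]):
            security.append("start of tag missing: attribute text %r" % fragment[i:j][:40])
        if not m:
            break
        # Scan the tag ourselves, tracking quotes: a lenient HTML parser would
        # silently accept '<td>' inside an unterminated href value.
        k, quote = j + 1, None
        while k < n and (quote or fragment[k] != ">"):
            if quote and fragment[k] == quote:
                quote = None
            elif quote and OPENER_RE.match(fragment, k):
                security.append("end of tag missing: %r swallows markup" % fragment[j:k])
            elif not quote and fragment[k] in "\"'":
                quote = fragment[k]
            k += 1
        if k >= n:
            security.append("end of tag missing: unterminated %r" % fragment[j:j + 12])
            break
        tag = fragment[j + 1:k]
        name = re.match(r"/?([A-Za-z][A-Za-z0-9]*)", tag).group(1).lower()
        if not tag.startswith("/"):
            stack.append(name)  # simplification: void elements are not special-cased
        elif name in stack:
            if stack[-1] != name:
                invalid.append("tags out of order at </%s>" % name)
            del stack[len(stack) - 1 - stack[::-1].index(name):]
        else:
            invalid.append("stray </%s>" % name)
        i = k + 1
    if stack:
        invalid.append("unclosed tags: " + " ".join(stack))
    verdict = "security" if security else ("invalid" if invalid else "ok")
    return verdict, security + invalid
```

Run over the three fragments from the definition above, the first is reported as "invalid" and the other two as "security".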