Difference between revisions of "MediaWiki"

Revision as of 03:49, 24 May 2006

Various MediaWiki 1.6.6 parser tests, that fail HTML validation. These were all found by fuzz testing of MediaWiki, using a modified PHP port of the Python port of mangleme. The source code is available, although the version now in the MediaWiki trunk is probably more current (changelog).

MediaWiki bug report.

Test	Wiki Source	Validate HTML	Tidy HTML	Security aspects?	Fixed in	Visible Artefacts?	Notes and any extra info.
MediaWiki/Parser1	Export Wiki Source	W3C Validator	Tidy HTML	No		Yes	Stikes out almost all text. Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5.
MediaWiki/Parser1-hidden	Export Wiki Source	W3C Validator	Tidy HTML	No		Yes	Hides almost all text, which also makes all page links unavailable.
MediaWiki/Parser2	Export Wiki Source	W3C Validator	Tidy HTML	No		No
MediaWiki/Parser3	Export Wiki Source	W3C Validator	Tidy HTML	No		No
MediaWiki/Parser4	Export Wiki Source	W3C Validator	Tidy HTML	No		No
MediaWiki/Parser5	Export Wiki Source	W3C Validator	Tidy HTML	No		Yes	Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
MediaWiki/Parser6	Export Wiki Source	W3C Validator	Tidy HTML	No		Yes	Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
~~MediaWiki/Parser7~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	No	1.6.1	No.	Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
MediaWiki/Parser8	Export Wiki Source	W3C Validator	Tidy HTML	No		No
MediaWiki/Parser9	Export Wiki Source	W3C Validator	Tidy HTML	No		No
MediaWiki/Parser10	Export Wiki Source	W3C Validator	Tidy HTML	No		No
MediaWiki/Parser11	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation.
MediaWiki/Parser12	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation.
~~MediaWiki/Parser13~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.6	No.	~~sDrops the '<a href="xxx' string. Explanation for this + Parser14 + Parser14-table.~~ Completely fixed in 1.6.6.
~~MediaWiki/Parser14~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.6	~~Yes~~ No.	~~TOC insertion~~ Completely fixed in 1.6.6.
~~MediaWiki/Parser14-table~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.6	~~Yes~~ No.	~~TOC insertion~~ Completely fixed in 1.6.6.
MediaWiki/Parser15	Export Wiki Source	W3C Validator	Tidy HTML	No		No.	~~Generates Tidy error due to <caption> tags out of order.~~ As of 1.6.1 just fails validation.
MediaWiki/Parser16	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	~~Generates Tidy error due to <th> tags out of order.~~ ~~As of 1.6.1, dropped the '<a href="xxx' string.~~ Security aspects fixed in 1.6.6, although still fails W3C Validation.
~~MediaWiki/Parser17~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.1	No.	Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
~~MediaWiki/Parser18~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.1	No.	Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
~~MediaWiki/Parser19~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.1	No.	Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
MediaWiki/Parser20	Export Wiki Source	W3C Validator	Tidy HTML	No		No.	Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the links don't act like normal links (in Firefox, at least) - clicking on them does nothing.
~~MediaWiki/Parser21~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.6	No.	Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
~~MediaWiki/Parser22~~	~~Export Wiki Source~~	~~W3C Validator~~	~~Tidy HTML~~	~~Yes~~ No.	1.6.6	No.	~~Double links injection.~~ Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
MediaWiki/Parser23	Export Wiki Source	W3C Validator	Tidy HTML	No.		No.	Pre allows malformed URI. Fails validation (unlike nowiki).
MediaWiki/Parser24	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	~~Allows User-specified JavaScript Execution.~~ Security aspects fixed in 1.6.6, although still fails W3C Validation.
MediaWiki/Parser25	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	~~Allows User-specified JavaScript Execution.~~ Security aspects fixed in 1.6.6, although still fails W3C Validation.
MediaWiki/Parser25-variant1	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	~~Allows User-specified JavaScript Execution.~~ Security aspects fixed in 1.6.6, although still fails W3C Validation.
MediaWiki/Parser25-variant2	Export Wiki Source	W3C Validator	Tidy HTML	~~Yes~~ No.		No.	~~Allows User-specified JavaScript Execution.~~ Security aspects fixed in 1.6.6, although still fails W3C Validation.

Definition of Security Aspects

For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end to be missing, or attributes of any type that should not be there to be injected. For example:

<p><td><s></p> would not be considered to have a security aspect because all the tags are appearing ok (are not malformed), although it is invalid HTML.
<a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.

So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.

Difference between revisions of "MediaWiki"

Revision as of 03:49, 24 May 2006

Definition of Security Aspects

Navigation menu

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Tools

@@ Line 1: / Line 1: @@
-Various MediaWiki 1.6.1 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available], although the [http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/wiki-mangleme.php version now in the MediaWiki trunk] is probably more current.
+Various MediaWiki 1.6.6 parser tests, that fail HTML validation. These were all found by [http://www.cs.wisc.edu/~bart/fuzz/fuzz.html fuzz testing] of MediaWiki, using a modified PHP port of [http://www.securiteam.com/tools/6Z00N1PBFK.html the Python port] of [http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0 mangleme]. The [http://files.nickj.org/MediaWiki/wiki-mangleme.phps source code is available], although the [http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/wiki-mangleme.php version now in the MediaWiki trunk] is probably more current ([http://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3/maintenance/wiki-mangleme.php?view=log changelog]).
 * [[:MediaZilla:5066|MediaWiki bug report]].
@@ Line 11: / Line 11: @@
 ! Tidy HTML
 ! [[#Definition of Security Aspects|Security<br>aspects?]]
+! Fixed in
 ! Visible<br>Artefacts?
 ! Notes and any extra info.
@@ Line 19: / Line 20: @@
 | {{tidy-html|page=MediaWiki/Parser1}}
 | No
-| Yes
+|
+| bgcolor=grey | Yes
 | Stikes out almost all text. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-February/034012.html Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5].
 |-
@@ Line 27: / Line 29: @@
 | {{tidy-html|page=MediaWiki/Parser1-hidden}}
 | No
-| Yes
+|
+| bgcolor=grey | Yes
 | Hides almost all text, which also makes all page links unavailable.
 |-
@@ Line 35: / Line 38: @@
 | {{tidy-html|page=MediaWiki/Parser2}}
 | No
+|
 | No
 |-
@@ Line 42: / Line 46: @@
 | {{tidy-html|page=MediaWiki/Parser3}}
 | No
+|
 | No
 |-
@@ Line 49: / Line 54: @@
 | {{tidy-html|page=MediaWiki/Parser4}}
 | No
+|
 | No
 |-
@@ Line 56: / Line 62: @@
 | {{tidy-html|page=MediaWiki/Parser5}}
 | No
-| Yes
+|
+| bgcolor=grey | Yes
 | Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels.
 |-
@@ Line 64: / Line 71: @@
 | {{tidy-html|page=MediaWiki/Parser6}}
 | No
-| Yes
+|
+| bgcolor=grey | Yes
 | Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text.
 |-
@@ Line 72: / Line 80: @@
 | <s>{{tidy-html|page=MediaWiki/Parser7}}</s>
 | No
+| 1.6.1
 | No.
 | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
@@ Line 80: / Line 89: @@
 | {{tidy-html|page=MediaWiki/Parser8}}
 | No
+|
 | No
 |-
@@ Line 87: / Line 97: @@
 | {{tidy-html|page=MediaWiki/Parser9}}
 | No
+|
 | No
 |-
@@ Line 94: / Line 105: @@
 | {{tidy-html|page=MediaWiki/Parser10}}
 | No
+|
 | No
 |-
@@ Line 101: / Line 113: @@
 | {{tidy-html|page=MediaWiki/Parser11}}
 | <s>Yes</s> No.
+|
 | No.
-| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13424 now fixed in 1.6], although still fails W3C Validation.
+| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-March/034614.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13424 fixed in 1.6.1], although still fails W3C Validation.
 |-
 | [[MediaWiki/Parser12]]
@@ Line 109: / Line 122: @@
 | {{tidy-html|page=MediaWiki/Parser12}}
 | <s>Yes</s> No.
+|
 | No.
-| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13441 now fixed in 1.6], although still fails W3C Validation.
+| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034637.html Explanation]. Security aspects [http://svn.wikimedia.org/viewvc/mediawiki?view=rev&sortby=date&revision=13441 fixed in 1.6.1], although still fails W3C Validation.
 |-
-| [[MediaWiki/Parser13]]
+| <s>[[MediaWiki/Parser13]]</s>
-| [[Special:Export/MediaWiki/Parser13|Export Wiki Source]]
+| <s>[[Special:Export/MediaWiki/Parser13|Export Wiki Source]]</s>
-| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]
+| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser13 W3C Validator]</s>
-| {{tidy-html|page=MediaWiki/Parser13}}
+| <s>{{tidy-html|page=MediaWiki/Parser13}}</s>
-| bgcolor=yellow | Yes.
+| <s>Yes</s> No.
+| 1.6.6
 | No.
-| Drops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].
+| <s>sDrops the '<a href="xxx' string. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034659.html Explanation for this + Parser14 + Parser14-table].</s> Completely fixed in 1.6.6.
 |-
-| [[MediaWiki/Parser14]]
+| <s>[[MediaWiki/Parser14]]</s>
-| [[Special:Export/MediaWiki/Parser14|Export Wiki Source]]
+| <s>[[Special:Export/MediaWiki/Parser14|Export Wiki Source]]</s>
-| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]
+| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14 W3C Validator]</s>
-| {{tidy-html|page=MediaWiki/Parser14}}
+| <s>{{tidy-html|page=MediaWiki/Parser14}}</s>
-| bgcolor=yellow | Yes.
+| <s>Yes</s> No.
-| Yes.
+| 1.6.6
-| TOC insertion
+| <s>Yes</s> No.
+| <s>TOC insertion</s> Completely fixed in 1.6.6.
 |-
-| [[MediaWiki/Parser14-table]]
+| <s>[[MediaWiki/Parser14-table]]</s>
-| [[Special:Export/MediaWiki/Parser14-table|Export Wiki Source]]
+| <s>[[Special:Export/MediaWiki/Parser14-table|Export Wiki Source]]</s>
-| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]
+| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser14-table W3C Validator]</s>
-| {{tidy-html|page=MediaWiki/Parser14-table}}
+| <s>{{tidy-html|page=MediaWiki/Parser14-table}}</s>
-| bgcolor=yellow | Yes.
+| <s>Yes</s> No.
-| Yes.
+| 1.6.6
-| TOC insertion
+| <s>Yes</s> No.
+| <s>TOC insertion</s> Completely fixed in 1.6.6.
 |-
 | [[MediaWiki/Parser15]]
@@ Line 141: / Line 158: @@
 | {{tidy-html|page=MediaWiki/Parser15}}
 | No
+|
 | No.
 | <s>Generates Tidy error due to &lt;caption&gt; tags out of order.</s> As of 1.6.1 just fails validation.
@@ Line 148: / Line 166: @@
 | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser16 W3C Validator]
 | {{tidy-html|page=MediaWiki/Parser16}}
-| bgcolor=yellow | Yes.
+| <s>Yes</s> No.
+|
 | No.
-| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, now drops the '<a href="xxx' string].
+| <s>Generates Tidy error due to &lt;th&gt; tags out of order.</s> <s>[http://mail.wikipedia.org/pipermail/wikitech-l/2006-April/034770.html As of 1.6.1, dropped the '<a href="xxx' string.</s>]<br> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 |-
 | <s>[[MediaWiki/Parser17]]</s>
@@ Line 156: / Line 175: @@
 | <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser17 W3C Validator]</s>
 | <s>{{tidy-html|page=MediaWiki/Parser17}}</s>
-| <s>Yes.</s> No.
+| <s>Yes</s> No.
+| 1.6.1
 | No.
 | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
@@ Line 164: / Line 184: @@
 | <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser18 W3C Validator]</s>
 | <s>{{tidy-html|page=MediaWiki/Parser18}}</s>
-| <s>Yes.</s> No.
+| <s>Yes</s> No.
+| 1.6.1
 | No.
 | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
@@ Line 172: / Line 193: @@
 | <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser19 W3C Validator]</s>
 | <s>{{tidy-html|page=MediaWiki/Parser19}}</s>
-| <s>Yes.</s> No.
+| <s>Yes</s> No.
+| 1.6.1
 | No.
 | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors.
@@ Line 181: / Line 203: @@
 | {{tidy-html|page=MediaWiki/Parser20}}
 | No
+|
 | No.
 | Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the<br>links don't act like normal links (in Firefox, at least) - clicking on them does nothing.
 |-
-| [[MediaWiki/Parser21]]
+| <s>[[MediaWiki/Parser21]]</s>
-| [[Special:Export/MediaWiki/Parser21|Export Wiki Source]]
+| <s>[[Special:Export/MediaWiki/Parser21|Export Wiki Source]]</s>
-| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator]
+| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser21 W3C Validator]</s>
-| {{tidy-html|page=MediaWiki/Parser21}}
+| <s>{{tidy-html|page=MediaWiki/Parser21}}</s>
-| bgcolor=yellow | Yes.
+| <s>Yes</s> No.
+| 1.6.6
 | No.
-|
+| Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
 |-
-| [[MediaWiki/Parser22]]
+| <s>[[MediaWiki/Parser22]]</s>
-| [[Special:Export/MediaWiki/Parser22|Export Wiki Source]]
+| <s>[[Special:Export/MediaWiki/Parser22|Export Wiki Source]]</s>
-| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator]
+| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser22 W3C Validator]</s>
-| {{tidy-html|page=MediaWiki/Parser22}}
+| <s>{{tidy-html|page=MediaWiki/Parser22}}</s>
-| bgcolor=yellow |Yes.
+| <s>Yes</s> No.
+| 1.6.6
 | No.
-| Double links injection.
+| <s>Double links injection.</s> Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors.
 |-
 | [[MediaWiki/Parser23]]
@@ Line 205: / Line 230: @@
 | {{tidy-html|page=MediaWiki/Parser23}}
 | No.
+|
 | No.
 | Pre allows malformed URI. Fails validation (unlike nowiki).
@@ Line 212: / Line 238: @@
 | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser24 W3C Validator]
 | {{tidy-html|page=MediaWiki/Parser24}}
-| bgcolor=red | Yes.
+| <s>Yes</s> No.
+|
 | No.
-| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035811.html Allows User-specified JavaScript Execution]. Currently unavailable, will be restored in a few days.
+| <s>[http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035811.html Allows User-specified JavaScript Execution].</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 |-
 | [[MediaWiki/Parser25]]
@@ Line 220: / Line 247: @@
 | [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25 W3C Validator]
 | {{tidy-html|page=MediaWiki/Parser25}}
-| bgcolor=red | Yes.
+| <s>Yes</s> No.
+|
 | No.
-| [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035812.html Allows User-specified JavaScript Execution]. [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035814.html Now fixed in trunk]. Currently unavailable, will be restored in a few days.
+| <s>[http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035812.html Allows User-specified JavaScript Execution].</s> [http://mail.wikipedia.org/pipermail/wikitech-l/2006-May/035814.html Security aspects fixed in 1.6.6], although still fails W3C Validation.
+|-
+| [[MediaWiki/Parser25-variant1]]
+| [[Special:Export/MediaWiki/Parser25-variant1|Export Wiki Source]]
+| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25-variant1 W3C Validator]
+| {{tidy-html|page=MediaWiki/Parser25-variant1}}
+| <s>Yes</s> No.
+|
+| No.
+| <s>Allows User-specified JavaScript Execution.</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
+|-
+| [[MediaWiki/Parser25-variant2]]
+| [[Special:Export/MediaWiki/Parser25-variant2|Export Wiki Source]]
+| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser25-variant2 W3C Validator]
+| {{tidy-html|page=MediaWiki/Parser25-variant2}}
+| <s>Yes</s> No.
+|
+| No.
+| <s>Allows User-specified JavaScript Execution.</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 |}
 ==Definition of Security Aspects==