Difference between revisions of "MediaWiki"

From Nick Jenkins
m (+licensing.)
(list new tests)
Line 266: Line 266:
 
| No.
 
| No.
 
| <s>Allows User-specified JavaScript Execution.</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 
| <s>Allows User-specified JavaScript Execution.</s> Security aspects fixed in 1.6.6, although still fails W3C Validation.
 +
|-
 +
| [[MediaWiki/Parser26]]
 +
| [[Special:Export/MediaWiki/Parser26|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser26 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser26}}
 +
| <s>Yes</s> No.
 +
|
 +
| <s>Yes</s> No.
 +
| Attribute injection in Cite extension fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015380.html r14400], and visual aspects fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015379.html r14399]
 +
|-
 +
| <s>[[MediaWiki/Parser27]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser27|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser27 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser27}}</s>
 +
| No.
 +
|
 +
| No.
 +
| PHP warning, fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015460.html r14480].
 +
|-
 +
| [[MediaWiki/Parser28]]
 +
| [[Special:Export/MediaWiki/Parser28|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser28 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser28}}
 +
| bgcolor=yellow | Yes.
 +
|
 +
| No.
 +
| Limited attribute injection using Sort extension + another extension (References in this example).<br />(Note: References extension not installed on this wiki).
 +
|-
 +
| [[MediaWiki/Parser28-variant1]]
 +
| [[Special:Export/MediaWiki/Parser28-variant1|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser28-variant1 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser28-variant1}}
 +
| bgcolor=yellow | Yes.
 +
|
 +
| No.
 +
| Limited attribute injection using Sort extension + another extension (Math in this example).<br />(Note: Math extension not installed on this wiki).
 +
|-
 +
| <s>[[MediaWiki/Parser29]]</s>
 +
| <s>[[Special:Export/MediaWiki/Parser29|Export Wiki Source]]</s>
 +
| <s>[http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser29 W3C Validator]</s>
 +
| <s>{{tidy-html|page=MediaWiki/Parser29}}</s>
 +
| No.
 +
|
 +
| No.
 +
| Invalid <left> tag on bad timeline extension input. Fixed in [http://mail.wikipedia.org/pipermail/mediawiki-cvs/2006-May/015455.html r14475].<br />(Note: Timeline extension not installed on this wiki).
 +
|-
 +
| [[MediaWiki/Parser30]]
 +
| [[Special:Export/MediaWiki/Parser30|Export Wiki Source]]
 +
| [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser30 W3C Validator]
 +
| {{tidy-html|page=MediaWiki/Parser30}}
 +
| No.
 +
|
 +
| No.
 +
| Invalid <left> tag on bad timeline extension input. (Note: Timeline extension not installed on this wiki).
 +
|-
 +
| <!-- [[MediaWiki/Parser31]] -->
 +
| <!-- [[Special:Export/MediaWiki/Parser31|Export Wiki Source]] -->
 +
| <!-- [http://validator.w3.org/check?uri=http://nickj.org/MediaWiki/Parser31 W3C Validator] -->
 +
| <!-- {{tidy-html|page=MediaWiki/Parser31}} -->
 +
| bgcolor=yellow | Yes.
 +
|
 +
| No.
 +
| Limited attribute injection using one extension + another extension. Wiki text not released yet.
 
|}
 
|}
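Review bot: the last added row (Parser31) puts the whole content of its first four cells inside HTML comments, so the rendered row has no test name or links and shows only "Yes. / No. / Limited attribute injection using one extension + another extension." Put a plain-text placeholder in the first cell, outside the comment, for example "Parser31 (wiki text not released yet)", so the row can still be identified. Separately, the rows for Parser26, Parser27 and Parser29 leave the cell before the visible-artefacts value empty while their notes cite r14400/r14399, r14480 and r14475. If that cell is the "Fixed in" column, recording the revision there would match the way earlier rows record 1.6.1 and 1.6.6.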
  

Revision as of 08:04, 31 May 2006

Various MediaWiki 1.6.6 parser tests that fail HTML validation. There is a MediaWiki bug report covering this. These were all found by fuzz testing MediaWiki, using a modified PHP port of the Python port of mangleme. The source code is available, although the version now in the MediaWiki trunk is probably more current (changelog). Lastly, all the MediaWiki tests listed below are released into the public domain, so you're welcome to incorporate them into any software you like, under any license you like.


| Test | Wiki Source | Validate HTML | Tidy HTML | Security aspects? | Fixed in | Visible Artefacts? | Notes and any extra info. |
|---|---|---|---|---|---|---|---|
| MediaWiki/Parser1 | Export Wiki Source | W3C Validator | Tidy HTML | No | | Yes | Strikes out almost all text. Explanation for this + Parser1-hidden + Parser2 + Parser3 + Parser4 + Parser5. |
| MediaWiki/Parser1-hidden | Export Wiki Source | W3C Validator | Tidy HTML | No | | Yes | Hides almost all text, which also makes all page links unavailable. |
| MediaWiki/Parser2 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No | |
| MediaWiki/Parser3 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No | |
| MediaWiki/Parser4 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No | |
| MediaWiki/Parser5 | Export Wiki Source | W3C Validator | Tidy HTML | No | | Yes | Shrinks font, moves the top page action links up about 5 pixels and left about 10 pixels. |
| MediaWiki/Parser6 | Export Wiki Source | W3C Validator | Tidy HTML | No | | Yes | Shrinks font, moves the left navigation bar down about 160 pixels, strikes out almost all text. |
| MediaWiki/Parser7 | Export Wiki Source | W3C Validator | Tidy HTML | No | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| MediaWiki/Parser8 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No | |
| MediaWiki/Parser9 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No | |
| MediaWiki/Parser10 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No | |
| MediaWiki/Parser11 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation. |
| MediaWiki/Parser12 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Explanation. Security aspects fixed in 1.6.1, although still fails W3C Validation. |
| MediaWiki/Parser13 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.6 | No. | Drops the '<a href="xxx' string. Explanation for this + Parser14 + Parser14-table. Completely fixed in 1.6.6. |
| MediaWiki/Parser14 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.6 | Yes No. | TOC insertion Completely fixed in 1.6.6. |
| MediaWiki/Parser14-table | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.6 | Yes No. | TOC insertion Completely fixed in 1.6.6. |
| MediaWiki/Parser15 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No. | Generates Tidy error due to <caption> tags out of order. As of 1.6.1 just fails validation. |
| MediaWiki/Parser16 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Generates Tidy error due to <th> tags out of order. As of 1.6.1, dropped the '<a href="xxx' string. Security aspects fixed in 1.6.6, although still fails W3C Validation. |
| MediaWiki/Parser17 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| MediaWiki/Parser18 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| MediaWiki/Parser19 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.1 | No. | Completely fixed in 1.6.1 - valid HTML, no artefacts, no tidy errors. |
| MediaWiki/Parser20 | Export Wiki Source | W3C Validator | Tidy HTML | No | | No. | Nowiki allows malformed URI (e.g. generates multi-line hrefs). Passes W3C validation, but tidy gives warnings, and the links don't act like normal links (in Firefox, at least) - clicking on them does nothing. |
| MediaWiki/Parser21 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.6 | No. | Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors. |
| MediaWiki/Parser22 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | 1.6.6 | No. | Double links injection. Completely fixed in 1.6.6 - valid HTML, no artefacts, no tidy errors. |
| MediaWiki/Parser23 | Export Wiki Source | W3C Validator | Tidy HTML | No. | | No. | Pre allows malformed URI. Fails validation (unlike nowiki). |
| MediaWiki/Parser24 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation. |
| MediaWiki/Parser25 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation. |
| MediaWiki/Parser25-variant1 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation. |
| MediaWiki/Parser25-variant2 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | No. | Allows User-specified JavaScript Execution. Security aspects fixed in 1.6.6, although still fails W3C Validation. |
| MediaWiki/Parser26 | Export Wiki Source | W3C Validator | Tidy HTML | Yes No. | | Yes No. | Attribute injection in Cite extension fixed in r14400, and visual aspects fixed in r14399 |
| MediaWiki/Parser27 | Export Wiki Source | W3C Validator | Tidy HTML | No. | | No. | PHP warning, fixed in r14480. |
| MediaWiki/Parser28 | Export Wiki Source | W3C Validator | Tidy HTML | Yes. | | No. | Limited attribute injection using Sort extension + another extension (References in this example). (Note: References extension not installed on this wiki). |
| MediaWiki/Parser28-variant1 | Export Wiki Source | W3C Validator | Tidy HTML | Yes. | | No. | Limited attribute injection using Sort extension + another extension (Math in this example). (Note: Math extension not installed on this wiki). |
| MediaWiki/Parser29 | Export Wiki Source | W3C Validator | Tidy HTML | No. | | No. | Invalid <left> tag on bad timeline extension input. Fixed in r14475. (Note: Timeline extension not installed on this wiki). |
| MediaWiki/Parser30 | Export Wiki Source | W3C Validator | Tidy HTML | No. | | No. | Invalid <left> tag on bad timeline extension input. (Note: Timeline extension not installed on this wiki). |
| | | | | Yes. | | No. | Limited attribute injection using one extension + another extension. Wiki text not released yet. |


Definition of Security Aspects

For the above table, "security aspect" is defined as anything that causes the start of a tag to be missing, or the end of a tag to be missing, or attributes of any type that should not be there to be injected. For example:

  • <p><td><s></p> would not be considered to have a security aspect because all the tags are well-formed (none is malformed), although it is invalid HTML.
  • <a href="http://as<td></td><td class="external free"><p>user text here would be considered to have a security aspect because the "href" string is not properly terminated, and so the "external free" part is injected as attributes.
  • A string missing the start of a tag would also be considered to have a security aspect - e.g. <th>|||||" class="external free" title="https://||||||" rel="nofollow">https://</th> - because the <a href="xxx part has been cut off. Probably not exploitable - but certainly a worse category of bug than just getting tags in the wrong order.

So to sum up: if tags are just in the wrong order, but are otherwise complete and well-formed, then it is not a security issue; otherwise it is considered to potentially be, and is listed as "Yes" in the above table.
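
The definition above can be turned into an automated triage check for fuzzer output. The following is an added example, not code from the original page or from MediaWiki: a heuristic that strips every complete tag and then looks for what should not remain. The function and constant names are hypothetical, and it assumes sanitised output in which a literal < or > never appears inside a quoted attribute value.

```python
import re

# One attribute: a name, optionally "=" and a quoted or bare value. Quoted
# values may not contain < or >; sanitised output escapes them, so seeing one
# means the closing quote went missing. (Assumption of this example.)
ATTR = r'''\s+[A-Za-z_:][-\w:.]*(?:\s*=\s*(?:"[^"<>]*"|'[^'<>]*'|[^\s"'<>=]+))?'''
WELL_FORMED_TAG = re.compile(r'</?[A-Za-z][A-Za-z0-9]*(?:' + ATTR + r')*\s*/?>')
# After complete tags are removed, only plain text should remain.
DANGLING_START = re.compile(r'</?[A-Za-z]')
ORPHAN_ATTRS = re.compile(r'[-\w:.]+\s*=\s*"[^"<>]*"\s*/?>')


def security_aspects(html):
    """Return the reasons a fragment has a 'security aspect' ([] if none)."""
    # Replace each complete tag with NUL so neighbouring text cannot fuse
    # into something that looks like a tag.
    leftover = WELL_FORMED_TAG.sub('\x00', html)
    reasons = []
    if DANGLING_START.search(leftover):
        reasons.append('tag start with no well-formed end')
    if ORPHAN_ATTRS.search(leftover):
        reasons.append('attributes and ">" with no tag start')
    return reasons


def has_security_aspect(html):
    """True when the table above would say "Yes" for this output."""
    return bool(security_aspects(html))


# The three fragments quoted in the definition, plus one constructed
# well-formed link as a control.
SAMPLES = [
    '<p><td><s></p>',
    '<a href="http://as<td></td><td class="external free"><p>user text here',
    '<th>|||||" class="external free" title="https://||||||" '
    'rel="nofollow">https://</th>',
    '<a href="http://example.org/" class="external free">text</a>',
]

if __name__ == '__main__':
    for fragment in SAMPLES:
        print(has_security_aspect(fragment), security_aspects(fragment), fragment)
```

Tags that are merely in the wrong order pass this check, so it separates the "Yes" rows from the validation-only failures; it does not replace the W3C validator or Tidy columns.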