wiki.techinc.nl/includes
C. Scott Ananian 94f193a894 SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization
CVE-2025-32699

Ensure that Unicode NFC normalization can be applied to our HTML
output safely.  Even though the W3C officially recommends against
normalizing HTML

https://www.w3.org/International/questions/qa-html-css-normalization#converting

this is still easily done inadvertently, especially when using the
MediaWiki action API which normalizes parameters and results by
default.

See also I671648603c4635a35585c860b4857f5ea085e47f in Parsoid, and
T266140 / I2e78e660ba1867744e34eda7d00ea527ec016b71 for another similar
issue.

The following changes are made:

* The various HTML serializers (Remex/Tidy-derived, as well as the
  Html::* helpers) are tweaked to entity-escape U+0338 wherever it
  appears.

* Similarly, Message::escaped() is tweaked to entity-escape U+0338.

* Finally, a post-processing pass is added to the OutputTransform
  pipeline to catch any remaining U+0338 and entity-escape them.
  This catches U+0338 added during any of the previous OutputTransform
  stages (like TOC insertion, section edit links, etc).
  *When backporting*, this code will likely need to be moved to
  ParserOutput::getText(), as the OutputTransform pipeline wasn't added
  until MW 1.42.

Bug: T387130
Change-Id: I66564e14e730f5393f4fa5780b80f24de6075af5
2025-04-10 15:56:06 +01:00
actions Apply proper restrictions on file revert action 2025-03-24 12:55:44 +00:00
api Merge "block: Fix DBS::acquireTarget() race using GET_LOCK()" into REL1_43 2025-04-08 23:04:22 +00:00
auth ButtonAuthenticationRequest: Add AllowDynamicProperties directive 2024-12-12 21:45:31 +00:00
block block: Fix DBS::acquireTarget() race using GET_LOCK() 2025-04-07 11:43:34 +00:00
cache Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
Category Remove meaningless @var documentation from constants 2024-10-09 09:33:12 +02:00
changetags ChangeTags: Optimize label and description parsing 2025-04-03 18:24:46 +01:00
collation Use namespaced classes 2024-10-21 20:41:20 +02:00
CommentFormatter Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
CommentStore Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
composer In .htaccess deny files, use "Satisfy All" 2025-04-04 13:17:15 +00:00
config
content Merge "Use explicit nullable type on parameter arguments" 2024-10-16 23:10:14 +00:00
context Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
dao
db Merge "CloneDatabase: Remove debug logging" 2024-10-17 23:38:11 +00:00
debug Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
deferred Fix GREATEST usage in site_stats 2025-03-20 15:48:17 +00:00
diff Use namespaced classes 2024-10-21 20:41:20 +02:00
edit parser: Gracefully handle invalid ParsoidRenderID keys 2025-02-04 14:54:31 +00:00
editpage PermissionManager: Differentiate between cascading protection of file content and file pages 2025-03-24 13:31:34 +00:00
exception HttpError: Cast Message to string 2025-03-11 21:58:06 +00:00
export Use namespaced classes 2024-10-21 20:41:20 +02:00
ExternalLinks ExternalLinks: fix mailto: links reversal 2025-02-28 16:33:54 +00:00
externalstore Use namespaced classes 2024-10-21 20:41:20 +02:00
Feed FeedItem: Update @since on xmlEncodeNullable for backports 2025-02-21 03:53:56 +00:00
filebackend filebackend: Check for old alias in FileBackendMultiWrite 2024-10-22 01:32:54 +02:00
filerepo Fix img_auth message logic 2024-11-14 01:05:30 +00:00
gallery Use namespaced classes 2024-10-21 20:41:20 +02:00
historyblob
Hook
HookContainer WhatLinksHere: Allow extensible filters 2024-10-21 14:27:53 +05:30
Html SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
htmlform htmlform: Allow MessageParam on HTMLForm::addButton for label-message 2024-10-26 23:12:51 +00:00
http Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
import Use namespaced classes 2024-10-21 20:41:20 +02:00
installer Localisation updates from https://translatewiki.net. 2025-04-08 07:34:00 +02:00
interwiki Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
jobqueue RefreshLinksJob: Don't retry job if "Revision x is not current" is returned 2024-11-19 16:08:11 +00:00
json Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
language LanguageConverter: Only set mTablesLoaded once they're really loaded 2025-04-08 08:34:42 +00:00
languages Add Central Kanuri (knc), deprecate Kanuri (kr) 2024-10-20 19:18:46 +00:00
libs In .htaccess deny files, use "Satisfy All" 2025-04-04 13:17:15 +00:00
linkeddata
linker Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
logging SECURITY: Fix log entry search revealing suppressed data to users with 'deletedhistory' rights 2025-04-10 15:56:06 +01:00
mail Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
media FormatMetadata: Prevent running preg_match() on null 2025-01-28 12:05:59 +00:00
Message SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
Navigation
objectcache Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
Output Skin: [BREAKING CHANGE] Remove support for rendering outside body element 2024-10-30 15:18:51 +00:00
OutputTransform SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
page Use namespaced classes 2024-10-21 20:41:20 +02:00
pager ContributionsPager: Fix getTemplateParams() parameter 2024-10-25 13:52:47 +00:00
ParamValidator/TypeDef
parser SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
password Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
Permissions RestrictionStore: Remove short-circuit mode when fetching cascading sources 2025-04-09 13:25:44 +00:00
poolcounter objectcache: Move RedisConnRef.php to /libs/objectcache/ 2024-11-07 08:40:54 +00:00
preferences Add explanation text for "Allow emails from brand-new users" 2025-02-21 22:34:44 +00:00
profiler Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
recentchanges objectcache: Move RedisConnRef.php to /libs/objectcache/ 2024-11-07 08:40:54 +00:00
registration Remove meaningless @var documentation from constants 2024-10-09 09:33:12 +02:00
RenameUser
Request Request: Improve log message when headers already sent 2025-03-10 15:12:31 +00:00
ResourceLoader resourceloader: Fix hash computation for virtual files with versionFilePath 2025-01-29 21:26:20 +00:00
Rest REST: Remove unused setUseParserCache() as potential footgun 2025-04-05 11:35:48 +00:00
Revision Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
revisiondelete RevDelList: Ensure setVisibility always includes itemStatuses in value if applicable 2025-03-08 01:53:49 +00:00
revisionlist
search Use namespaced classes 2024-10-21 20:41:20 +02:00
session session: Do not set session.use_trans_sid 2025-01-06 22:12:05 +00:00
Settings Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
shell FileRepo: Add support for the new Shellbox large file feature 2024-10-29 02:50:07 +00:00
site
SiteStats
skins Merge "Hard deprecate soft deprecated skin methods" into REL1_43 2024-11-13 00:27:38 +00:00
sparql
specialpage specialpage: Improve handling of invalid lang codes on login/signup 2025-01-29 16:04:57 +00:00
specials Reject temporary account usernames on Special:PasswordReset 2024-11-18 14:35:28 +00:00
Status Make Message and MessageValue compatible 2024-10-19 15:00:07 +02:00
Storage Merge "Use explicit nullable type on parameter arguments" 2024-10-16 23:10:14 +00:00
StubObject
templates img_auth: Output lang and dir in HTTP and HTML on error message 2024-10-29 15:18:52 +00:00
tidy SECURITY: Ensure emitted HTML is safe against Unicode NFC normalization 2025-04-10 15:56:06 +01:00
title Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
upload upload: Suppress warnings from iconv() 2025-03-18 00:28:14 +00:00
user Avoid trying to load the session user in MW_NO_SESSION endpoints 2025-03-11 00:28:38 +00:00
utils Remove CryptHKDF and MWCryptHKDF 2024-11-10 22:49:37 -05:00
watchlist Merge "Use explicit nullable type on parameter arguments" 2024-10-16 23:10:14 +00:00
widget
WikiMap Merge "Fix typos in WikiMap doc comments" 2024-10-10 18:30:09 +00:00
xml Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
.htaccess In .htaccess deny files, use "Satisfy All" 2025-04-04 13:17:15 +00:00
AutoLoader.php AutoLoader: Use require_once rather than require 2024-10-24 01:36:18 +00:00
BootstrapHelperFunctions.php
config-schema.php DnsBlacklistUrls: Remove sorbs.net 2025-01-06 22:57:01 +00:00
DefaultSettings.php
Defines.php Prep 1.43.0 2024-12-20 17:36:14 +03:00
DevelopmentSettings.php Tests: Split log files by parallel grouping 2024-10-10 12:47:00 +00:00
EntryPointEnvironment.php
GlobalFunctions.php Deprecate wfArrayDiff2() 2024-11-04 19:34:41 +00:00
MainConfigNames.php Remove CryptHKDF and MWCryptHKDF 2024-11-10 22:49:37 -05:00
MainConfigSchema.php DnsBlacklistUrls: Remove sorbs.net 2025-01-06 22:57:01 +00:00
MediaWiki.php
MediaWikiEntryPoint.php
MediaWikiServices.php Remove CryptHKDF and MWCryptHKDF 2024-11-10 22:49:37 -05:00
PHPVersionCheck.php Bump PHPVersionCheck & composer expected PHP versions to 8.1.0 2024-10-25 19:56:22 -04:00
ServiceWiring.php Remove CryptHKDF and MWCryptHKDF 2024-11-10 22:49:37 -05:00
Setup.php Use namespaced classes 2024-10-21 20:41:20 +02:00
SetupDynamicConfig.php Switch over a bunch of class_alias uses to actuals 2024-10-03 17:09:36 +00:00
WebStart.php