User:CSteipp (WMF)/SecurityRelease 1.24.1

= thumb.php outputs wikitext message as raw html =


 * Bug: T76686
 * Affected Versions: ???-1.24.1 (introduced in, fixed in )
 * Type: Security Hardening
 * CVE:
 * Credit: Krinkle

Background:

Issues: thumb.php output the badtitletext message as raw HTML instead of parsing it. Because that interface message is editable by administrators, a malicious admin could use it to add a script to the wiki from a location that other administrators are unlikely to review.

Fix: Parse the error message in thumb.php (so the parser's sanitizer is applied to it) instead of outputting the raw message.

= Malicious site can bypass CORS restrictions in $wgCrossSiteAJAXdomains =


 * Bug: T77028
 * Affected Versions: ???-1.24.1 (introduced in, fixed in )
 * Type: Improper Authorization / CWE-285
 * CVE:
 * Credit: BJorsh (WMF)

Background: Cross-origin API requests are answered with CORS headers only when the requesting origin matches an entry in the $wgCrossSiteAJAXdomains array. Entries may contain wildcards so that all subdomains of a single domain can be allowed with one entry.

Issues: The regex built from a wildcard entry only checked that the string from $wgCrossSiteAJAXdomains appeared somewhere in the requesting site's origin (a substring match), instead of checking that the requesting site was actually the listed domain or one of its subdomains. An origin that merely contains the listed name therefore passed the check.

Fix: Match the wildcard pattern against the whole requesting origin, so that an origin is only accepted when it is the listed domain or a subdomain of it, rather than when it merely contains the listed string.
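The following is an added example, not MediaWiki's own code, showing the difference between the substring check described above and a whole-origin check. The allow-list values, the function names and the use of Python instead of PHP are assumptions made for the illustration; the wildcard-to-regex conversion mirrors the behaviour described in this entry, not the exact implementation in ApiMain.

```python
import re

# Constructed allow-list in the style of $wgCrossSiteAJAXdomains (assumed values).
CROSS_SITE_AJAX_DOMAINS = ["*.example.org", "mirror.example.net"]


def wildcard_to_regex(entry, anchored):
    """Turn one allow-list entry into a compiled regex.

    '*' in the entry matches any run of characters.  With anchored=False the
    regex is only required to occur somewhere inside the origin string, which
    is the substring behaviour described in the issue above.  With
    anchored=True the whole origin has to match the pattern.
    """
    body = re.escape(entry).replace(r"\*", ".*?")
    pattern = r"https?://" + body
    if anchored:
        pattern = "^" + pattern + "$"
    return re.compile(pattern)


def origin_allowed(origin, allow_list, anchored=True):
    """Return True if the Origin header value matches any allow-list entry."""
    for entry in allow_list:
        if wildcard_to_regex(entry, anchored).search(origin):
            return True
    return False


if __name__ == "__main__":
    # Constructed Origin header values: one legitimate subdomain, one origin
    # under an attacker-controlled domain that merely contains the listed name.
    for origin in ("https://www.example.org",
                   "https://www.example.org.attacker.example",
                   "https://mirror.example.net.attacker.example",
                   "https://attacker.example"):
        print(origin,
              "substring:", origin_allowed(origin, CROSS_SITE_AJAX_DOMAINS, anchored=False),
              "anchored:", origin_allowed(origin, CROSS_SITE_AJAX_DOMAINS, anchored=True))
```

With the substring check, an origin such as https://www.example.org.attacker.example is accepted because it contains "example.org"; with the anchored check only the listed domain and its subdomains are accepted. Note that the anchored pattern here does not allow a port suffix in the origin; a production implementation has to decide explicitly how ports are handled.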