
Template parameters not substituted in HTML attributes [regression]
Closed, Resolved · Public

Description

Author: bastique.bz

Description:
http://en.wikipedia.org/wiki/Tralee

Up until yesterday, we were able to position dots on maps using the template
field "pin_coords", which placed a "left: #; top: #" code into the DIV tag
for the tiny town graphic. Suddenly, on 6/3/05, this field no longer works.

We have already positioned quite a few towns using this now-disabled feature.
This feature also reduces the number of graphics; 2 for all towns in a single
county rather than one for each one. This ability should be restored.


Version: 1.4.x
Severity: normal
URL: http://en.wikipedia.org/wiki/Template:Ie_citytown_infobox

Details

Reference
bz2309

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 21 2014, 8:35 PM
bzimport set Reference to bz2309.
bzimport added a subscriber: Unknown Object (MLST).

This is caused by the fix to bug 2304, which is a major security vulnerability.

Allowing validated plaintext template/parameter substitutions in HTML attribute values with our
current parser architecture is theoretically possible, but will take some work to ensure that it
remains safe.
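The comment above describes the trade-off behind this regression: the fix for bug 2304 stops template parameters from being substituted into HTML attribute values at all, because an unvalidated parameter in an attribute is an injection vector, while a safe alternative would be to substitute only values that pass an allow-list check. The following is an added illustration of what such a check could look like for the pin_coords case from the description; it is not MediaWiki's parser code or the actual fix, and the function names, the `pin` class name and the sample inputs are constructed for this example.

```python
"""Allow-list validation for a template parameter that ends up in a style attribute.

Constructed example: a 'pin_coords' parameter is only accepted if it consists of
'left' and 'top' declarations with plain numeric (px or %) values; anything else
is rejected and nothing from it is substituted into the attribute.
"""
import html
import re
from typing import Optional

# Only these CSS properties may appear in the pin_coords value (assumed allow-list).
ALLOWED_PROPERTIES = {"left", "top"}

# A value is a signed integer or decimal, optionally followed by px or %.
_VALUE_RE = re.compile(r"^-?\d+(\.\d+)?(px|%)?$")


def validate_pin_coords(raw: str) -> Optional[str]:
    """Return a normalised 'left: X; top: Y' string, or None if raw is not acceptable."""
    declarations = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty or trailing declaration
        if part.count(":") != 1:
            return None
        prop, value = (s.strip().lower() for s in part.split(":"))
        if prop not in ALLOWED_PROPERTIES or prop in declarations:
            return None
        if not _VALUE_RE.match(value):
            return None
        declarations[prop] = value
    if not declarations:
        return None
    # Re-serialise from the parsed parts so nothing from the input is copied through verbatim.
    return "; ".join(f"{p}: {declarations[p]}" for p in sorted(declarations))


def render_pin_div(pin_coords: str, label: str) -> str:
    """Build the town pin's div; an invalid pin_coords drops the style attribute
    instead of passing the raw parameter through (the behaviour the guard enforces)."""
    style = validate_pin_coords(pin_coords)
    style_attr = f' style="{html.escape(style, quote=True)}"' if style is not None else ""
    return f'<div class="pin"{style_attr}>{html.escape(label)}</div>'
```

The validator never echoes the parameter itself: it rebuilds the attribute from the parsed property names and values, so a parameter that carries extra quotes, additional properties or anything outside the two allowed declarations yields no style attribute at all rather than a partially filtered one.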

Also broken by this:
http://en.wikipedia.org/wiki/Template:Ref
http://en.wikipedia.org/wiki/Template:Note

I've done some work on this bug but need to check it over a bit to make sure I haven't reintroduced a vulnerability,
particularly on the 1.4 backport (where the HTML attribute validation code is pretty crappy). Will try to finish it up
tonight.

lowzl wrote:

I recently upgraded my MediaWiki installation to 1.4.5 - we've experienced this
problem on precisely one template at the moment. I suppose it is because no one
has edited the other ones using this technique yet.

Curiously, {{subst:xyz}} works, but {{xyz}} uses the inclusion guard.

Fix applied to CVS HEAD. Still working on REL1_4.

Fix applied to REL1_4 as well (Parser.php).

lowzl wrote:

Is there a specific patch we can apply now, or will there be a new release of
1.4 soon?

I can't release a 1.4.6 just now as there's an issue with upgrades and an unnecessary
but performance-enhancing index.

Here's the change for REL1_4:
http://cvs.sourceforge.net/viewcvs.py/wikipedia/phase3/includes/Parser.php?r1=1.357.2.49&r2=1.357.2.50&diff_format=u

zigger wrote:

*** Bug 2743 has been marked as a duplicate of this bug. ***