[om-infra] [MediaWiki-announce] Parsoid Security Update and Release

Subramanya Sastry ssastry at wikimedia.org
Tue Nov 1 14:40:42 EDT 2016


The parsing team has fixed a security bug in Parsoid [1].

* Users could send invalid prefixes, formats, or domains and run
   javascript code on the error page that Parsoid displayed.

* This fix has been applied to the Wikimedia cluster [2] and also merged
   into Parsoid master [1].

* We have also released a 0.5.3 deb version with this patch applied. [3]

* We have also released a 0.5.3 npm version of Parsoid. [4]

* Parsoid is a stateless service and doesn't retain any state between
   requests. In private wikis, VisualEditor can be configured to
   forward the user cookie to Parsoid to pass along to the MediaWiki API
   to parse a page, but this exploit is not exposed through VE.

   In addition, Parsoid doesn't receive any user credentials on
   public wikis.

* However, if a wiki's Parsoid service is publicly accessible on the
   internet *and* is accessible through the wiki's domain, then, this
   exploit can be used to leak user cookies for that wiki. For all wikis
   that use Parsoid in this fashion, we recommend they patch their
   Parsoid installation immediately.

* On the Wikimedia cluster, Parsoid is proxied behind RESTBase and is
   not public accessible and as such, this exploit wasn't available for
   an exploit to steal user sessions.

Thanks to the reporter of this exploit, Darian Patrick from the
Security Team, Arlo Breault from the Parsing Team, Daniel Zahn and
others from Ops for their assistance handling this bug and preparing
this release.

Subramanya Sastry,
Technical Lead and Manager,
Parsing Team,
Wikimedia Foundation.


[1] https://gerrit.wikimedia.org/r/#/c/319115
[2] 
https://www.mediawiki.org/wiki/Parsoid/Deployments#Monday.2C_October_31.2C_2016_around_1:15_PT:_Y.C2.A0Deployed_e503e801
[3] https://releases.wikimedia.org/debian/pool/main/p/parsoid/
[4] https://www.npmjs.com/package/parsoid


_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce


More information about the OM-Infra mailing list