From: Jeff King <peff@peff.net>
To: Drew Northup <n1xim.email@gmail.com>
Cc: glpk xypron <xypron.glpk@gmx.de>,
git@vger.kernel.org, jnareb@gmail.com,
Junio C Hamano <gitster@pobox.com>
Subject: Re: [BUG] gitweb: XSS vulnerability of RSS feed
Date: Mon, 12 Nov 2012 15:24:13 -0500 [thread overview]
Message-ID: <20121112202413.GD4623@sigill.intra.peff.net> (raw)
In-Reply-To: <CAM9Z-n=6xsC7yiKJ+NU-CxNPxEXWmJzvXLUocgZgWPQnuK6G4Q@mail.gmail.com>
On Mon, Nov 12, 2012 at 01:55:46PM -0500, Drew Northup wrote:
> On Sun, Nov 11, 2012 at 6:28 PM, glpk xypron <xypron.glpk@gmx.de> wrote:
> > Gitweb can be used to generate an RSS feed.
> >
> > Arbitrary tags can be inserted into the XML document describing
> > the RSS feed by careful construction of the URL.
> [...]
> Something like this may be useful to defuse the "file" parameter, but
> I presume a more definitive fix is in order...
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 10ed9e5..af93e65 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -1447,6 +1447,10 @@ sub validate_pathname {
> if ($input =~ m!\0!) {
> return undef;
> }
> + # No XSS <script></script> inclusions
> + if ($input =~ m!(<script>)(.*)(</script>)!){
> + return undef;
> + }
> return $input;
> }
This is the wrong fix for a few reasons:
1. It is on the input-validation side, whereas the real problem is on
the output-quoting side. Your patch means I could not access a file
called "<script>foo</script>". What we really want is to have the
unquoted name internally, but then make sure we quote it when
outputting as part of an HTML (or XML) file.
2. Script tags are only part of the problem. They are what make it
obviously a security vulnerability, but it is equally incorrect for
us to show the filename "<b>foo</b>" as bold. I would also not be
surprised if there are other cross-site attacks one can do without
using <script>.
3. Your filter is too simplistic. At the very least, it would not
filter out "<SCRIPT>". I am not up to date on all of the
sneaking-around-HTML-filters attacks that are available these days,
but I wonder if one could also get around it using XML entities or
similar.
I think the right answer is going to be a well-placed call to esc_html.
This already happens automatically when we go through the CGI
element-building functions, but obviously we failed to make the call
when building the output manually. This is a great reason why template
languages which default to safe expansion should always be used.
Unfortunately, gitweb is living in 1995 in terms of web frameworks.
-Peff
next prev parent reply other threads:[~2012-11-12 20:24 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-11 23:28 [BUG] gitweb: XSS vulnerability of RSS feed glpk xypron
2012-11-12 18:55 ` Drew Northup
2012-11-12 20:24 ` Jeff King [this message]
2012-11-12 20:27 ` Jeff King
2012-11-12 20:36 ` Junio C Hamano
2012-11-12 21:13 ` Jakub Narębski
2012-11-12 21:34 ` Jeff King
2012-11-13 14:44 ` Drew Northup
2012-11-13 15:19 ` Jakub Narębski
2012-11-13 15:45 ` Kevin
2012-11-13 15:57 ` Jakub Narębski
2012-11-13 17:04 ` Jeff King
2012-11-13 17:22 ` Jakub Narębski
2012-11-12 23:09 ` Andreas Schwab
2012-11-13 8:31 ` Pyeron, Jason J CTR (US)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121112202413.GD4623@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=jnareb@gmail.com \
--cc=n1xim.email@gmail.com \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).