From: Joey Hess Date: Sun, 10 Feb 2008 18:22:25 +0000 (-0500) Subject: cherry-pick uri security fix X-Git-Tag: 2.31.1~1 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/df512e55dfbbb912cdf4aee5db48622301bb29ac?ds=inline cherry-pick uri security fix --- diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index bc613f924..25caa8a50 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -18,6 +18,28 @@ my $_scrubber; sub scrubber { #{{{ return $_scrubber if defined $_scrubber; + # Only known uri schemes are allowed to avoid all the ways of + # embedding javascrpt. + # List at http://en.wikipedia.org/wiki/URI_scheme + my $uri_schemes=join("|", + # IANA registered schemes + "http", "https", "ftp", "mailto", "file", "telnet", "gopher", + "aaa", "aaas", "acap", "cap", "cid", "crid", + "dav", "dict", "dns", "fax", "go", "h323", "im", "imap", + "ldap", "mid", "news", "nfs", "nntp", "pop", "pres", + "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp", + "z39.50r", "z39.50s", + # data is a special case. Allow data:text/, but + # disallow data:text/javascript and everything else. + qr/data:text\/(?:png|gif|jpeg)/, + # Selected unofficial schemes + "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg", + "irc", "ircs", "lastfm", "ldaps", "magnet", "mms", + "msnim", "notes", "rsync", "secondlife", "skype", "ssh", + "sftp", "sms", "steam", "webcal", "ymsgr", + ); + my $link=qr/^(?:$uri_schemes:|[^:]+$)/i; + eval q{use HTML::Scrubber}; error($@) if $@; # Lists based on http://feedparser.org/docs/html-sanitization.html @@ -35,23 +57,27 @@ sub scrubber { #{{{ }], default => [undef, { ( map { $_ => 1 } qw{ - abbr accept accept-charset accesskey action + abbr accept accept-charset accesskey align alt axis border cellpadding cellspacing char charoff charset checked cite class clear cols colspan color compact coords datetime dir disabled enctype for frame - headers height href hreflang hspace id ismap + headers height hreflang hspace id ismap label lang longdesc maxlength media method multiple name nohref noshade nowrap prompt readonly rel rev rows rowspan rules scope - selected shape size span src start summary + selected shape size span start summary tabindex target title type usemap valign value vspace width - poster autoplay loopstart loopend end + autoplay loopstart loopend end playcount controls } ), "/" => 1, # emit proper
XHTML - }], + href => $link, + src => $link, + action => $link, + poster => $link, + }], ); return $_scrubber; } # }}} diff --git a/debian/changelog b/debian/changelog index b21cdb441..8683bbc1f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ikiwiki (2.31.1) unstable; urgency=low + + * htmlscrubber security fix: Block javascript in uris. + * Add htmlscrubber test suite. + + -- Joey Hess Sun, 10 Feb 2008 13:21:35 -0500 + ikiwiki (2.31) unstable; urgency=low [ Joey Hess ] diff --git a/doc/plugins/htmlscrubber.mdwn b/doc/plugins/htmlscrubber.mdwn index 6ce297a86..d7bcf8099 100644 --- a/doc/plugins/htmlscrubber.mdwn +++ b/doc/plugins/htmlscrubber.mdwn @@ -36,3 +36,4 @@ plugin is active: * CSS script test * entity-encoded CSS script test * entity-encoded CSS script test +* click me diff --git a/t/htmlize.t b/t/htmlize.t index a9ccfedcb..edf357010 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,7 +1,7 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 4; +use Test::More tests => 26; use Encode; BEGIN { use_ok("IkiWiki"); } @@ -19,3 +19,52 @@ is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")), "utf8; bug #373203"); ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); + +sub gotcha { + my $html=IkiWiki::htmlize("foo", "mdwn", shift); + return $html =~ /GOTCHA/; +} +ok(!gotcha(q{click me}), + "javascript url"); +ok(!gotcha(q{click me}), + "partially encoded javascript url"); +ok(!gotcha(q{click me}), + "jscript url"); +ok(!gotcha(q{click me}), + "vbscrpt url"); +ok(!gotcha(q{click me}), + "java-tab-script url"); +ok(!gotcha(q{foo}), + "entity-encoded CSS script test"); +ok(!gotcha(q{foo}), + "another entity-encoded CSS script test"); +ok(!gotcha(q{}), + "script tag"); +ok(!gotcha(q{
foo
}), + "form action with javascript"); +ok(!gotcha(q{}), + "video poster with javascript"); +ok(!gotcha(q{a}), + "CSS script test"); +ok(! gotcha(q{}), + "data:text/javascript (jeez!)"); +ok(gotcha(q{}), "data:text/png"); +ok(gotcha(q{}), "data:text/gif"); +ok(gotcha(q{}), "data:text/jpeg"); +ok(gotcha(q{

javascript:alert('GOTCHA')

}), + "not javascript AFAIK (but perhaps some web browser would like to + be perverse and assume it is?)"); +ok(gotcha(q{}), "not javascript"); +ok(gotcha(q{foo}), "not javascript"); +is(IkiWiki::htmlize("foo", "mdwn", + q{foo}), + q{foo}, "img with alt tag allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "absolute url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "relative url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{bar}), + q{bar}, "class attribute allowed");