From 2451894c4569c0a3974ea3d729c9da8f408ad109 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 10 Feb 2008 13:36:17 -0500 Subject: [PATCH] backport htmlscrubber javascript uri sanitisation fix from master --- IkiWiki/Plugin/htmlscrubber.pm | 31 +++++++++++++++++++-- debian/changelog | 7 +++++ doc/plugins/htmlscrubber.mdwn | 8 ++++++ t/htmlize.t | 51 +++++++++++++++++++++++++++++++++- 4 files changed, 93 insertions(+), 4 deletions(-) diff --git a/IkiWiki/Plugin/htmlscrubber.pm b/IkiWiki/Plugin/htmlscrubber.pm index ae3ec4456..c4a0d60af 100644 --- a/IkiWiki/Plugin/htmlscrubber.pm +++ b/IkiWiki/Plugin/htmlscrubber.pm @@ -18,6 +18,28 @@ my $_scrubber; sub scrubber { #{{{ return $_scrubber if defined $_scrubber; + # Only known uri schemes are allowed to avoid all the ways of + # embedding javascrpt. + # List at http://en.wikipedia.org/wiki/URI_scheme + my $uri_schemes=join("|", + # IANA registered schemes + "http", "https", "ftp", "mailto", "file", "telnet", "gopher", + "aaa", "aaas", "acap", "cap", "cid", "crid", + "dav", "dict", "dns", "fax", "go", "h323", "im", "imap", + "ldap", "mid", "news", "nfs", "nntp", "pop", "pres", + "sip", "sips", "snmp", "tel", "urn", "wais", "xmpp", + "z39.50r", "z39.50s", + # data is a special case. Allow data:text/, but + # disallow data:text/javascript and everything else. + qr/data:text\/(?:png|gif|jpeg)/, + # Selected unofficial schemes + "about", "aim", "callto", "cvs", "ed2k", "feed", "fish", "gg", + "irc", "ircs", "lastfm", "ldaps", "magnet", "mms", + "msnim", "notes", "rsync", "secondlife", "skype", "ssh", + "sftp", "sms", "steam", "webcal", "ymsgr", + ); + my $link=qr/^(?:$uri_schemes:|[^:]+$)/i; + eval q{use HTML::Scrubber}; error($@) if $@; # Lists based on http://feedparser.org/docs/html-sanitization.html @@ -32,19 +54,22 @@ sub scrubber { #{{{ tfoot th thead tr tt u ul var }], default => [undef, { map { $_ => 1 } qw{ - abbr accept accept-charset accesskey action + abbr accept accept-charset accesskey align alt axis border cellpadding cellspacing char charoff charset checked cite class clear cols colspan color compact coords datetime dir disabled enctype for frame - headers height href hreflang hspace id ismap + headers height hreflang hspace id ismap label lang longdesc maxlength media method multiple name nohref noshade nowrap prompt readonly rel rev rows rowspan rules scope - selected shape size span src start summary + selected shape size span start summary tabindex target title type usemap valign value vspace width }, "/" => 1, # emit proper
XHTML + href => $link, + src => $link, + action => $link, }], ); return $_scrubber; diff --git a/debian/changelog b/debian/changelog index 027785277..4776e1461 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ikiwiki (1.33.4) testing-proposed-updates; urgency=medium + + * htmlscrubber security fix: Block javascript in uris. + * Add htmlscrubber test suite. + + -- Joey Hess Sun, 10 Feb 2008 13:34:28 -0500 + ikiwiki (1.33.3) testing-proposed-updates; urgency=medium * Fix a security hole that allowed insertion of unsafe content via the meta diff --git a/doc/plugins/htmlscrubber.mdwn b/doc/plugins/htmlscrubber.mdwn index e3652a847..144594659 100644 --- a/doc/plugins/htmlscrubber.mdwn +++ b/doc/plugins/htmlscrubber.mdwn @@ -29,6 +29,14 @@ browser. Some examples of embedded javascript that won't be let through when this plugin is active: +<<<<<<< HEAD:doc/plugins/htmlscrubber.mdwn * test * test * test +======= +* script tag test +* CSS script test +* entity-encoded CSS script test +* entity-encoded CSS script test +* click me +>>>>>>> d7e0c03... * htmlscrubber security fix: Block javascript in uris.:doc/plugins/htmlscrubber.mdwn diff --git a/t/htmlize.t b/t/htmlize.t index a9ccfedcb..edf357010 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,7 +1,7 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 4; +use Test::More tests => 26; use Encode; BEGIN { use_ok("IkiWiki"); } @@ -19,3 +19,52 @@ is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")), "utf8; bug #373203"); ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); + +sub gotcha { + my $html=IkiWiki::htmlize("foo", "mdwn", shift); + return $html =~ /GOTCHA/; +} +ok(!gotcha(q{click me}), + "javascript url"); +ok(!gotcha(q{click me}), + "partially encoded javascript url"); +ok(!gotcha(q{click me}), + "jscript url"); +ok(!gotcha(q{click me}), + "vbscrpt url"); +ok(!gotcha(q{click me}), + "java-tab-script url"); +ok(!gotcha(q{foo}), + "entity-encoded CSS script test"); +ok(!gotcha(q{foo}), + "another entity-encoded CSS script test"); +ok(!gotcha(q{}), + "script tag"); +ok(!gotcha(q{
foo
}), + "form action with javascript"); +ok(!gotcha(q{}), + "video poster with javascript"); +ok(!gotcha(q{a}), + "CSS script test"); +ok(! gotcha(q{}), + "data:text/javascript (jeez!)"); +ok(gotcha(q{}), "data:text/png"); +ok(gotcha(q{}), "data:text/gif"); +ok(gotcha(q{}), "data:text/jpeg"); +ok(gotcha(q{

javascript:alert('GOTCHA')

}), + "not javascript AFAIK (but perhaps some web browser would like to + be perverse and assume it is?)"); +ok(gotcha(q{}), "not javascript"); +ok(gotcha(q{foo}), "not javascript"); +is(IkiWiki::htmlize("foo", "mdwn", + q{foo}), + q{foo}, "img with alt tag allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "absolute url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{}), + q{}, "relative url allowed"); +is(IkiWiki::htmlize("foo", "mdwn", + q{bar}), + q{bar}, "class attribute allowed"); -- 2.26.2