github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-09 14:48:01 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix protocol checking in sanitization [CVE-2013-1857]

Browse Source 
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
This commit is contained in:
Aaron Patterson
2013-03-15 15:04:00 -07:00
parent c0d06633f0
commit 99123ad12f
2 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb vendored
View File

@@ -66,7 +66,7 @@ module HTML
# A regular expression of the valid characters used to separate protocols like
# the ':' in 'http://foo.com'
self.protocol_separator = /:|(&#0*58)|(&#x70)|(%|%)3A/
self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i
# Specifies a Set of HTML attributes that can have URIs.
self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
@@ -171,7 +171,7 @@ module HTML
def contains_bad_protocols?(attr_name, value)
uri_attributes.include?(attr_name) &&
(value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
(value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
end
end
end

10
actionpack/test/template/html-scanner/sanitizer_test.rb
View File

@@ -176,6 +176,7 @@ class SanitizerTest < ActionController::TestCase
%(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
%(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
%(<IMG SRC=" &#14; javascript:alert('XSS');">),
%(<IMG SRC="javascript&#x3a;alert('XSS');">),
%(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
assert_sanitized img_hack, "<img>"
@@ -281,6 +282,15 @@ class SanitizerTest < ActionController::TestCase
assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
end
def test_x03a
assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
end
protected
def assert_sanitized(input, expected = nil)
@sanitizer ||= HTML::WhiteListSanitizer.new