
Item1963: Default Foswiki and SafeURIs config weaken SafeWikiPlugin

Priority: Low
Current State: Closed
Released In:
Target Release: n/a
Applies To: Extension
Component: SafeWikiPlugin
Branches:
Reported By: PaulHarvey
Waiting For: Main.PaulHarvey
Last Change By: PaulHarvey
As shipped, $Foswiki::cfg::{SafeWikiPlugin}{SafeURIs} allows any URI that begins with DefaultUrlHost, localhost, and /.

This allows anybody to attach a nasty .js, .css, etc. file containing any arbitrary CSS/JS they like, bypassing SafeWikiPlugin entirely.

As a proof of concept, I tested attaching a file named evil_js.txt to a topic, containing the following code:

$(document).ready(function() {
    window.location = "http://www.google.com.au/";
});

And I was able to execute it by embedding this into a Sandbox topic:

<script src="%ATTACHURLPATH%/evil_js.txt" type="text/javascript"></script>

Perhaps we can make the following change:

Index: SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec
===================================================================
--- SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec   (revision 4704)
+++ SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec   (working copy)
@@ -17,7 +17,7 @@
 # Array of perl regular expressions, one of which must be matched for
 # a URI used in a Foswiki page to be passed unfiltered. You can
 # use other Foswiki::cfg variables in the the strings here.
-$Foswiki::cfg{Plugins}{SafeWikiPlugin}{SafeURI} = ['^/','^http://localhost(:.*)?/','^$Foswiki::cfg{DefaultUrlHost}/'];
+$Foswiki::cfg{Plugins}{SafeWikiPlugin}{SafeURI} = ['^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}'];
 
 # **STRING 30**
 # String used to replace dodgy URIs. Can be a URI if you want.
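Review bot: the replacement regex in this hunk, `^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}`, ends on the web name with no terminator, so with the usual values it becomes `^/pub/System` and also admits `/pub/System2/...`, `/pub/SystemAttachments/...` or any other web whose name merely starts with the system web's; end it with `/`. The match is also performed on the literal string in the page rather than on the path the browser will request, so `/pub/System/../Sandbox/SomeTopic/evil_js.txt` still satisfies `^/pub/System` while fetching an attachment from a user web; collapse `.` and `..` segments (including their percent-encoded forms) before matching, or reject any URI that contains a `..` segment. Unless the plugin quotemetas the interpolated cfg values, a regex metacharacter in `PubUrlPath` or `SystemWebName` changes the pattern, so escape them at expansion time. Dropping the `localhost` and `DefaultUrlHost` entries also means an absolute URL to the site's own System pub now gets filtered; if that is meant to keep working, add `^$Foswiki::cfg{DefaultUrlHost}$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}/` rather than the old host-wide prefix. Minor: the unchanged comment above still reads "the the strings".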

Also, perhaps it would be best if SafeWikiPlugin stripped all <script> and <style> elements from the HTML body?

-- PaulHarvey - 24 Aug 2009
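To make the bypass in the report and the effect of the proposed regex concrete, here is an added Python model of the SafeURI allow-list check (example code written for this page, not SafeWikiPlugin's own Perl). The site values in CFG, the Sandbox topic and attachment names, and the probe URIs are assumptions. Beyond what the report shows, it also runs the check against the browser-canonical form of the URI, which is what a `..` segment in a `/pub/System/...` path turns into before the request is made.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumed values for the Foswiki::cfg variables that SafeURI regexes
# interpolate (a hypothetical site, not one named in the report).
CFG = {
    "DefaultUrlHost": "http://wiki.example.org",
    "PubUrlPath": "/pub",
    "SystemWebName": "System",
}

# The as-shipped list quoted in the report, with the cfg variable expanded.
SHIPPED_SAFE_URI = [
    r"^/",
    r"^http://localhost(:.*)?/",
    "^" + re.escape(CFG["DefaultUrlHost"]) + "/",
]

# The patch's replacement, expanded the same way.  Nothing follows the web
# name, so '^/pub/System' is also a prefix of '/pub/SystemX'.
PROPOSED_SAFE_URI = [
    "^" + re.escape(CFG["PubUrlPath"]) + "/" + re.escape(CFG["SystemWebName"]),
]

# Same list with the web name closed off by a trailing slash.
TIGHT_SAFE_URI = [p + "/" for p in PROPOSED_SAFE_URI]

# What %ATTACHURLPATH%/evil_js.txt expands to in a Sandbox topic
# (web and topic name assumed).
ATTACK_URI = "/pub/Sandbox/SafeWikiTest/evil_js.txt"


def uri_passes(uri, safe_uri):
    """The allow-list rule from Config.spec: a URI is passed unfiltered
    when at least one SafeURI regex matches it."""
    return any(re.search(pattern, uri) for pattern in safe_uri)


def canonical(uri):
    """Rewrite the URI into the form the browser will actually request:
    percent-decode the path and collapse '.' and '..' segments.  Matching
    the raw page text instead of this form is what lets
    '/pub/System/../Sandbox/...' slip past a '^/pub/System' regex."""
    parts = urlsplit(uri)
    path = unquote(parts.path)
    if path:
        collapsed = posixpath.normpath(path)
        # normpath drops a trailing slash; keep it so '.../System/' stays a directory
        if path.endswith("/") and not collapsed.endswith("/"):
            collapsed += "/"
        path = collapsed
    return urlunsplit(parts._replace(path=path))


def uri_passes_canonical(uri, safe_uri):
    """Allow-list check applied to the canonical form of the URI."""
    return uri_passes(canonical(uri), safe_uri)


if __name__ == "__main__":
    traversal = "/pub/System/../" + ATTACK_URI[len("/pub/"):]
    samples = [ATTACK_URI, traversal, "/pub/SystemX/evil.js",
               "/pub/System/JQueryPlugin/jquery.js"]
    for name, rules, check in (("shipped", SHIPPED_SAFE_URI, uri_passes),
                               ("proposed", PROPOSED_SAFE_URI, uri_passes),
                               ("tight+canonical", TIGHT_SAFE_URI, uri_passes_canonical)):
        for uri in samples:
            verdict = "PASS" if check(uri, rules) else "filter"
            print(name.ljust(16), verdict.ljust(6), uri)
```

The shipped list passes the Sandbox attachment outright because of `^/`; the proposed list filters it but still passes the `..` form and the `SystemX` prefix, and only the trailing-slash list applied to the canonical URI filters all three while still passing a real System-web script.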

I'll try to make a Checker in configure that warns if URL includes are permitted. Stripping <script> tags to be worked on at Item8256.

-- PaulHarvey - 26 Aug 2009

This task fell off my radar. Will fix this in the next 48 hours.
  • Configure checker should warn if HTTP URL includes are allowed.
  • Configure checker should warn if FW is set to strip inline script tags in the body.
  • Configure checker should warn if SafeURI allows src paths other than /pub/System

-- PaulHarvey - 17 Sep 2009
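An added sketch, in Python rather than the configure checker's Perl, of the third bullet above: expand the `$Foswiki::cfg{...}` references a SafeURI string may contain, then probe each regex with constructed URIs that a sane list must filter and warn on any that pass. This is example code for this page, not the checker that was committed; the CFG values and probe URIs are assumptions.

```python
import re

# Assumed site values for the cfg variables the Config.spec comment says the
# SafeURI strings may reference.
CFG = {
    "DefaultUrlHost": "http://wiki.example.org",
    "PubUrlPath": "/pub",
    "SystemWebName": "System",
}

# Constructed URIs that a sane SafeURI list must filter: attachments in a
# user-writable web (relative, via localhost, via the site host), a web whose
# name merely starts with the system web's, and an external host.
PROBE_URIS = [
    "/pub/Sandbox/SafeWikiTest/evil_js.txt",
    "http://localhost/pub/Sandbox/SafeWikiTest/evil_js.txt",
    "http://wiki.example.org/pub/Sandbox/SafeWikiTest/evil_js.txt",
    "/pub/SystemX/evil.js",
    "http://attacker.example.net/evil.js",
]

CFG_REF = re.compile(r"\$Foswiki::cfg\{(\w+)\}")


def expand_cfg(pattern, cfg):
    """Substitute $Foswiki::cfg{Name} references with the configured value.
    The value is spliced in as regex text, so a '.' in DefaultUrlHost acts
    as a wildcard; escape values with re.escape if that is not wanted."""
    return CFG_REF.sub(lambda m: cfg[m.group(1)], pattern)


def check_safe_uri(safe_uri, cfg, probes=PROBE_URIS):
    """Return one warning per SafeURI entry that lets a probe URI through
    (or that does not compile).  An empty list means the list is as tight
    as this probe set can tell."""
    warnings = []
    for raw in safe_uri:
        try:
            rx = re.compile(expand_cfg(raw, cfg))
        except (KeyError, re.error) as exc:
            warnings.append("%s: cannot compile (%s)" % (raw, exc))
            continue
        for uri in probes:
            if rx.search(uri):
                warnings.append("%s: passes %s" % (raw, uri))
    return warnings


# The shipped list, the patch's proposal, and the proposal with a closing slash.
SHIPPED = ["^/", "^http://localhost(:.*)?/", "^$Foswiki::cfg{DefaultUrlHost}/"]
PROPOSED = ["^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}"]
TIGHT = ["^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}/"]

if __name__ == "__main__":
    for name, rules in (("shipped", SHIPPED), ("proposed", PROPOSED), ("tight", TIGHT)):
        for warning in check_safe_uri(rules, CFG) or ["no liberal regex found"]:
            print(name, "-", warning)
```

A probe set like this is only as good as the paths in it; a real checker would generate the user-web probes from the configured webs rather than a fixed list, but the shape of the check is the same.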

Updated the regexes in Config.spec; still requires Paul's checker, though. Priority dropped from Urgent to Low.

-- CrawfordCurrie - 17 Sep 2009

Added checkers for URL includes and AllowInlineScript.

I'll add another checker to warn about liberal SafeURI regexps later this month.

-- PaulHarvey - 18 Sep 2009

Now have sanity checks on SafeURI and UnsafeURI, but they are only very basic...

-- PaulHarvey - 18 Nov 2009


Summary: Default Foswiki and SafeURIs config weaken SafeWikiPlugin
ReportedBy: PaulHarvey
Codebase: trunk
SVN Range: Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo: Extension
Component: SafeWikiPlugin
Priority: Low
CurrentState: Closed
WaitingFor: PaulHarvey
Checkins: SafeWikiPlugin:db990d0b545f SafeWikiPlugin:c6270b8843fa SafeWikiPlugin:33202f386ba7
TargetRelease: n/a
ReleasedIn:
Topic revision: r12 - 18 Nov 2009, PaulHarvey

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License