Opened 14 years ago
Closed 14 years ago
#7239 closed defect (fixed)
serious concerns related to use of HTML generator with potentially insecure input
Reported by: | Steffen Hoffmann | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | high | Component: | WikiTicketCalendarMacro |
Severity: | blocker | Keywords: | security precaution HTML input unsanitized |
Cc: | Ryan J Ollos | Trac Release: | 0.11 |
Description
Is it still safe for your use case to use WikiTicketCalendarMacro in its current state?
I'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for the advice from Odd Simon Simonsen on the #trac IRC channel today.
The bottom line is about using the Genshi HTML generator Markup(), which was meant for known good and tightly controlled safe code only, while this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.
To date there is no known case where this has been used for an exploit. But be assured that I still take this really seriously and will try to fix it after investigating alternatives and looking at how other plugin authors dealt with this issue.
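Added example, not the plugin's own code: the raw-interpolation pattern the ticket describes beside an escape-first construction, using a minimal `Markup` stand-in (an assumption here) in place of `genshi.core.Markup` so it runs with the standard library only.

```python
"""Added example (not WikiTicketCalendarMacro code): why wrapping formatted
ticket data in Markup() is unsafe, and the escape-everything-first alternative."""
from html import escape


class Markup(str):
    """Minimal stand-in for genshi.core.Markup (assumed here): a str that the
    template engine emits verbatim, with no further escaping."""


def esc(value):
    """Escape untrusted text for element and attribute context alike.
    Markup values pass through unchanged, mirroring Genshi's escape()."""
    if isinstance(value, Markup):
        return value
    return Markup(escape(str(value), quote=True))


def calendar_cell_unsafe(day, href, summary, description):
    # The pre-fix pattern: raw values are formatted into HTML and the whole
    # string is declared safe, so any tag in a summary becomes real markup.
    return Markup('<td class="day">%d<a href="%s" title="%s">%s</a></td>'
                  % (day, href, description, summary))


def calendar_cell_safe(day, href, summary, description):
    # Every untrusted fragment is escaped first; only the fixed template
    # skeleton is trusted. Same idea as building the cell with
    # genshi.builder.tag, which escapes text and attribute values itself.
    # Escaping only protects markup boundaries; the href's scheme still
    # needs its own validation if it comes from user input.
    return Markup('<td class="day">%d<a href="%s" title="%s">%s</a></td>'
                  % (day, esc(href), esc(description), esc(summary)))


# Constructed sample data: a ticket whose summary closes the link and injects
# foreign content, and whose description breaks out of the title attribute.
SUMMARY = 'Fix login</a><b>not a ticket</b><a href="#'
DESCRIPTION = 'Login" class="milestone'
HREF = "/ticket/42"

if __name__ == "__main__":
    print(calendar_cell_unsafe(3, HREF, SUMMARY, DESCRIPTION))
    print(calendar_cell_safe(3, HREF, SUMMARY, DESCRIPTION))
```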
Attachments (0)
Change History (7)
comment:1 Changed 14 years ago by
Status: | new → assigned |
---|---|
comment:2 Changed 14 years ago by
[8113] aims at fixing critical parts. Test it and report back, please. Getting positive reply soon will speed up the merge/release of new, safer branch versions.
comment:3 Changed 14 years ago by
Tooltip texts that show the beginning of the ticket description are almost unreadable now. There has to be a better way.
comment:4 Changed 14 years ago by
Distorted tooltips are fixed with [8163] again, adding even more sanitizing steps.
There is quite a lot of new code now that could introduce as much bad as it tries to do good, so I'd love to get some review and comments on the changes now.
comment:6 Changed 14 years ago by
The HTML construction is fully under control of Genshi now (see changeset [8204]). I've not done an in-depth security analysis, but according to current best coding practice this should be enough to cope with malicious user input to tickets and even bad administrator input to milestone names.
After testing in a production environment I'll merge the changes of recent development to branches, so we'll have the anticipated security fix release for 0.11 and 0.12 after a few more days.
comment:7 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
(In [8263]) WikiTicketCalendarMacro: Copy trunk to 0.12 and merge changes to 0.11 as well, closes #7239 #7236 #3159 #7304.
This is a major push to get the latest development into both currently maintained branches. Next to a large rewrite for saner HTML generation there is a new approach to ticket description preview by native CSS-styled text boxes. Expect some more subtle tweaks to calendar presentation as well.
WikiTicketCalendarMacro wiki page has a prominent warning pointing at this ticket right now.