Opened 4 years ago

Closed 4 years ago

#7239 closed defect (fixed)

serious concerns related to use of HTML generator with potentially insecure input

Reported by: hasienda
Owned by: hasienda
Priority: high
Component: WikiTicketCalendarMacro
Severity: blocker
Keywords: security precaution HTML input unsanitized
Cc: rjollos
Trac Release: 0.11

Description

Is it still safe for your use case to use WikiTicketCalendarMacro in its current state?

I'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for the advice from Odd Simon Simonsen on the #trac IRC channel today.

The bottom line is the use of the Genshi HTML generator Markup(), which was meant for known-good and tightly controlled safe code only; this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.

To date there is no known case where this has been used for an exploit. But be assured that I still take this really seriously and will try to fix it after investigating alternatives and looking at how other plugin authors dealt with this issue.

Attachments (0)

Change History (7)

comment:1 Changed 4 years ago by hasienda

  • Status changed from new to assigned

WikiTicketCalendarMacro wiki page has a prominent warning pointing at this ticket right now.

comment:2 Changed 4 years ago by hasienda

[8113] aims at fixing the critical parts. Test it and report back, please. Getting a positive reply soon will speed up the merge/release of new, safer branch versions.

comment:3 Changed 4 years ago by hasienda

Tooltip texts that show the beginning of the ticket description are almost unreadable now. There has to be a better way.

comment:4 Changed 4 years ago by hasienda

Distorted tooltips are fixed with [8163] again, adding even more sanitizing steps.

There is quite a lot of new code now that could introduce as much bad as it tries to do good, so I'd love to get some review and comments on the changes now.

comment:5 Changed 4 years ago by hasienda

See #7304 tracking improvements for ticket description tooltips.

comment:6 Changed 4 years ago by hasienda

The HTML construction is fully under the control of Genshi now (see changeset [8204]). I've not done an in-depth security analysis, but according to current best coding practice this should be enough to cope with malicious user input to tickets and even bad administrator input to milestone names.

After testing in a production environment I'll merge the changes of recent development to the branches, so we'll have the anticipated security fix release for 0.11 and 0.12 after a few more days.
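The pattern named in the ticket description (wrapping a format string that interpolates ticket and milestone summaries in Genshi's Markup(), which blesses it as already-safe HTML) and the direction of the fix in comment:6 (letting Genshi build and escape the markup), shown side by side. This is an added example, not code from WikiTicketCalendarMacro or from the changesets referenced above. It uses only the Python standard library, so html.escape stands in for Genshi's escape()/tag builder and plain string formatting stands in for the Markup() call; the ticket and milestone data are constructed for illustration.

```python
"""Added example (not WikiTicketCalendarMacro code): the shape of the bug
behind #7239 and of its fix.

Genshi's Markup() marks a string as trusted HTML and inserts it verbatim.
Passing it a formatted string that contains ticket or milestone summaries
lets whoever can set a summary inject arbitrary markup into the calendar.
The fix is to escape every untrusted value in the context it lands in
(element text, attribute value, URL) before it becomes HTML; Genshi's
tag builder and escape() do exactly that.
"""
from html import escape

# Constructed sample data (assumption, not from any real ticket): one
# benign ticket and one whose summary/description carry markup.
TICKETS = [
    {"id": 42, "summary": "Fix calendar layout", "desc": "Tooltip text"},
    {"id": 43,
     "summary": '<img src=x onerror="alert(1)">',
     "desc": 'x" onmouseover="alert(2)'},
]
# Milestone names are administrator input, but still untrusted for HTML.
MILESTONE = 'Release <b>1.0</b>'


def render_vulnerable(tickets, milestone):
    """Pre-fix shape: format untrusted strings, then treat the result as safe.

    Equivalent to Markup('...%s...' % summary): the summary text enters the
    document as live markup, so the tags above survive as tags.
    """
    items = "".join(
        '<li><a href="/ticket/%d" title="%s">#%d: %s</a></li>'
        % (t["id"], t["desc"], t["id"], t["summary"]) for t in tickets
    )
    return '<div class="cal-day"><h4>%s</h4><ul>%s</ul></div>' % (milestone, items)


def render_hardened(tickets, milestone):
    """Escape each untrusted value for the context it is placed in.

    html.escape(quote=True) covers both element text and double-quoted
    attribute values (the tooltip in title=""). The ticket id is forced to
    int before it is used in the href so nothing but digits can reach the
    URL. With Genshi, tag.a(summary, href=..., title=desc) applies the same
    escaping implicitly; it is spelled out here to make it visible.
    """
    items = "".join(
        '<li><a href="/ticket/%d" title="%s">#%d: %s</a></li>'
        % (int(t["id"]), escape(t["desc"], quote=True),
           int(t["id"]), escape(t["summary"], quote=True))
        for t in tickets
    )
    return '<div class="cal-day"><h4>%s</h4><ul>%s</ul></div>' % (
        escape(milestone, quote=True), items)


def contains_injected_markup(html_out):
    """Check used below: did any attacker-supplied markup survive as markup?"""
    return ("<img" in html_out or 'onmouseover="' in html_out
            or "<b>" in html_out)


if __name__ == "__main__":
    print(render_vulnerable(TICKETS, MILESTONE))   # injected tags intact
    print(render_hardened(TICKETS, MILESTONE))     # tags rendered as text
```

Run it as a script to see both renderings; the hardened output shows the hostile summary as literal text inside the link and keeps the tooltip inside its title attribute, which is the property comment:6 relies on Genshi to guarantee.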

comment:7 Changed 4 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [8263]) WikiTicketCalendarMacro: Copy trunk to 0.12 and merge changes to 0.11 as well, closes #7239 #7236 #3159 #7304.

This is a major push to get the latest development into both currently
maintained branches. Next to a large rewrite for saner HTML generation
there is a new approach to ticket description preview by native CSS style
text boxes. Expect some more subtle tweaks to calendar presentation as well.
