serious concerns related to use of HTML generator with potentially insecure input
Reported by: Steffen Hoffmann
Owned by: Steffen Hoffmann
Severity: blocker
Keywords: security precaution HTML input unsanitized
Cc: Ryan J Ollos
Trac Release: 0.11
Is it still safe for your use case to use WikiTicketCalendarMacro in its current state?
I'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for the advice from Odd Simon Simonsen on the #trac IRC channel today.
The bottom line is about using the Genshi HTML generator Markup(), which was meant for known-good and tightly controlled safe code only, while this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.
To date there is no known case where this has been used for an exploit. But be assured that I still take this really seriously and will try to fix it after investigating alternatives and looking at how other plugin authors dealt with this issue.
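The pattern the ticket describes, as an added example that is not part of the ticket or of the WikiTicketCalendarMacro code. It uses only the Python standard library: the `Markup` class and `escape()` below are a small stand-in modelled on `genshi.core.Markup` and `genshi.core.escape` (a `str` subclass that means "trusted HTML", and an escaper that passes such instances through untouched). The ticket summaries, ticket ids and the `render_cell_*` function names are constructed for illustration and do not come from any real Trac install or from the plugin.

```python
import html


# Stand-in for genshi.core.Markup: a str subclass that flags a string as
# trusted HTML to be emitted verbatim. Genshi's escape() passes Markup
# through unchanged, which is exactly why wrapping raw ticket text in
# Markup() is dangerous: it silences escaping for everything inside.
class Markup(str):
    """HTML that will be emitted verbatim, without escaping."""


def escape(text):
    """Escape text for HTML unless it is already trusted Markup."""
    if isinstance(text, Markup):
        return text
    return Markup(html.escape(str(text), quote=True))


# Constructed sample summaries (hypothetical, not real ticket data).
# Ticket 102 carries a summary crafted to break out of the calendar cell.
SUMMARIES = {
    101: "Fix calendar week start",
    102: '</td></table><script>alert("owned")</script><table><tr><td>',
}


def render_cell_unsafe(ticket_id, summary):
    # The flawed pattern: interpolate the raw, user-controlled summary into an
    # HTML string and then declare the whole result trusted with Markup().
    return Markup('<a href="/ticket/%d">#%d: %s</a>' % (ticket_id, ticket_id, summary))


def render_cell_safe(ticket_id, summary):
    # Escape the untrusted summary first; only the fixed template is trusted.
    return Markup('<a href="/ticket/%d">#%d: %s</a>'
                  % (ticket_id, ticket_id, escape(summary)))


def render_calendar_cell(summaries, safe=True):
    """Render all ticket links for one calendar day cell."""
    renderer = render_cell_safe if safe else render_cell_unsafe
    return Markup("".join(renderer(tid, s) for tid, s in sorted(summaries.items())))


def injects_markup(rendered):
    """Crude check: does the output contain a tag the template never emits?"""
    return "<script" in rendered or "</table>" in rendered


if __name__ == "__main__":
    print(render_calendar_cell(SUMMARIES, safe=False))  # script tag survives
    print(render_calendar_cell(SUMMARIES, safe=True))   # script tag is escaped
```

In real Genshi code the equivalent fix is to pass the untrusted summary through `genshi.core.escape()` (or build the element with `genshi.builder.tag`, which escapes plain strings itself) and reserve `Markup()` for the fixed template text the plugin author wrote.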