Opened 12 years ago

Closed 12 years ago

#7239 closed defect (fixed)

serious concerns related to use of HTML generator with potentially insecure input

Reported by: Steffen Hoffmann Owned by: Steffen Hoffmann
Priority: high Component: WikiTicketCalendarMacro
Severity: blocker Keywords: security precaution HTML input unsanitized
Cc: Ryan J Ollos Trac Release: 0.11


Is it still save for your use case to use WikiTicketCalendarMacro in it's current state?

I'm sorry for the inconvenience, but you should think twice, since it was kindly brought to my attention, that it is quite possible to trick WikiTicketCalendarMacro into showing not Milestone and Ticket data but completely different things by preparing maliciously formed Milestone/Ticket summaries. Thanks for advice by Odd Simon Simonsen at #trac IRC channel today.

The bottom line is about using the Genshi HTML generator Markup(), that was meant for known good and tightly controlled safe code only, while this is not the case in WikiTicketCalendarMacro, and it never was since the generator call was introduced with version 0.5.0 in October 2009.

There to date is no known case, where this had been used for an exploit. But be assured, that I take this still really serious and will try to fix it after investigation of alternatives and looking at how other plugin authors dealt with this issue.

Attachments (0)

Change History (7)

comment:1 Changed 12 years ago by Steffen Hoffmann

Status: newassigned

WikiTicketCalendarMacro wiki page has a prominent warning pointing at this ticket right now.

comment:2 Changed 12 years ago by Steffen Hoffmann

[8113] aims at fixing critical parts. Test it and report back, please. Getting positive reply soon will speed up the merge/release of new, safer branch versions.

comment:3 Changed 12 years ago by Steffen Hoffmann

Tooltip texts that show beginning of ticket description are almost unreadable now. There has to be a better way.

comment:4 Changed 12 years ago by Steffen Hoffmann

Distorted tooltips is fixed with [8163] again, adding even more sanitizing steps.

There is quite some new code now, that could introduce as much bad as it tries to do good, so I'd love to get some review and comments on the changes now.

comment:5 Changed 12 years ago by Steffen Hoffmann

See #7304 tracking improvements for ticket description tooltips.

comment:6 Changed 12 years ago by Steffen Hoffmann

The HTML construction is fully under control of Genshi now (see changeset [8204]). I've not done a in-deep security analysis but according to current best coding practice this should be enough to cope with malicious user input to ticket and even bad administrator input to milestone names.

After testing in production environment I'll merge the changes of recent development to branches, so we'll have the anticipated security fix release for 0.11 and 0.12 after few more days.

comment:7 Changed 12 years ago by Steffen Hoffmann

Resolution: fixed
Status: assignedclosed

(In [8263]) WikiTicketCalendarMacro: Copy trunk to 0.12 and merge changes to 0.11 as well, closes #7239 #7236 #3159 #7304.

This is a major push to get latest development into both currently maintained branches. Next to a lang rewrite for saner HTML generation there is a new approach to ticket description preview by native CSS style text boxes. Expect some more subtle tweaks to calendar presentation as well.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Steffen Hoffmann.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.