Item1963: Default Foswiki and SafeURIs config weaken SafeWikiPlugin
Priority: Low
Current State: Closed
Released In:
Target Release: n/a
As shipped, $Foswiki::cfg::{SafeWikiPlugin}{SafeURIs} allows any URI that begins with DefaultUrlHost, localhost, and /.
This allows anybody to attach a nasty .js, .css, etc. file containing any arbitrary CSS/JS they like, bypassing SafeWikiPlugin entirely.
As a proof of concept, I tested attaching a file named evil_js.txt to a topic, containing the following code:
$(document).ready(function() {
window.location = "http://www.google.com.au/";
});
And I was able to execute it by embedding this into a Sandbox topic:
<script src="%ATTACHURLPATH%/evil_js.txt" type="text/javascript"></script>
Perhaps we can make the following change:
Index: SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec
===================================================================
--- SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec (revision 4704)
+++ SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec (working copy)
@@ -17,7 +17,7 @@
# Array of perl regular expressions, one of which must be matched for
# a URI used in a Foswiki page to be passed unfiltered. You can
# use other Foswiki::cfg variables in the the strings here.
-$Foswiki::cfg{Plugins}{SafeWikiPlugin}{SafeURI} = ['^/','^http://localhost(:.*)?/','^$Foswiki::cfg{DefaultUrlHost}/'];
+$Foswiki::cfg{Plugins}{SafeWikiPlugin}{SafeURI} = ['^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}'];
# **STRING 30**
# String used to replace dodgy URIs. Can be a URI if you want.
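Review bot: the replacement pattern '^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}' has no trailing slash, so it also matches any web whose name merely begins with the System web name; appending '/' anchors it to the intended web. Dropping the '^$Foswiki::cfg{DefaultUrlHost}/' and '^http://localhost(:.*)?/' entries in the same line also means host-prefixed absolute URLs to the same System attachments will now be filtered, which is worth stating in the comment above the setting so admins know only the path-relative form is accepted.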
Also, perhaps it would be best if SafeWikiPlugin stripped all <script> and <style> elements from the HTML body?
--
PaulHarvey - 24 Aug 2009
I'll try to make a Checker in configure that warns if URL includes are permitted. Stripping <script> tags to be worked on at Item8256.
--
PaulHarvey - 26 Aug 2009
This task fell off my radar. Will fix this in the next 48 hours.
- Configure checker should warn if HTTP URL includes are allowed.
- Configure checker should warn if FW is set to strip inline script tags in the body.
- Configure checker should warn if SafeURI allows src paths other than /pub/System
--
PaulHarvey - 17 Sep 2009
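The following is an added example, not code from this task or from SafeWikiPlugin, showing the kind of sanity check the 17 Sep comment describes: it evaluates a SafeURI allow-list against the shipped and the proposed patterns from the first post and warns when a user-attachable pub path (anything outside PubUrlPath/SystemWebName) is let through. The %cfg values and the probe URIs are constructed stand-ins, not real site settings; the expand_cfg helper mimics the Config.spec note that other Foswiki::cfg variables can appear in the pattern strings.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the Foswiki::cfg entries the patterns refer to
# (hypothetical values, not a real site's configuration).
my %cfg = (
    DefaultUrlHost => 'http://wiki.example.org',
    PubUrlPath     => '/pub',
    SystemWebName  => 'System',
);

# Expand '$Foswiki::cfg{Key}' references inside a SafeURI pattern string,
# the way Config.spec says other cfg variables may be used in the patterns.
sub expand_cfg {
    my ($pattern) = @_;
    $pattern =~ s/\$Foswiki::cfg\{(\w+)\}/exists $cfg{$1} ? $cfg{$1} : ''/ge;
    return $pattern;
}

# True if $uri matches at least one allow-list pattern.
sub uri_is_safe {
    my ($uri, $patterns) = @_;
    for my $p (@$patterns) {
        my $re = expand_cfg($p);
        return 1 if $uri =~ /$re/;
    }
    return 0;
}

# Checker: return a warning for every probe URI that passes the allow-list
# but does not live under PubUrlPath/SystemWebName (i.e. could be a user
# attachment). The probes are constructed sample URIs.
sub check_safe_uri {
    my ($patterns) = @_;
    my @probes = (
        "$cfg{PubUrlPath}/$cfg{SystemWebName}/SomePlugin/some.js",      # should be allowed
        "$cfg{PubUrlPath}/Sandbox/TestTopic/evil_js.txt",                # user attachment
        "$cfg{DefaultUrlHost}$cfg{PubUrlPath}/Sandbox/TestTopic/evil_js.txt",
        "http://localhost/pub/Sandbox/TestTopic/evil_js.txt",
        "$cfg{PubUrlPath}/${\ $cfg{SystemWebName}}Extra/TestTopic/evil_js.txt", # web whose name starts with "System"
    );
    my $system_prefix = qr{^(?:\Q$cfg{DefaultUrlHost}\E)?\Q$cfg{PubUrlPath}/$cfg{SystemWebName}\E/};
    my @warnings;
    for my $uri (@probes) {
        next unless uri_is_safe($uri, $patterns);
        next if $uri =~ $system_prefix;
        push @warnings, "SafeURI permits a user-attachable path: $uri";
    }
    return @warnings;
}

# The two allow-lists from the Config.spec hunk in the first post.
my @shipped  = ('^/', '^http://localhost(:.*)?/', '^$Foswiki::cfg{DefaultUrlHost}/');
my @proposed = ('^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}');

for my $set ([shipped => \@shipped], [proposed => \@proposed]) {
    my ($name, $pats) = @$set;
    my @w = check_safe_uri($pats);
    print "$name: ", (@w ? join("\n  ", 'WARN', @w) : 'ok'), "\n";
}
```

Run stand-alone, the shipped list produces warnings for all three Sandbox probes (each of '^/', the localhost entry and the DefaultUrlHost entry admits one of them), while the proposed list only trips on the last probe, which is there to show why the replacement pattern needs a trailing slash after the System web name.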
Updated the regexes in Config.spec; still requires Paul's checker, tho. Priority dropped from Urgent to Low.
--
CrawfordCurrie - 17 Sep 2009
Added checkers for URL includes and AllowInlineScript.
I'll add another checker to warn about liberal SafeURI regexps later this month.
--
PaulHarvey - 18 Sep 2009
Now have sanity checks on SafeURI and UnsafeURI, but are only very basic...
--
PaulHarvey - 18 Nov 2009