
Item1963: Default Foswiki and SafeURIs config weaken SafeWikiPlugin

Priority: Low
Current State: Closed
Released In:
Target Release: n/a
Applies To: Extension
Component: SafeWikiPlugin
Branches:
Reported By: PaulHarvey
Waiting For: Main.PaulHarvey
Last Change By: PaulHarvey
As shipped, $Foswiki::cfg::{SafeWikiPlugin}{SafeURIs} allows any URI that begins with DefaultUrlHost, localhost, and /.

This allows anybody to attach a nasty .js, .css, etc. file containing any arbitrary CSS/JS they like, bypassing SafeWikiPlugin entirely.

As a proof of concept, I tested attaching a file named evil_js.txt to a topic, containing the following code:

$(document).ready(function() {
    window.location = "http://www.google.com.au/";
});

And I was able to execute it by embedding this into a Sandbox topic:

<script src="%ATTACHURLPATH%/evil_js.txt" type="text/javascript"></script>

Perhaps we can make the following change:

Index: SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec
===================================================================
--- SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec   (revision 4704)
+++ SafeWikiPlugin/lib/Foswiki/Plugins/SafeWikiPlugin/Config.spec   (working copy)
@@ -17,7 +17,7 @@
 # Array of perl regular expressions, one of which must be matched for
 # a URI used in a Foswiki page to be passed unfiltered. You can
 # use other Foswiki::cfg variables in the the strings here.
-$Foswiki::cfg{Plugins}{SafeWikiPlugin}{SafeURI} = ['^/','^http://localhost(:.*)?/','^$Foswiki::cfg{DefaultUrlHost}/'];
+$Foswiki::cfg{Plugins}{SafeWikiPlugin}{SafeURI} = ['^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}'];
 
 # **STRING 30**
 # String used to replace dodgy URIs. Can be a URI if you want.
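Review bot: the replacement entry `'^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}'` has no terminator after the web name, so it also passes `/pub/<SystemWebName>Anything/...`, i.e. an attachment in any web whose name merely begins with the System web name; add the trailing slash so the entry reads `'^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}/'`. The interpolated values go into the regex unescaped, so a `.` or other metacharacter in PubUrlPath would match more than the literal path; wrapping the expanded values in `\Q...\E` (or quotemeta) avoids that, though it is minor since both values are admin-controlled. The spec comment above the setting still says "in the the strings"; fix the doubled word while touching the block, and note there that same-host absolute URLs and localhost are no longer whitelisted by default, since that is a behaviour change administrators will notice.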

Also, perhaps it would be best if SafeWikiPlugin stripped all <script> and <style> elements from the HTML body?

-- PaulHarvey - 24 Aug 2009

I'll try to make a Checker in configure that warns if URL includes are permitted. Stripping <script> tags to be worked on at Item8256.

-- PaulHarvey - 26 Aug 2009

This task fell off my radar. Will fix this in the next 48 hours.
  • Configure checker should warn if HTTP URL includes are allowed.
  • Configure checker should warn if FW is set to strip inline script tags in the body.
  • Configure checker should warn if SafeURI allows src paths other than /pub/System

-- PaulHarvey - 17 Sep 2009
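The whitelist bypass from the original report and the SafeURI sanity checker asked for in the list above, as an added example that is not part of this task or of SafeWikiPlugin's code: a Python re-implementation of the rule stated in Config.spec (a URI is passed unfiltered if any SafeURI regex matches it), run against the shipped defaults and against the single entry from the proposed diff. The `$Foswiki::cfg{...}` expansion, the configuration values, the web and topic names, and the attacker URIs are all constructed for the example and are assumptions, not taken from any installation.

```python
import re

# Constructed stand-in for the handful of $Foswiki::cfg values the SafeURI
# patterns refer to (an assumption for this example, not a real site).
CFG = {
    "DefaultUrlHost": "http://wiki.example.org",
    "PubUrlPath": "/pub",
    "SystemWebName": "System",
}

# SafeURI lists exactly as they appear in Config.spec on this page:
# the shipped defaults from the report, and the single entry from the diff.
SHIPPED_SAFE_URI = ['^/', '^http://localhost(:.*)?/', '^$Foswiki::cfg{DefaultUrlHost}/']
PROPOSED_SAFE_URI = ['^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}']
# Same entry with a trailing slash, so only the System web itself matches
# (my variant for comparison, not from the page).
ANCHORED_SAFE_URI = ['^$Foswiki::cfg{PubUrlPath}/$Foswiki::cfg{SystemWebName}/']

_CFG_REF = re.compile(r'\$Foswiki::cfg\{(\w+)\}')


def expand(pattern, cfg):
    """Replace $Foswiki::cfg{Key} references in a SafeURI string with the
    configured value.  The value is regex-escaped so a '.' in a hostname
    stays literal; this approximates Foswiki's expansion and is not the
    plugin's own code."""
    return _CFG_REF.sub(lambda m: re.escape(cfg[m.group(1)]), pattern)


def is_safe_uri(uri, safe_uris, cfg):
    """The Config.spec rule: a URI is passed unfiltered if at least one of
    the SafeURI regexes matches it."""
    return any(re.search(expand(p, cfg), uri) for p in safe_uris)


# URIs a wiki user can control (constructed): an attachment in a writable
# web, the same attachment via DefaultUrlHost, via localhost, and an
# attachment in a hypothetical web whose name merely starts with "System".
ATTACKER_URIS = [
    '/pub/Sandbox/SomeTopic/evil_js.txt',
    'http://wiki.example.org/pub/Sandbox/SomeTopic/evil_js.txt',
    'http://localhost:8080/pub/Sandbox/SomeTopic/evil_js.txt',
    '/pub/SystemSandbox/SomeTopic/evil_js.txt',
]
# A URI the wiki itself serves and must stay whitelisted (constructed path).
SYSTEM_URI = '/pub/System/SomeShippedTopic/script.js'


def check_safe_uri_config(safe_uris, cfg, attacker_uris=ATTACKER_URIS):
    """Configure-style sanity check: list every (regex, uri) pair where a
    SafeURI entry lets a user-controllable URI through."""
    findings = []
    for p in safe_uris:
        rx = re.compile(expand(p, cfg))
        findings.extend((p, uri) for uri in attacker_uris if rx.search(uri))
    return findings


if __name__ == '__main__':
    for name, lst in (('shipped', SHIPPED_SAFE_URI),
                      ('proposed', PROPOSED_SAFE_URI),
                      ('anchored', ANCHORED_SAFE_URI)):
        print(name, 'System web still allowed:', is_safe_uri(SYSTEM_URI, lst, CFG))
        for regex, uri in check_safe_uri_config(lst, CFG):
            print(f'  WARNING {regex!r} admits {uri}')
```

With the shipped list every attacker-controlled URI is admitted, one per regex, which is the bypass in the report. The diff's single entry stops the Sandbox attachment and the same-host and localhost URLs while keeping the System web reachable, but without a trailing slash it still matches any web whose name begins with the System web name, which the third list closes.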

Updated the regexes in Config.spec; still requires Paul's checker, though. Priority dropped from Urgent to Low.

-- CrawfordCurrie - 17 Sep 2009

Added checkers for URL includes and AllowInlineScript.

I'll add another checker to warn about liberal SafeURI regexps later this month.

-- PaulHarvey - 18 Sep 2009

Now have sanity checks on SafeURI and UnsafeURI, but they are only very basic...

-- PaulHarvey - 18 Nov 2009


Summary Default Foswiki and SafeURIs config weaken SafeWikiPlugin
ReportedBy PaulHarvey
Codebase trunk
SVN Range Foswiki-1.0.0, Thu, 08 Jan 2009, build 1878
AppliesTo Extension
Component SafeWikiPlugin
Priority Low
CurrentState Closed
WaitingFor PaulHarvey
Checkins SafeWikiPlugin:db990d0b545f SafeWikiPlugin:c6270b8843fa SafeWikiPlugin:33202f386ba7
TargetRelease n/a
ReleasedIn
Topic revision: r12 - 18 Nov 2009, PaulHarvey