Last modified: 2014-01-14 07:22:06 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T60088, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 58088 - [Regression] Sanitizer::checkCss blacklist can be bypassed using fullwidth backslash
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Parser
Version: unspecified
Hardware: All
OS: All
Priority: Highest
Severity: normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 59830
Reported: 2013-12-06 08:20 UTC by Michael M.
Modified: 2014-01-14 07:22 UTC
See Also:
Web browser: ---
Mobile Platform: ---


Attachments
Don't normalize U+FF3C (884 bytes, patch) - 2013-12-06 21:56 UTC, Chris Steipp
Don't normalize U+FF3C (1.19 branch) (863 bytes, patch) - 2014-01-08 23:07 UTC, Markus Glaser
Don't normalize U+FF3C (1.21 branch) (893 bytes, patch) - 2014-01-08 23:08 UTC, Markus Glaser

Description Michael M. 2013-12-06 08:20:05 UTC
The fix for fullwidth characters (https://gerrit.wikimedia.org/r/#/c/95557/, bug 55332) broke the CSS sanitizer; it is now possible to embed escape sequences into your CSS code and thus evade the blacklists for url() etc.

Example:

<p style="font-size: 100px; background-image: ur＼l(https://www.google.com/images/srpr/logo6w.png)">A</p>

This currently loads the image from Google's server and of course could be modified to allow XSS attacks via expression() in old IEs.

Note the Fullwidth Reverse Solidus which is replaced with a normal Reverse Solidus *after* escape sequences are replaced with the actual character.
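The ordering problem described above, as an added, self-contained Python model; this is not MediaWiki's Sanitizer::checkCss and not the attached patch. It assumes NFKC folding as a stand-in for the fullwidth normalization that bug 55332 introduced, a blacklist reduced to the two constructs named in the report (url() and expression()), and a "/* insecure input */" sentinel as this example's own convention. check_css_vulnerable folds U+FF3C to an ASCII backslash after escapes have already been decoded, so the blacklist sees "ur\l(" while the browser later decodes "\l" to "l"; check_css_fixed leaves U+FF3C alone, matching the "Don't normalize U+FF3C" attachment, so the value passes through inert. browser_view shows what a standards-compliant browser would effectively evaluate, which is the check a reviewer wants when deciding whether a sanitizer bypass is real.

```python
import re
import unicodedata

# Reduced stand-in for the real blacklist: only what the bug report names.
FORBIDDEN = re.compile(r"(url|expression)\s*\(", re.IGNORECASE)
INSECURE = "/* insecure input */"      # sentinel used by this example on a blacklist hit
FULLWIDTH_BACKSLASH = "\uff3c"         # U+FF3C FULLWIDTH REVERSE SOLIDUS


def decode_css_escapes(value: str) -> str:
    """Replace CSS backslash escapes with the characters they stand for.

    Handles \\HHHHHH (1-6 hex digits, one optional trailing whitespace) and
    \\X for any other character. Only the ASCII backslash U+005C starts an
    escape; U+FF3C is an ordinary character here, as in the browsers the
    report says were tested.
    """
    def repl(m):
        if m.group(1) is not None:
            code = int(m.group(1), 16)
            return chr(code) if code <= 0x10FFFF else "\ufffd"
        return m.group(2)
    return re.sub(r"\\([0-9a-fA-F]{1,6})\s?|\\(.)", repl, value, flags=re.DOTALL)


def normalize_fullwidth(value: str, keep_fullwidth_backslash: bool) -> str:
    """Fold fullwidth forms to ASCII (NFKC is an assumed stand-in for the
    normalization the bug-55332 fix added). With keep_fullwidth_backslash=True,
    U+FF3C is exempted, which is the effect of the "Don't normalize U+FF3C" patch."""
    if not keep_fullwidth_backslash:
        return unicodedata.normalize("NFKC", value)
    parts = value.split(FULLWIDTH_BACKSLASH)
    return FULLWIDTH_BACKSLASH.join(unicodedata.normalize("NFKC", p) for p in parts)


def check_css(value: str, keep_fullwidth_backslash: bool) -> str:
    """Sanitizer model: decode escapes, then fold fullwidth, then blacklist."""
    decoded = decode_css_escapes(value)
    folded = normalize_fullwidth(decoded, keep_fullwidth_backslash)
    if FORBIDDEN.search(folded):
        return INSECURE
    return folded


def check_css_vulnerable(value: str) -> str:
    # Folding U+FF3C -> '\' after escape decoding creates a fresh, undecoded escape.
    return check_css(value, keep_fullwidth_backslash=False)


def check_css_fixed(value: str) -> str:
    # U+FF3C stays U+FF3C; no browser treats it as an escape introducer.
    return check_css(value, keep_fullwidth_backslash=True)


def browser_view(css: str) -> str:
    """What a standards-compliant browser effectively sees: escapes decoded."""
    return decode_css_escapes(css)


def is_bypassed(check, css: str) -> bool:
    """True if the sanitizer lets the value through AND the browser would end up
    evaluating a blacklisted construct from what was let through."""
    out = check(css)
    return out != INSECURE and FORBIDDEN.search(browser_view(out)) is not None


# Constructed inputs (placeholder URL, not the one from the report).
PAYLOAD = "background-image: ur\uff3cl(https://example.invalid/logo.png)"          # this bug
FULLWIDTH_URL = "background-image: \uff55\uff52\uff4c(https://example.invalid/logo.png)"  # bug 55332 case
ASCII_ESCAPE = "background-image: ur\\6c (https://example.invalid/logo.png)"        # plain CSS escape


if __name__ == "__main__":
    for name, check in (("vulnerable", check_css_vulnerable), ("fixed", check_css_fixed)):
        print(name, "bypassed by U+FF3C payload:", is_bypassed(check, PAYLOAD))
        print(name, "blocks fullwidth url(:", check(FULLWIDTH_URL) == INSECURE)
        print(name, "blocks ASCII escape:", check(ASCII_ESCAPE) == INSECURE)
```

The two regression inputs matter as much as the payload: the fixed ordering must still catch the fullwidth "ｕｒｌ(" that bug 55332 was about and the ordinary "\6c " escape, otherwise the patch would trade one bypass for another.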
Comment 1 Chris Steipp 2013-12-06 17:05:44 UTC
Confirmed in Firefox and Opera. We'll get a patch for this out right away. Thanks for the report!
Comment 2 Chris Steipp 2013-12-06 21:56:20 UTC
Created attachment 14015 [details]
Don't normalize U+FF3C

This prevents the specific scenario, and I've confirmed in a few browsers that Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.
Comment 3 Michael M. 2013-12-07 08:43:09 UTC
(In reply to comment #2)
> [...] I've confirmed in a few browsers that Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.

As no standards-compliant browser should treat the Fullwidth Reverse Solidus as a normal backslash, the only interesting question is: does Internet Explorer 6 interpret stuff like \123 as valid escape sequences?
Comment 4 Chris Steipp 2013-12-09 18:33:21 UTC
I've tested in IE6 specifically, and it doesn't appear to use the fullwidth version as an escape sequence either. I'd like Tim to take a look at the patch, then we should be ok to deploy this.
Comment 5 Tim Starling 2013-12-16 02:23:22 UTC
Patch looks good.
Comment 6 Chris Steipp 2013-12-23 18:27:10 UTC
This was assigned CVE-2013-6451
Comment 7 Markus Glaser 2014-01-08 23:07:53 UTC
Created attachment 14262 [details]
Don't normalize U+FF3C (1.19 branch)
Comment 8 Markus Glaser 2014-01-08 23:08:27 UTC
Created attachment 14263 [details]
Don't normalize U+FF3C (1.21 branch)
