Last modified: 2014-01-14 07:22:06 UTC
The fix for fullwidth characters (https://gerrit.wikimedia.org/r/#/c/95557/, bug 55332) broke the CSS sanitizer; it is now possible to embed escape sequences into your CSS code and thus evade the blacklists for url() etc. Example:

<p style="font-size: 100px; background-image: ur\l(https://www.google.com/images/srpr/logo6w.png)">A</p>

This currently loads the image from Google's server and of course could be modified to allow XSS attacks via expression in old IEs. Note the Fullwidth Reverse Solidus, which is replaced with a normal Reverse Solidus *after* escape sequences are replaced with the actual character.
Confirmed in Firefox and Opera. We'll get a patch for this out right away. Thanks for the report!
Created attachment 14015 [details] Don't normalize U+FF3C

This prevents the specific scenario, and I've confirmed in a few browsers that Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.
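A constructed Python model of the two sanitizer passes this bug describes (escape decoding first, fullwidth normalization second) and of the fix from comment 2. This is an added example, not code from MediaWiki's Sanitizer.php; the blacklist regex, the fullwidth mapping range and the example URL are assumptions.

```python
import re
from typing import Optional

# Constructed model of the sanitizer ordering flaw; not MediaWiki's own code.
FULLWIDTH_BACKSLASH = "\uFF3C"            # Fullwidth Reverse Solidus
FULLWIDTH_RANGE = range(0xFF01, 0xFF5F)   # U+FF01..U+FF5E fold to ASCII 0x21..0x7E

# CSS escapes: a backslash plus 1-6 hex digits (optional trailing whitespace),
# or a backslash plus any single character.
ESCAPE_RE = re.compile(r"\\([0-9A-Fa-f]{1,6})[ \t\n\r\f]?|\\(.)", re.S)

def decode_css_escapes(css: str) -> str:
    """Replace CSS escape sequences with the character they denote."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return m.group(2)
    return ESCAPE_RE.sub(repl, css)

def normalize_fullwidth(css: str, skip: str = "") -> str:
    """Fold fullwidth ASCII variants to ASCII, except code points listed in skip."""
    return "".join(
        chr(ord(c) - 0xFEE0) if ord(c) in FULLWIDTH_RANGE and c not in skip else c
        for c in css
    )

# Assumed blacklist: the sanitizer rejects url( and expression( after normalizing.
BLACKLIST = re.compile(r"url\s*\(|expression\s*\(", re.I)

def sanitize(css: str, normalize_backslash: bool) -> Optional[str]:
    """Return the emitted CSS, or None when the blacklist rejects it.

    normalize_backslash=True models the broken sanitizer: U+FF3C is turned into a
    real backslash *after* escapes were decoded, so the browser later decodes an
    escape the blacklist never saw.  False models the fix (don't normalize U+FF3C).
    """
    value = decode_css_escapes(css)                # pass 1: resolve escapes
    skip = "" if normalize_backslash else FULLWIDTH_BACKSLASH
    value = normalize_fullwidth(value, skip)       # pass 2: fold fullwidth chars
    return None if BLACKLIST.search(value) else value

def browser_sees_url(css: str) -> bool:
    """Would a standards-compliant browser read url( out of the emitted CSS?"""
    return BLACKLIST.search(decode_css_escapes(css)) is not None
```

Feeding the report's `ur＼l(` pattern through `sanitize(..., True)` shows it passing the blacklist while `browser_sees_url` still returns True; with `normalize_backslash=False` the fullwidth character survives untouched and no browser turns it into `url(`.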
(In reply to comment #2)
> [...] I've confirmed in a few browsers that
> Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.

As no standards-compliant browser should treat the Fullwidth Reverse Solidus as a normal backslash, the only interesting question is: does Internet Explorer 6 interpret stuff like \123 as valid escape sequences?
I've tested in IE6 specifically, and it doesn't appear to use the fullwidth version as an escape sequence either. I'd like Tim to take a look at the patch, then we should be ok to deploy this.
Patch looks good.
This was assigned CVE-2013-6451.
Created attachment 14262 [details] Don't normalize U+FF3C (1.19 branch)
Created attachment 14263 [details] Don't normalize U+FF3C (1.21 branch)