Last modified: 2014-03-03 19:05:47 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T62771, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 60771 - SVG iframe XSS
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Uploading
Version: unspecified
Hardware / OS: All / All
Importance: High normal
Target Milestone: ---
Assigned To: Chris Steipp
QA Contact:
Duplicates: 61278
Depends on:
Blocks:
Reported: 2014-02-03 17:43 UTC by Chris Steipp
Modified: 2014-03-03 19:05 UTC
CC: 12 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
* PoC from Mario (712 bytes, image/svg+xml), 2014-02-03 17:48 UTC, Chris Steipp
* Whitelist namespaces (3.60 KB, patch), 2014-02-04 00:56 UTC, Chris Steipp
* Whitelist namespaces (3.64 KB, patch), 2014-02-04 22:18 UTC, Chris Steipp
* Whitelist namespaces (6.40 KB, patch), 2014-02-06 01:26 UTC, Chris Steipp
* Whitelist namespaces (6.40 KB, patch), 2014-02-12 19:29 UTC, Chris Steipp

Description Chris Steipp 2014-02-03 17:43:56 UTC
Mario Gomes reported to Mozilla an SVG XSS:

https://bugzilla.mozilla.org/show_bug.cgi?id=966734

This is triggered using an iframe with a srcdoc and xhtml namespace.

We can easily forbid svg files with iframes. I can't tell if it's an oversight that we allow those, or if we made the decision to allow them for some reason. I'll pull down some of the more recent svg uploads and see if embedded iframes are common.
Comment 1 Chris Steipp 2014-02-03 17:47:52 UTC
Adding some multimedia people in case they have input on allowing iframes in svg files. Any of you see a reason we shouldn't forbid them?
Comment 2 Chris Steipp 2014-02-03 17:48:46 UTC
Created attachment 14453 [details]
PoC from Mario
Comment 3 Brion Vibber 2014-02-03 18:38:06 UTC
There should be no legit reason to put an HTML iframe inside an SVG graphic, IMO... should be just fine to filter and forbid those...
Comment 4 Bawolff (Brian Wolff) 2014-02-03 20:50:37 UTC
(In reply to comment #3)
> There should be no legit reason to put an HTML iframe inside an SVG graphic,
> IMO... should be just fine to filter and forbid those...

I agree.
Comment 5 Chris Steipp 2014-02-04 00:56:32 UTC
Created attachment 14470 [details]
Whitelist namespaces

This limits the XML namespaces that can be used within SVG files. I'm still downloading a new corpus of recent uploads, but so far, only about 5 legitimate images on Commons use the http://www.w3.org/1999/xhtml namespace. Everything else that I've found is on the whitelist that I put into this patch.

In the event that iframes ever make it into one of the namespaces that we do allow, I forbid them also.
Comment 6 Chris Steipp 2014-02-04 22:18:58 UTC
Created attachment 14489 [details]
Whitelist namespaces

Found one more namespace in testing. Tested it against 25k images off Commons, and only images that try to use http://www.w3.org/1999/xhtml would be rejected at this point.
Comment 7 Chris Steipp 2014-02-06 01:26:09 UTC
Created attachment 14501 [details]
Whitelist namespaces

Tim pointed out that we will want users to know which namespace failed so we can add harmless ones.
Comment 8 Chris Steipp 2014-02-12 19:29:12 UTC
Created attachment 14576 [details]
Whitelist namespaces

Update from Aaron's feedback:
* Updated comments on splitXmlNamespace
* Made list of namespaces static
Also made splitXmlNamespace private.
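One way to implement the check that comments 5 and 7 describe (an allow-list of XML namespaces for elements and attributes, an unconditional ban on iframe elements in any namespace, and a rejection message that names the offending namespace so harmless ones can be added later). This is an added example, not the code from the attached MediaWiki patches; the namespace list, the sample SVG documents and the split_xml_namespace helper are constructed for the illustration and are assumptions, not the project's actual list or API.

```python
"""Allow-list XML namespaces in an uploaded SVG and reject <iframe> anywhere.

Added example, not MediaWiki's code. ALLOWED_NAMESPACES below is a
constructed illustration of the idea in this bug, not the list shipped
in the patch.
"""
import xml.etree.ElementTree as ET

# Constructed allow-list: namespaces commonly emitted by SVG authoring tools.
# http://www.w3.org/1999/xhtml is deliberately absent, which is what makes
# the XHTML iframe technique from this bug fail validation.
ALLOWED_NAMESPACES = frozenset({
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink",
    "http://www.w3.org/XML/1998/namespace",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://creativecommons.org/ns#",
})

# Element local names refused regardless of namespace (comment 5's rule that
# an iframe is forbidden even if it appears inside an allowed namespace).
FORBIDDEN_ELEMENTS = frozenset({"iframe"})


def split_xml_namespace(qname: str) -> tuple[str, str]:
    """Split ElementTree's '{uri}local' form into (uri, local).

    Un-namespaced names come back with an empty uri. (Hypothetical helper
    written for this example; unrelated to the patch's splitXmlNamespace.)
    """
    if qname.startswith("{"):
        uri, local = qname[1:].split("}", 1)
        return uri, local
    return "", qname


def check_svg(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    The reason names the element and namespace that failed, so a reviewer
    can decide whether a harmless namespace should be added to the list.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"

    for elem in root.iter():
        if not isinstance(elem.tag, str):   # comments/PIs, if a parser keeps them
            continue
        ns, local = split_xml_namespace(elem.tag)
        shown = ns or "(no namespace)"
        # Forbidden elements are checked first, so the rule holds even for
        # namespaces that are on the allow-list.
        if local.lower() in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{local}> in namespace {shown}"
        if ns not in ALLOWED_NAMESPACES:
            return False, f"disallowed namespace {shown} on element <{local}>"
        # Namespaced attributes (e.g. xlink:href) are held to the same list;
        # plain attributes such as viewBox carry no namespace and pass.
        for attr in elem.attrib:
            attr_ns, attr_local = split_xml_namespace(attr)
            if attr_ns and attr_ns not in ALLOWED_NAMESPACES:
                return False, f"disallowed namespace {attr_ns} on attribute {attr_local}"
    return True, "ok"


# Constructed sample uploads.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <defs><circle id="c" r="4"/></defs>
  <use xlink:href="#c" x="5" y="5"/>
</svg>"""

# The shape described in this bug: an XHTML iframe with srcdoc inside the SVG.
IFRAME_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <iframe xmlns="http://www.w3.org/1999/xhtml" srcdoc="[omitted]"/>
</svg>"""

# Legitimate but now rejected (comment 6): XHTML text inside a foreignObject.
FOREIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <foreignObject><p xmlns="http://www.w3.org/1999/xhtml">hello</p></foreignObject>
</svg>"""

# An iframe placed in an allowed namespace is still refused.
SVG_NS_IFRAME = b"""<svg xmlns="http://www.w3.org/2000/svg"><iframe/></svg>"""

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_SVG), ("xhtml iframe", IFRAME_SVG),
                      ("foreignObject", FOREIGN_SVG), ("svg-ns iframe", SVG_NS_IFRAME)]:
        print(f"{name:14s} -> {check_svg(doc)}")
```

The order of the two element checks matters: testing for forbidden local names before testing the namespace is what lets an iframe be refused even inside an allowed namespace. In production the parser should also be hardened against entity expansion (the stdlib parser used here is fine for the illustration only), and the rejection string is what a reviewer would read to decide, as comment 7 asks, whether a newly seen namespace is harmless enough to add.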
Comment 9 Aaron Schulz 2014-02-12 19:36:58 UTC
Looks OK to me.
Comment 10 Daniel Zahn 2014-02-12 20:47:17 UTC
FWIW, reading this I'm glad that the switch from old to new planet software "broke" embedded iframes in RSS feeds that we aggregate from third parties and then display as our feed :)
Comment 11 Chris Steipp 2014-02-12 21:22:42 UTC
Deployed to the cluster

21:00 logmsgbot: csteipp finished scap: bug 60771 (duration: 36m 58s)
Comment 12 Chris Steipp 2014-02-12 21:26:23 UTC
*** Bug 61278 has been marked as a duplicate of this bug. ***
Comment 13 Bawolff (Brian Wolff) 2014-02-28 03:22:48 UTC
For reference, commit id 7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb
Comment 14 Chris Steipp 2014-03-03 19:05:47 UTC
The whitelisting was assigned CVE-2014-2242. http://www.openwall.com/lists/oss-security/2014/03/01/2
