Last modified: 2014-03-03 19:05:47 UTC
Mario Gomes reported an SVG XSS to Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=966734. This is triggered using an iframe with a srcdoc and XHTML namespace. We can easily forbid SVG files with iframes. I can't tell if it's an oversight that we allow those, or if we made the decision to allow them for some reason. I'll pull down some of the more recent SVG uploads and see if embedded iframes are common.
Adding some multimedia people in case they have input on allowing iframes in svg files. Any of you see a reason we shouldn't forbid them?
Created attachment 14453 [details] PoC from Mario
There should be no legit reason to put an HTML iframe inside an SVG graphic, IMO... should be just fine to filter and forbid those...
(In reply to comment #3)
> There should be no legit reason to put an HTML iframe inside an SVG graphic,
> IMO... should be just fine to filter and forbid those...
I agree.
Created attachment 14470 [details] Whitelist namespaces This limits the XML namespaces that can be used within SVG files. I'm still downloading a new corpus of recent uploads, but so far, only about 5 legitimate images on commons use the http://www.w3.org/1999/xhtml namespace. Everything else that I've found is on the whitelist that I put into this patch. In the event that iframes ever make it into one of the namespaces that we do allow, I forbid them also.
Created attachment 14489 [details] Whitelist namespaces Found one more namespace in testing. Tested it against 25k images off commons, and only images that try to use http://www.w3.org/1999/xhtml would be rejected at this point.
Created attachment 14501 [details] Whitelist namespaces Tim pointed out that we will want users to know which namespace failed so we can add harmless ones.
Created attachment 14576 [details] Whitelist namespaces Update from Aaron's feedback:
* Updated comments on splitXmlNamespace
* Made list of namespaces static
Also made splitXmlNamespace private.
Looks OK to me.
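The check the patches above describe, written out as an added example for readers of this bug. This is not the MediaWiki patch itself (that is in the attachments), and its whitelist, sample files and function names (check_svg_namespaces, split_xml_namespace) are constructed for illustration; the real list deployed to the cluster is longer. It rejects any element or attribute whose namespace is not on the list, names the offending namespace in the reason (as Tim asked for, so harmless ones can be added later), and refuses an <iframe> element even when it sits in an allowed namespace.

```python
"""Namespace whitelist check for uploaded SVG files (standalone example, not MediaWiki's code)."""
import xml.etree.ElementTree as ET
from io import BytesIO

# Illustrative whitelist, constructed for this example. The namespace URIs are the
# well-known ones for SVG, XLink, the xml: prefix, RDF/Dublin Core/CC metadata and
# the Inkscape/Sodipodi editor extensions; the list on this bug is the authoritative one.
ALLOWED_NAMESPACES = frozenset({
    "http://www.w3.org/2000/svg",
    "http://www.w3.org/1999/xlink",
    "http://www.w3.org/XML/1998/namespace",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://creativecommons.org/ns#",
    "http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd",
    "http://www.inkscape.org/namespaces/inkscape",
})


def split_xml_namespace(qname):
    """Split ElementTree's '{uri}local' form into (uri, local).

    Names without a namespace come back with uri None. Design choice for this
    example: an element with no namespace is treated as unknown and rejected,
    since a well-formed SVG file declares the SVG namespace on its root.
    """
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return None, qname


def check_svg_namespaces(data):
    """Return (True, None) if the SVG passes, else (False, reason).

    Walks every element start event, so attributes are inspected before any
    child content is processed. The iframe test runs before the namespace test
    so that an iframe is refused even inside a whitelisted namespace.
    """
    try:
        for _event, elem in ET.iterparse(BytesIO(data), events=("start",)):
            ns, local = split_xml_namespace(elem.tag)
            if local.lower() == "iframe":
                return False, "forbidden element <iframe> in namespace %s" % ns
            if ns not in ALLOWED_NAMESPACES:
                # The reason names the namespace so harmless ones can be whitelisted later.
                return False, "element <%s> uses unknown namespace %s" % (local, ns)
            for attr in elem.attrib:
                attr_ns, attr_local = split_xml_namespace(attr)
                # Unprefixed attributes belong to no namespace and are fine;
                # prefixed ones must use a whitelisted namespace.
                if attr_ns is not None and attr_ns not in ALLOWED_NAMESPACES:
                    return False, "attribute %s uses unknown namespace %s" % (attr_local, attr_ns)
    except ET.ParseError as exc:
        return False, "not well-formed XML: %s" % exc
    return True, None


# Constructed sample: an ordinary SVG using only SVG and XLink namespaces.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="10" height="10">
  <a xlink:href="#x"><rect width="10" height="10"/></a>
</svg>"""

# Constructed sample: XHTML content inside foreignObject. Rejected on namespace alone.
XHTML_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml">
  <foreignObject width="10" height="10"><h:div>text</h:div></foreignObject>
</svg>"""

# Constructed sample: an iframe element in the (allowed) SVG namespace with inert
# srcdoc text. Rejected by the element-name rule, not the namespace rule.
SVG_IFRAME = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
  <iframe srcdoc="plain text"/>
</svg>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("xhtml", XHTML_SVG), ("iframe", SVG_IFRAME)):
        print(name, check_svg_namespaces(sample))
```

In a real upload pipeline this check would run alongside the existing script/event-handler filters rather than replace them; the namespace whitelist only closes the gap where foreign-namespace elements carried active content past those filters.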
FWIW, reading this I'm glad that the switch from old to new planet software "broke" embedded iframes in RSS feeds that we aggregate from third parties and then display as our feed :)
Deployed to the cluster 21:00 logmsgbot: csteipp finished scap: bug 60771 (duration: 36m 58s)
*** Bug 61278 has been marked as a duplicate of this bug. ***
For reference, commit id 7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb
The whitelisting was assigned CVE-2014-2242. http://www.openwall.com/lists/oss-security/2014/03/01/2