Changeset 7658

Timestamp:

Nov 8, 2008, 7:24:00 PM (15 years ago)

Author:

Jonas Borgström

Message:

0.11-stable: Improved HTML sanitizer to detect and stop possible phishing attempts. Reported by Simon Willison.

Location:

branches/0.11-stable/trac

Files:

• util/html.py (modified) (1 diff)
• wiki/formatter.py (modified) (3 diffs)

branches/0.11-stable/trac/util/html.py

@@ -15 +15 @@
 
 from genshi import Markup, escape, unescape
-from genshi.core import stripentities, striptags
+from genshi.core import stripentities, striptags, START, END
 from genshi.builder import Element, ElementFactory, Fragment
+from genshi.filters.html import HTMLSanitizer
 
-__all__ = ['escape', 'unescape', 'html', 'plaintext']
+__all__ = ['escape', 'unescape', 'html', 'plaintext', 'TracHTMLSanitizer']
+
+
+class TracHTMLSanitizer(HTMLSanitizer):
+
+    UNSAFE_CSS = ['position']
+
+    def __init__(self):
+        safe_attrs = HTMLSanitizer.SAFE_ATTRS | set(['style'])
+        super(TracHTMLSanitizer, self).__init__(safe_attrs=safe_attrs)
+
+    def sanitize_css(self, text):
+        decls = []
+        text = self._strip_css_comments(self._replace_unicode_escapes(text))
+        for decl in filter(None, text.split(';')):
+            decl = decl.strip()
+            if not decl:
+                continue
+            try:
+                prop, value = decl.split(':', 1)
+            except ValueError:
+                continue
+            if not self.is_safe_css(prop.strip().lower(), value.strip()):
+                continue
+            is_evil = False
+            if 'expression' in decl:
+                is_evil = True
+            for match in re.finditer(r'url\s*\(([^)]+)', decl):
+                if not self.is_safe_uri(match.group(1)):
+                    is_evil = True
+                    break
+            if not is_evil:
+                decls.append(decl.strip())
+        return decls
+
+    def __call__(self, stream):
+        """Remove input type="password" elements from the stream
+        """
+        suppress = False
+        for kind, data, pos in super(TracHTMLSanitizer, self).__call__(stream):
+            if kind is START:
+                tag, attrs = data
+                if (tag == 'input' and
+                    attrs.get('type', '').lower() == 'password'):
+                    suppress = True
+                else:
+                    yield kind, data, pos
+            elif kind is END:
+                if not suppress:
+                    yield kind, data, pos
+                suppress = False
+            else:
+                yield kind, data, pos
+
+    def is_safe_css(self, prop, value):
+        """Determine whether the given css property declaration is to be 
+        considered safe for inclusion in the output.
+        """
+        if prop in self.UNSAFE_CSS:
+            return False
+        # Negative margins can be used for phishing
+        elif prop.startswith('margin') and '-' in value:
+            return False
+        return True
 
 

branches/0.11-stable/trac/wiki/formatter.py

@@ -27 +27 @@
 from genshi.builder import tag, Element
 from genshi.core import Stream, Markup, escape
-from genshi.filters import HTMLSanitizer
 from genshi.input import HTMLParser, ParseError
 from genshi.util import plaintext
@@ -39 +38 @@
 from trac.util.text import shorten_line, to_unicode, \
                            unicode_quote, unicode_quote_plus
+from trac.util.html import TracHTMLSanitizer
 from trac.util.translation import _
 
@@ -89 +89 @@
                               'Span': self._span_processor}
 
-        self._sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS |
-                                        set(['style']))
+        self._sanitizer = TracHTMLSanitizer()
         
         self.processor = builtin_processors.get(name)