#1971 closed defect (invalid)
Trac does not properly escape embedded (X)HTML sequences
| Reported by: | Emmanuel Blot | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | wiki system | Version: | devel |
| Severity: | major | Keywords: | |
| Cc: | Branch: | ||
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
Using the following verbatim block:
<select name="foobar"> <option>foo</option> <option>bar</option> </select>
with a "!#html" bang line for syntax highlighting, Trac displays
I guess this could be used to send unauthorized data to the server through POST requests.
Any potential security risks ? - if not, feel free to decrease the severity of this ticket.
Attachments (0)
Change History (7)
comment:1 by , 20 years ago
comment:2 by , 20 years ago
See my follow-up on #280:
You should use #!xml instead of #!html
if what you want is syntax highlighting.
OTOH, the #!html processor is for embedding HTML,
so exactly what it does in the description above.
Javascript and dangerous tags are forbidden in embedded
HTML fragments, so there should be no risk.
I'll try to reproduce the exception you got above (was the exception triggered when viewing #280 or this one?)
comment:3 by , 20 years ago
I've been able to reproduce the exception within both bugs (I detected it first while previewing a comment for #280, then tried to reproduce it with the description of #1971)
The way to reproduce is hard to describe. After several previews of html syntax, I got the exception (Firefox 1.0.6, win xp2). Then, what ever the content of the comment textarea I put, even without any HTML tag, I got the same error every time I selected 'Preview'.
But, starting from another ticket, I've not been able to reproduce it with the HTML syntax that first triggered the exception. I had to play around (several previews, changing the HTML syntax just a little bit every time) to be able to trigger the exception once more.
comment:4 by , 20 years ago
BTW, isn't that weird to use XML color syntax switch for non-XML syntax ? (HTML, not XHTML)
Is there no risk to overwrite some Trac form fields using this embedded HTML ?
comment:5 by , 20 years ago
Form fields on their own won't really do anything if they're not inside the <form> block. I'm not sure how much risk it presents, but <form> tags could be disallowed in #!html blocks if necessary.
The #!xml processor will probably handle even malformed HTML reasonably, although you can use the mime type instead as #!text/html
<a href="test">Testing</a>
You can use any mimetype recognized by Trac as a processor name.
comment:6 by , 20 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
As far as I can tell, this works as intended.
Playing around with this issue, I finally made Trac [on edgewall server] raise an exception:
Python traceback
Traceback (most recent call last): File "/usr/lib/python2.3/site-packages/trac/web/modpython_frontend.py", line 210, in handler dispatch_request(mpr.path_info, mpr, env) File "/usr/lib/python2.3/site-packages/trac/web/main.py", line 452, in dispatch_request dispatcher.dispatch(req) File "/usr/lib/python2.3/site-packages/trac/web/main.py", line 312, in dispatch resp = chosen_handler.process_request(req) File "/usr/lib/python2.3/site-packages/trac/ticket/web_ui.py", line 194, in process_request self._insert_ticket_data(req, db, ticket, reporter_id) File "/usr/lib/python2.3/site-packages/trac/ticket/web_ui.py", line 396, in _insert_ticket_data actions = TicketSystem(self.env).get_available_actions(ticket, req.perm) File "/usr/lib/python2.3/site-packages/trac/ticket/api.py", line 54, in get_available_actions return [action for action in actions.get(ticket['status'], ['leave']) TypeError: list objects are unhashableUnfortunetly, although I've been able to reproduce it several times, I'm not able to define the exact sequence of events that triggered this exception. It definitely comes from the HTML code (select/option) I wrote in the comment textarea.