Ticket #2135 (closed defect: fixed)

Opened 12 months ago

Last modified 2 months ago

RestfulService has injection holes

Reported by: mpeel Owned by: aoneil
Priority: critical Milestone: 2.3.0-rc1*
Component: Sapphire Framework Version:
Severity: medium effort / impact Keywords:
Cc: Hours:

Description

If RestfulService? can't parse a URL for some reason (e.g. there's a 404 or 403, or the document doesn't start with a '<'), then it returns a user_error() which shows the HTML as one of the arguments passed between various methods.

The Debug class should probably escape this HTML so that when rendered on the screen it's done properly (e.g. looks like <html>) but to the browser rendering the page, it is escaped (e.g. looks like &lt;html&gt;)

For example, do a user_error() with this content inside the first argument - you'll get redirected to Twitter after ~10 seconds: 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
  <head>
  	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  	<meta http-equiv="Content-Language" content="en-us" />
    <meta http-equiv="refresh" content="10;url=http://twitter.com/">
  	<title>Twitter</title>
  	<link rel="icon" href="http://static.twitter.com/favicon.ico" type="image/ico" />
  	<style type="text/css">
    a{text-decoration:none;color:blue;}
    a img{border:0;}
    body{background:#9AE4E8 url(http://static.twitter.com/images/bg.gif) no-repeat fixed left top;color:#333;font:1.1em Helvetica,Arial,sans-serif;margin:10px 30% 10px 30%;}
    ul{list-style:square;padding-left:20px;}
  	</style>

  </head>
  <body>
    <center>
      <br /><br />
      <a href="http://twitter.com/"><img src="http://static.twitter.com/images/twitter.gif" /></a>
      <br /><br /> 
      <img src="http://static.twitter.com/images/arr2.gif" />
      <div style="background:#fff;padding:10px;">
				Bring that beat back!
       <p><img src="http://static.twitter.com/images/down_time.gif" /></p>

        <span style="font-size:0.6em">
					You'll be able to access Twitter again in just a second. We're just
					shuffling a few things around. Just hang tight or <a href="http://twitter.com/">click here</a> to see if Twitter is once again ready to rock.
        </span><br />
      </div>
    </center>
  </body>
</html>

Change History

in reply to: ↑ description   Changed 12 months ago by dio5

An idea would be to change the user_error into a E_USER_WARNING and to return false if it can't parse the url (for example when the external service is down).

In that way, we can check whether the RestfulService::connect() method returns false and echo an appropriate message at the appropriate place instead of breaking a whole page.

Replying to mpeel:

If RestfulService? can't parse a URL for some reason (e.g. there's a 404 or 403, or the document doesn't start with a '<'), then it returns a user_error() which shows the HTML as one of the arguments passed between various methods. The Debug class should probably escape this HTML so that when rendered on the screen it's done properly (e.g. looks like <html>) but to the browser rendering the page, it is escaped (e.g. looks like &lt;html&gt;) For example, do a user_error() with this content inside the first argument - you'll get redirected to Twitter after ~10 seconds: {{{ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta http-equiv="Content-Language" content="en-us" /> <meta http-equiv="refresh" content="10;url=http://twitter.com/"> <title>Twitter</title> <link rel="icon" href="http://static.twitter.com/favicon.ico" type="image/ico" /> <style type="text/css"> a{text-decoration:none;color:blue;} a img{border:0;} body{background:#9AE4E8 url(http://static.twitter.com/images/bg.gif) no-repeat fixed left top;color:#333;font:1.1em Helvetica,Arial,sans-serif;margin:10px 30% 10px 30%;} ul{list-style:square;padding-left:20px;} </style> </head> <body> <center> <br /><br /> <a href="http://twitter.com/"><img src="http://static.twitter.com/images/twitter.gif" /></a> <br /><br /> <img src="http://static.twitter.com/images/arr2.gif" /> <div style="background:#fff;padding:10px;"> Bring that beat back! <p><img src="http://static.twitter.com/images/down_time.gif" /></p> <span style="font-size:0.6em"> You'll be able to access Twitter again in just a second. We're just shuffling a few things around. Just hang tight or <a href="http://twitter.com/">click here</a> to see if Twitter is once again ready to rock. </span><br /> </div> </center> </body> </html> }}}

  Changed 4 months ago by ischommer

  • priority changed from medium to critical

  Changed 3 months ago by sminnee

  • owner changed from sminnee to aoneil

  Changed 2 months ago by sminnee

  • status changed from new to closed
  • resolution set to fixed

Fixed in r65287.

Note: See TracTickets for help on using tickets.