| • bzimport | |
| Jul 13 2005, 5:12 PM |
| F2176: CVS-HEAD.diff | |
| Nov 21 2014, 8:41 PM |
| F2175: bug2845-head.patch | |
| Nov 21 2014, 8:41 PM |
| F2174: bug2845.patch | |
| Nov 21 2014, 8:41 PM |
Author: benjamin
Description:
action=raw allows ctype=text/javascript by default. This is not a good security
setting, because it becomes very easy for wikipages to link to this script and
steal login cookies and other important cookie data.
This patch adds a configurable whitelist of allowed mimetypes and also a
configurable default mimetype.
Version: 1.4.x
Severity: enhancement
benjamin wrote:
Configurable whitelist and default, and remove text/javascript from the default whitelist, rev. 1
Attached:
benjamin wrote:
This patch is against 1.4.6, I'm going to checkout and test HEAD now.
text/javascript is not dangerous. Scripts are executed in the security context of the HTML
page which includes them with a <script> element, and their source location is not relevant.
You could just as easily put the evil script on your own site or some other third party site
and it would work equally well or poorly.
If you believe you know of an actual vulnerability that can be caused through this, please e-
mail me privately with details.
benjamin wrote:
Same patch, for HEAD
This is the same patch merged to HEAD. I did not test it (don't have a head
install ATM, but it's a simple merge so it shouldn't be a big deal).
attachment bug2845-head.patch ignored as obsolete
Created attachment 1179
I propose the attached patch which sets text/css as default content type for action=raw
Attached:
rowan.collins wrote:
(In reply to comment #7)
I propose the attached patch which sets text/css as default content type for
action=raw
I can't see where that patch fits in with the others, but why would you want to
declare raw pages to be CSS by default? In the majority of cases, they will be
wikitext, hence "text/x-wiki". Or am I missing the point?
benjamin wrote:
Default as CSS doesn't make sense to me either. Default as text/plain might make
more sense to me, but the current default is fine for my purposes.
(In reply to comment #9)
Default as CSS doesn't make sense to me either. Default as text/plain might make
more sense to me, but the current default is fine for my purposes.
Brion has suggested yesterday in the irc to use text/css as default, which
appears to be safe (if I understood him correctly), because the browsers let the
source through unchanged. This is not the case for text/x-wiki on Internet
Explorer, which let IE regard the page to be of "index.php" type and opens an
ugly execute/save/abort window with all the consequences. If you want to dump
the text of an article pagename using index.php?title=pagename&action=raw ,
text/css appears to be much better than text/x-wiki (please try it).
But let me know your thoughts here, of course.
(In reply to comment #11)
If you want it to just pass through unmolested, why not text/plain?
Yes, you are right. Perhaps Brion misunderstood me.
I never understood, why text/x-wiki was used here. Can you explain ?
rowan.collins wrote:
(In reply to comment #10)
[...] This is not the case for text/x-wiki on Internet
Explorer, which let IE regard the page to be of "index.php" type and opens an
ugly execute/save/abort window with all the consequences.
Just to clarify this, it doesn't think it's a page of *type* "index.php", it
thinks it's *called* "index.php". But yes, the "I don't know what this is,
should I open, save, or what?" dialogue is an ugly thing to encounter on any
browser, though presumably you can configure a more sane default for
"text/x-wiki" documents if you play with them often...
(In reply to comment #12)
I never understood, why text/x-wiki was used here. Can you explain ?
It's because IE has an irritating tendency to try really really hard to guess if
something's HTML, making it quite hard to persuade it not to, say, execute the
'contents' of text that says "<script>..." To confirm this, here's an e-mail
from Brion describing the problem:
http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002983.html
[relatedly, here's why you have to use the "main script entry point", not a
fancy URL: http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002952.html]
So 'text/plain' is definitely out. 'text/css' might be "unambiguous" enough for
IE not to try double-guessing, but it seems kind of arbitrary/hackish, and may
end up giving a download prompt anyway [it seems to for me, when I use
"&ctype=text/css" in IE].
(In reply to comment #13)
from Brion describing the problem [...]
Rowan: 1000thanks for pointing me to that