Page MenuHomePhabricator

[Regression] Sanitizer::checkCss blacklist can be bypassed using fullwidth backslash
Closed, ResolvedPublic

Description

The fix for fullwidth characters (https://gerrit.wikimedia.org/r/#/c/95557/, bug 55332) broke the CSS sanitizer, it now is possible to embed escape sequences into your CSS code and thus evade the blacklists for url() etc.

Example:

<p style="font-size: 100px; background-image: ur\l(https://www.google.com/images/srpr/logo6w.png)">A</p>

This currently loads the image from Google server and of course could be modified to allow XSS attacks via expression in old IEs.

Note the Fullwidth Reverse Solidus which is replaced with a normal Reverse Solidus *after* escape sequences are replaced with the actual character.


Version: unspecified
Severity: normal

Details

Reference
bz58088

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.
bzimport set Reference to bz58088.
bzimport added a subscriber: Unknown Object (MLST).
Schnark created this task.Dec 6 2013, 8:20 AM

Confirmed in Firefox and Opera. We'll get a patch for this out right away. Thanks for the report!

Created attachment 14015
Don't normalize U+FF3C

This prevents the specific scenario, and I've confirmed in a few browsers that Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.

Attached:

(In reply to comment #2)

[...] I've confirmed in a few browsers
that
Fullwidth Reverse Solidus isn't treated like backslashes in identifiers.

As no standard compliant browser should treat the Fullwidth Reverse Solidus as normal backslash the only interesting question is: Does Internet Explorer 6 interpret stuff like \123 as valid escape sequences?

I've tested in IE6 specifically, and it doesn't appear to use the fullwidth version as an escape sequence either. I'd like Tim to take a look at the patch, then we should be ok to deploy this.

Patch looks good.

This was assigned CVE-2013-6451

Created attachment 14262
Don't normalize U+FF3C (1.19 branch)

Attached:

Created attachment 14263
Don't normalize U+FF3C (1.21 branch)

Attached:

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJan 28 2016, 5:57 PM