Page MenuHomePhabricator
Create Task
Maniphest T68404

New CSS syntax for attr() allows web bugs
Closed, ResolvedPublic
Actions

Description

The sanitizer rejects any inline CSS with "url(" to prevent web bugs. [1] has a proposed update to attr() which would allow to circumvent this check:

<div title="https://example.org/image.png" style="background-image: attr(title url);"></div>

creates a span with an URL as title. The inline CSS then adds an background image defined by that title interpreted as URL, i.e. shows an image from any domain.

According to [2] no browser currently implements this syntax ([3] claims it is implemented in IE9, which I could not reproduce, and is wrong according to [4]). But once this syntax gets implemented by some browser, the sanitizer should reject /attr\s*\([^),]+url/ (I'm not entirely sure about this regexp, but something like that should do the job).

[1]: https://www.w3.org/TR/css3-values/#attr-notation
[2]: https://developer.mozilla.org/en/docs/Web/CSS/attr#Browser_Compatibility
[3]: https://bugzilla.mozilla.org/show_bug.cgi?id=435426#c2
[4]: http://msdn.microsoft.com/en-us/library/ie/ms537660%28v=vs.85%29.aspx#attr

Version: unspecified
Severity: normal

Details

Reference
bz66404
SubjectRepoBranchLines +/-
Disallow css attr() with url typemediawiki/coreREL1_26+10 -0
Disallow css attr() with url typemediawiki/coreREL1_27+11 -0
Disallow css attr() with url typemediawiki/coreREL1_23+10 -0
Disallow css attr() with url typemediawiki/coremaster+3 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:13 AM
bzimport added a project: Security-Core.
bzimport set Reference to bz66404.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". · View Herald TranscriptNov 22 2014, 3:13 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)". · View Herald Transcript
Schnark created this task.Jun 10 2014, 9:42 AM
csteipp added a comment.Jun 10 2014, 6:20 PM

Thanks for noticing that Michael. I don't think it would hurt to add a blacklist for that, and if support is dropped in the final spec, we can always take it out. I'll make a patch for that today.

I'm still trying to verify that no browsers currently support it. If that's the case, then we can do the change publicly. If not we'll do this a security patch.

csteipp added a comment.Jun 11 2014, 11:35 PM

(In reply to Michael M. from comment #0)

According to [2] no browser currently implements this syntax ([3] claims it
is implemented in IE9, which I could not reproduce, and is wrong according
to [4]). But once this syntax gets implemented by some browser, the
sanitizer should reject /attr\s*\([^),]+url/ (I'm not entirely sure about
this regexp, but something like that should do the job).

I'm not seeing definitive, formal definition of syntax, so it seems little ambiguous if a comma can separate the first and second parameter to the function. The functional notation says, "If a function takes a list of arguments, the arguments are separated by a comma (‘,’) with optional whitespace before and after the comma." But the definition of attr() and all the given examples use the comma to indicate the fallback. Off the top of my head, I can't think of another attribute with an optional second parameter to check of most browsers implemented it right.

So to be safer, I think I'll do, /attr\s*\([^)]+[\s,]+url/. That would match a fallback to the string "url", or an attr-name of "url" if proceeded by 2 or more whitespace chars. I'd rather err on the side of being conservative and protect against browsers not quite implementing the spec right.

I'm still investigating if any popular browsers implement this yet.

csteipp added a comment.Jun 11 2014, 11:36 PM

Created attachment 15633
Add blacklist for attr() with url

Adding a patch here, in case we find any browsers implementing this and need to patch the cluster.

Attached:

bug66404.patch977 BDownload

csteipp added a project: acl*security.Nov 24 2014, 9:27 PM
Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript
Krinkle updated the task description. (Show Details)Nov 27 2014, 11:07 PM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptNov 27 2014, 11:07 PM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
dpatrick claimed this task.Aug 14 2015, 8:13 PM
dpatrick triaged this task as Low priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 14 2015, 8:13 PM
csteipp added a project: Privacy.Aug 20 2015, 9:23 PM
Bawolff subscribed.EditedJun 27 2016, 9:58 AM

Given nobody supports this syntax yet [1], and probably nobody will in the super-near future, I think we should maybe just submit this to gerrit like an ordinary patch.

Anyone opposed to me publicly submitting csteipp's patch to gerrit like a non-security bug?

One thing to note, is that the CSS2 version of attr, is really only useful with :before and :after pseudo-elements (which can't be used with inline styles), so it might even be safe to ban attr() outright

[1] http://caniuse.com/#search=attr

Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Jul 10 2016, 6:19 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 13 2016, 9:45 AM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
Bawolff changed Security from Software security bug to None.
gerritbot subscribed.Sep 13 2016, 9:45 AM

Change 310257 had a related patch set uploaded (by Brian Wolff):
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/310257

gerritbot added a project: Patch-For-Review.Sep 13 2016, 9:45 AM
dpatrick reassigned this task from dpatrick to Bawolff.Sep 28 2016, 5:35 PM
dpatrick subscribed.
gerritbot added a comment.Sep 29 2016, 12:58 AM

Change 310257 merged by jenkins-bot:
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/310257

ReleaseTaggerBot added projects: MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-10-04_(1.28.0-wmf.21)).Sep 29 2016, 1:00 AM
Krinkle unsubscribed.Sep 29 2016, 8:14 PM
gerritbot added a comment.Oct 18 2016, 7:33 PM

Change 316618 had a related patch set uploaded (by Brian Wolff):
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/316618

gerritbot added a comment.Oct 18 2016, 7:53 PM

Change 316621 had a related patch set uploaded (by Brian Wolff):
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/316621

gerritbot added a comment.Oct 18 2016, 10:47 PM

Change 316714 had a related patch set uploaded (by Brian Wolff):
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/316714

Bawolff closed this task as Resolved.Oct 18 2016, 10:50 PM

Patch merged, and backported to all maintained branches

Bawolff added a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Oct 18 2016, 10:52 PM
gerritbot added a comment.Oct 18 2016, 11:01 PM

Change 316714 merged by jenkins-bot:
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/316714

gerritbot added a comment.Oct 18 2016, 11:01 PM

Change 316618 merged by jenkins-bot:
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/316618

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.23-release.Oct 19 2016, 12:00 AM
gerritbot added a comment.Oct 19 2016, 7:45 PM

Change 316621 merged by Umherirrender:
Disallow css attr() with url type

https://gerrit.wikimedia.org/r/316621

ReleaseTaggerBot added a project: MW-1.26-release.Oct 19 2016, 8:00 PM
demon mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Jan 24 2017, 11:40 PM
Reedy subscribed.Apr 2 2017, 10:28 PM

We should CVE this one too as a matter of course in T160876

Reedy added a comment.Apr 3 2017, 12:44 PM

Or has this disappeared from the spec?

I see attr(src url) but no title url...

Anomie subscribed.Apr 3 2017, 1:58 PM

It's still there, they just changed the anchor. Note that the actual attribute name doesn't matter, it could as easily be data-foobar.

Anomie updated the task description. (Show Details)Apr 3 2017, 1:58 PM
Anomie added a comment.Apr 3 2017, 2:48 PM

Since @Reedy asked,

Flaw: MediaWiki's anti-web-bug CSS sanitization does not remove attr(foo url).

Exploit: The extensions proposed to the CSS attr() function in the CSS Values and Units Module Level 3, specifically the 'url' type, could be used to insert a web bug in a wiki page.

This is mitigated by the fact that no major browser currently implements these extensions (according to http://caniuse.com/#feat=css3-attr).

MZMcBride subscribed.Apr 5 2017, 1:52 AM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:38 PM
sbassett moved this task from Intake to Done on the Privacy board.Oct 16 2019, 5:50 PM
sbassett removed a project: Patch-For-Review.
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Aklapper removed subscribers: Anomie, dpatrick.Oct 16 2020, 5:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits