Page MenuHomePhabricator

Fix SVG blacklist for animate
Closed, ResolvedPublic

Description

As @Bawolff pointed out in https://commons.wikimedia.org/w/index.php?title=Commons:Upload_help&diff=prev&oldid=140107883, the check I had for animating an element's href to a javascript url wasn't effective.

Fix it to blacklist animating attributeName='xlink:href'.


Patch:

  • 1.24: (--3way)
  • 1.23: (--3way)
  • 1.19:

Affected Versions: incomplete fix in patch for T71008 (1.19.19, 1.22.11 and 1.23.4)
Type: xss
CVE: CVE-2015-2932

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp set Security to Software security bug.
csteipp added subscribers: csteipp, Bawolff.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 13 2015, 10:14 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: acl*security. · View Herald Transcript
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 14 2015, 12:50 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript

The patch works as advertised, but it doesn't go far enough. The specific namespace prefix used doesn't matter, at least not in the browsers I have available (Firefox 34.0 and Chromium 39.0.2171.71).

<svg xmlns="http://www.w3.org/2000/svg" xmlns:y="http://www.w3.org/1999/xlink">
  <a y:href="#">
    <text y="1em">Click me</text>
    <animate attributeName="y:href" values="javascript:alert('Bang!')" begin="0s" dur="0.1s" fill="freeze" />
  </a>
</svg>

Also, BTW, the SVG used in the new unit test doesn't actually work for me in Firefox (it needs an existing href property on the <a>). Not that that makes a difference as far as the unit testing goes.

Nice catch @Anomie!

Updated patch here:

csteipp triaged this task as Medium priority.
csteipp moved this task from Backlog to Needs Review/Feedback on the MediaWiki-Core-Team board.

Updated patch here:

Code review: +1, Looks good, seems to work

This will be released with 1.24.2. All other work is done.

- remove unit tests for UploadBase

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:16 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

Change 201013 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201013

Change 201025 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201025

Change 201035 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201035

Change 201013 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201013

Change 201025 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201025

Change 201035 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201035

Change 201219 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201219

Change 201219 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201219

Use CVE-2015-2932 for this issue involving an incomplete list of

dangerous parts of HTML5. (The list is supposed to include all uses of
'animate attributename="xlink:href"' in SVG documents.)