Fix SVG blacklist for animate
Closed, ResolvedPublic

Description

As @Bawolff pointed out in https://commons.wikimedia.org/w/index.php?title=Commons:Upload_help&diff=prev&oldid=140107883, the check I had for animating an element's href to a javascript url wasn't effective.

Fix it to blacklist animating attributeName='xlink:href'.


Patch:

  • 1.24: (--3way)
  • 1.23: (--3way)
  • 1.19:

Affected Versions: incomplete fix in patch for T71008 (1.19.19, 1.22.11 and 1.23.4)
Type: xss
CVE: CVE-2015-2932

csteipp created this task.Jan 13 2015, 10:14 PM
csteipp updated the task description. (Show Details)
csteipp raised the priority of this task from to Needs Triage.
csteipp set Security to Software security bug.
csteipp added subscribers: csteipp, Bawolff.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJan 13 2015, 10:14 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a project: Security. · View Herald Transcript

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptJan 14 2015, 12:50 AM
Restricted Application changed the edit policy from "Custom Policy" to "Custom Policy". · View Herald Transcript
Anomie added a subscriber: Anomie.EditedJan 14 2015, 4:03 PM

The patch works as advertised, but it doesn't go far enough. The specific namespace prefix used doesn't matter, at least not in the browsers I have available (Firefox 34.0 and Chromium 39.0.2171.71).

<svg xmlns="http://www.w3.org/2000/svg" xmlns:y="http://www.w3.org/1999/xlink">
  <a y:href="#">
    <text y="1em">Click me</text>
    <animate attributeName="y:href" values="javascript:alert('Bang!')" begin="0s" dur="0.1s" fill="freeze" />
  </a>
</svg>

Also, BTW, the SVG used in the new unit test doesn't actually work for me in Firefox (it needs an existing href property on the <a>). Not that that makes a difference as far as the unit testing goes.

Nice catch @Anomie!

Updated patch here:

csteipp triaged this task as Normal priority.
csteipp claimed this task.
csteipp moved this task from Backlog to Needs Review/Feedback on the MediaWiki-Core-Team board.
Anomie added a comment.EditedJan 15 2015, 1:52 AM

Updated patch here:

Code review: +1, Looks good, seems to work

csteipp closed this task as Resolved.Jan 20 2015, 11:11 PM

This will be released with 1.24.2. All other work is done.

bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board.Feb 5 2015, 1:58 AM
csteipp updated the task description. (Show Details)Mar 18 2015, 1:12 AM
csteipp added a project: Vuln-XSS.

- remove unit tests for UploadBase

csteipp updated the task description. (Show Details)Mar 24 2015, 11:02 PM
csteipp changed the visibility from "Custom Policy" to "Custom Policy".Mar 31 2015, 12:39 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2015, 9:16 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
csteipp changed Security from Software security bug to None.

Change 201013 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201013

Change 201025 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201025

Change 201035 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201035

Change 201013 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201013

Change 201025 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201025

Change 201035 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201035

Change 201219 had a related patch set uploaded (by CSteipp):
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201219

Change 201219 merged by jenkins-bot:
SECURITY: Fix animate blacklist

https://gerrit.wikimedia.org/r/201219

csteipp updated the task description. (Show Details)Apr 8 2015, 1:58 AM

Use CVE-2015-2932 for this issue involving an incomplete list of

dangerous parts of HTML5. (The list is supposed to include all uses of
'animate attributename="xlink:href"' in SVG documents.)