On 2016-10-29 5:30 PM, Brian Wolff wrote:
> On Saturday, October 29, 2016, Daniel Friesen <daniel(a)nadir-seen-fire.com> wrote:
>> And then there is $image. urlpathinfo doesn't escape quotes, backslashes, or </script>.
>
> It's hard to find docs on what urlpathinfo actually does (talk about a red
> flag for a security mechanism...) but I thought it was basically
> rawurlencode, which I think escapes all the relevant characters in this
> context as percent encoding.
>
> --
> Bawolff
You're right, urlpathinfo does escape '</script> to %27%3C/script%3E.

I was testing against the DISQUS widget's code which supposedly used
urlpathinfo for its $id parameter:
http://www.mediawikiwidgets.org/w/index.php?title=Widget:DISQUS&action=…

However it turns out that the actual code in the widget was
'<!--{$id|escape:'urlpathinfo '}-->' (there is a space after urlpathinfo
but before the quote).

So it seems that `|escape:'urlpathinfo'` will safely escape things. But
an extra space in the escape type name will make it an invalid escape
type, and when Widgets encounters an invalid escape type, instead of
erroring out and warning you it just ignores the escape entirely and
drops a wide open security hole in your widget.

(That said, DISQUS and nearly every other inline-script-using widget is
still broken even if urlpathinfo worked, because just about every one of
them uses something like '<!--{$url|escape:'quotes'}-->' which offers no
security because it pretty much only escapes double quotes, leaving BOTH
single quotes and </script> free to inject code.)

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
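The two failure modes in the thread (a quote-only escape that leaves `</script>` intact, and an unrecognized escape name that silently disables escaping) can be checked mechanically. The following is an added example, not code from the mailing-list thread or from the Widgets extension or Smarty: it models `urlpathinfo` as rawurlencode with `/` restored (which is what Smarty does), models `quotes` as a simplified "backslash any unescaped quote character" (an assumption, not Smarty's implementation), and adds a checker for values emitted inside a quoted string in an inline `<script>`. Unknown escape names are treated as a hard error rather than a pass-through. The sample inputs are constructed; the `'</script>` probe is the one the thread itself uses.

```python
"""Model of Smarty-style escape modifiers and a script-context safety check.

Added example; ESCAPE_MODES is a simplified model, not Smarty's code.
"""
from __future__ import annotations

import re
from urllib.parse import quote

ESCAPE_MODES = {
    # Smarty urlpathinfo: rawurlencode with %2F turned back into '/'.
    # Python's quote() with safe='/' percent-encodes everything except
    # unreserved characters, which matches that behaviour.
    "urlpathinfo": lambda s: quote(s, safe="/"),
    # Simplified 'quotes' model (assumption): backslash any quote that is not
    # already preceded by a backslash; touches nothing else.
    "quotes": lambda s: re.sub(r"""(?<!\\)(['"])""", r"\\\1", s),
}


def render_script_value(value: str, escape_type: str) -> str:
    """Apply the named escape to a widget parameter.

    Unlike the lenient behaviour the thread describes (unknown escape name ->
    value passed through raw), an unknown name is a hard error, so a typo such
    as 'urlpathinfo ' (trailing space) cannot silently disable escaping.
    """
    try:
        escape = ESCAPE_MODES[escape_type]
    except KeyError:
        raise ValueError(
            f"unknown escape type {escape_type!r}; refusing to emit raw value"
        )
    return escape(value)


def unsafe_for_js_string(s: str) -> list[str]:
    """List why s is unsafe inside '...' or "..." in an inline <script>.

    Walks the string as the JS lexer would: a backslash consumes the next
    character, so a quote only counts as escaped if an unconsumed backslash
    precedes it. Separately, the HTML parser ends script data at '</script'
    no matter how the JS is quoted, and '<!--' changes its parsing rules.
    """
    problems = []
    i = 0
    while i < len(s):
        if s[i] == "\\":
            i += 2  # the backslash and whatever it escapes
            continue
        if s[i] in "'\"":
            problems.append("unescaped quote")
            break
        i += 1
    if re.search(r"</script", s, re.IGNORECASE):
        problems.append("script end tag")
    if "<!--" in s:
        problems.append("html comment opener")
    if re.search(r"[\r\n\u2028\u2029]", s):
        problems.append("line terminator")
    return problems


def audit(value: str, escape_type: str) -> tuple[str | None, list[str]]:
    """Render value with escape_type and report script-context problems.

    Returns (rendered, problems); rendered is None when the escape name is
    unknown, which is itself reported as a problem.
    """
    try:
        out = render_script_value(value, escape_type)
    except ValueError as e:
        return None, [str(e)]
    return out, unsafe_for_js_string(out)


if __name__ == "__main__":
    # Constructed inputs: the thread's "'</script>" probe and a doubled
    # backslash, which defeats an escape that only looks at quote characters.
    for value in ("foo'</script>", "foo\\\\'bar"):
        for mode in ("urlpathinfo", "quotes", "urlpathinfo "):
            out, problems = audit(value, mode)
            print(f"{mode!r:15} {value!r:18} -> {out!r:24} {problems}")
```

Running the module shows `urlpathinfo` producing `foo%27%3C/script%3E` with no findings, the `quotes` model leaving `</script>` in place, the doubled backslash slipping an unescaped quote past `quotes`, and the misspelled escape name being rejected instead of ignored. The same walk-and-check logic can be pointed at rendered widget output as a regression test when a widget's escape calls change.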