[DRE-maint] Bug#774748: patch

Cédric Barboiron ced at winkie.fr
Tue Feb 10 14:16:12 UTC 2015 

Hi,

I've tried to write a patch for the very specific issue in this CVE.
The regex used is derived from the one used in redmine
(https://github.com/redmine/redmine/blob/master/lib/redcloth3.rb#L818).

Package built with this patch (in pbuilder) and succesfully tested against the
PoC in http://co3k.org/blog/redcloth-unfixed-xss-en

As a side note, I would not be able to patch redcloth for a more complex issue
or anything in the ragel layer.

Regards
-------------- next part --------------
Description: fix for CVE-2012-6684
Author: Cédric Barboiron <ced at winkie.fr>

--- a/lib/redcloth/formatters/html.rb
+++ b/lib/redcloth/formatters/html.rb
@@ -111,14 +111,17 @@
   end
   
   def link(opts)
-    "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>"
+    href = escape_uri(escape_attribute(opts[:href]))
+    "<a href=\"#{href}\"#{pba(opts)}>#{opts[:name]}</a>"
   end
   
   def image(opts)
     opts.delete(:align)
     opts[:alt] = opts[:title]
-    img = "<img src=\"#{escape_attribute opts[:src]}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"  
-    img = "<a href=\"#{escape_attribute opts[:href]}\">#{img}</a>" if opts[:href]
+    src = escape_uri(escape_attribute(opts[:src]))
+    href = escape_uri(escape_attribute(opts[:href])) if opts[:href]
+    img = "<img src=\"#{src}\"#{pba(opts)} alt=\"#{escape_attribute opts[:alt].to_s}\" />"
+    img = "<a href=\"#{href}\">#{img}</a>" if href
     img
   end
   
@@ -267,6 +270,22 @@
   def escape_attribute(text)
     html_esc(text, :html_escape_attributes)
   end
+
+  # fix for CVE-2012-6684
+  def escape_uri(uri)
+    # escape only if filter_html is enabled
+    return uri unless filter_html
+
+    # accept every scheme://*
+    # allow only mailto:*
+    # accept all other uri
+    m = %r{^([a-zA-Z]+):(?!//)}.match uri
+    return uri unless m && m[1] != 'mailto'
+
+    # unwanted uri (e.g. javascript:*)
+    # prefix by '#'
+    '#' << uri
+  end
   
   def after_transform(text)
     text.chomp!
--- a/spec/fixtures/filter_html.yml
+++ b/spec/fixtures/filter_html.yml
@@ -175,3 +175,18 @@
 ---
 in: /me <3 beer
 filtered_html: <p>/me <3 beer</p>
+---
+name: CVE-2012-6684
+in: |-
+  ["clickme":javascript:alert(%27XSS%27)]
+filtered_html: <p><a href="#javascript:alert(%27XSS%27)">clickme</a></p>
+---
+name: legit http link
+in: |-
+  ["clickme":http://example.com]
+filtered_html: <p><a href="http://example.com">clickme</a></p>
+---
+name: legit mailto link
+in: |-
+  ["clickme":mailto:user at example.com]
+filtered_html: <p><a href="mailto:user at example.com">clickme</a></p>

More information about the Pkg-ruby-extras-maintainers mailing list