Multiple XSS Fixes #1094
Conversation
$_SERVER['PHP_SELF'] is not sanitized before being used to generate URLs.
@vboctor even if we may discuss doing some code cleanup, it shouldn't set back integration of this fix.
@quantumpacket thanks for reporting this. In the future, kindly follow our guidelines for security issues reporting to avoid early public disclosure, see http://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems
For the record, we're not using
@@ -79,14 +79,14 @@ | |||
|
|||
echo '<div class="btn-group">'; | |||
$t_url_params['days'] = $f_days + 7; | |||
$t_href = $t_url_page . '?' . http_build_query( $t_url_params ); | |||
$t_href = htmlspecialchars( $t_url_page, ENT_QUOTES, 'UTF-8' ) . '?' . http_build_query( $t_url_params ); |
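Review bot: the escape is applied to $t_url_page at the point $t_href is assembled rather than where it is echoed, so only the page name is HTML-escaped; the '?' and the http_build_query() output are concatenated raw. http_build_query() percent-encodes keys and values but joins pairs with a literal '&', so if $t_href is later written into an href attribute the separators are not entity-encoded. Prefer escaping the complete $t_href at its output site with the string_attribute() helper the project's reviewer points to, and if htmlspecialchars() stays here, a one-line comment on why ENT_QUOTES and an explicit 'UTF-8' were chosen over the defaults would pre-empt the question raised in review.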
Escaping should be done via the string_attribute() API function.
Can you explain the rationale for using ENT_QUOTES vs the default of ENT_COMPAT?
Also, is there a reason to force the UTF-8 charset? (For the record, this is the default since PHP 5.4.)
I personally always use ENT_QUOTES when it's not directly being output in the HTML string but being set as a variable somewhere else, because I don't want to run into a situation where the HTML format is changed and quoting could accidentally end up no longer being escaped. As for the UTF-8, I should have checked the package's minimum supported versions. I don't use MantisBT, so I'm not really familiar with it at all. I'm just reporting this; how you guys go about fixing it is up to you. :)
Thanks for the clarification.
Isn't it enough to change just this single place?

It would be easier to do that, but you really should be doing the sanitizing as close to the output line as possible, so that you can rest assured that the variable being used is safe.
I'd recommend that you link to that in the README. Having it buried in a Wiki on the website is not very likely to be stumbled upon in this repository. I'd have gone that route if it was more obvious that there was a security procedure in place. I've never used MantisBT and this was my first time even visiting this repository. Please accept my apology. :)
Good suggestion, I'll take care of it.
No worries 😄

I did not request a CVE, so feel free to get one. For credits, I guess just use my GitHub account? Thanks, and great work on getting this fixed quickly. 😃

CVE-2017-7897 has been assigned.
$_SERVER['PHP_SELF'] is not sanitized before being used to generate URLs.

Yes, we have a CSP policy in place, but it can be disabled optionally per application config, and does not include prefixed headers, so IE 10/11 would be susceptible as they use X-Content-Security-Policy according to CanIUse.

PoC:
/view_user_page.php/"><script>alert(1)</script><x

http://www.mantisbt.org/bugs/view.php?id=22742
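An added illustration, not MantisBT's code and not the patch under review, that puts the thread's three points together: the PoC path above ends up in $_SERVER['PHP_SELF'] because PHP_SELF includes PATH_INFO, concatenating that value raw into an href lets the payload close the attribute, and ENT_COMPAT differs from ENT_QUOTES once the escaped value lands in a single-quoted attribute. Unlike the patch, which escapes only $t_url_page, this follows the later comment in the thread and escapes the complete href at the output site. The request string, parameter values, and the function names build_href_unsafe(), build_href_safe() and has_raw_script() are constructed for the demo and are not project API.

```php
<?php
// Added illustration, not MantisBT code and not the patch under review.
// Shows: (1) the PoC path is carried in $_SERVER['PHP_SELF'] via PATH_INFO
// (PHP documents /test.php/foo.bar giving PHP_SELF "/test.php/foo.bar"),
// (2) raw concatenation into an href lets the payload close the attribute,
// (3) ENT_COMPAT leaves ' alone, ENT_QUOTES does not.
// Constructed values: what PHP_SELF holds for
//   GET /view_user_page.php/"><script>alert(1)</script><x
$g_constructed_php_self = '/view_user_page.php/"><script>alert(1)</script><x';
$g_params = array( 'days' => 7, 'user_id' => 3 );

// Vulnerable pattern (illustrative name): page name from PHP_SELF, unescaped.
function build_href_unsafe( $p_page, array $p_params ) {
	return $p_page . '?' . http_build_query( $p_params );
}

// Hardened pattern (illustrative name): assemble the URL, then escape the
// whole string for an attribute context at the point it is emitted.
// ENT_QUOTES encodes both " and ', so the result is safe in either quoting
// style; http_build_query()'s '&' separators become &amp; as well.
function build_href_safe( $p_page, array $p_params ) {
	$t_href = $p_page . '?' . http_build_query( $p_params );
	return htmlspecialchars( $t_href, ENT_QUOTES, 'UTF-8' );
}

// True if the rendered markup still contains a live <script> tag.
function has_raw_script( $p_html ) {
	return stripos( $p_html, '<script' ) !== false;
}

$t_unsafe = '<a href="' . build_href_unsafe( $g_constructed_php_self, $g_params ) . '">Next</a>';
$t_safe   = '<a href="' . build_href_safe( $g_constructed_php_self, $g_params ) . '">Next</a>';

echo $t_unsafe, "\n";
// <a href="/view_user_page.php/"><script>alert(1)</script><x?days=7&user_id=3">Next</a>
// The "> closes href and the <a>; the script element is live.
echo $t_safe, "\n";
// <a href="/view_user_page.php/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;x?days=7&amp;user_id=3">Next</a>

var_dump( has_raw_script( $t_unsafe ) ); // bool(true)
var_dump( has_raw_script( $t_safe ) );   // bool(false)

// Why ENT_QUOTES: a value escaped with ENT_COMPAT is fine inside href="..."
// but, because ' is left untouched, it breaks out of href='...' and can
// inject a new attribute. Constructed payload for a single-quoted context:
$t_quote_payload = "/view_user_page.php/' onmouseover='alert(1)";
$t_compat = htmlspecialchars( $t_quote_payload, ENT_COMPAT, 'UTF-8' );
$t_quotes = htmlspecialchars( $t_quote_payload, ENT_QUOTES, 'UTF-8' );

echo "<a href='" . $t_compat . "'>Next</a>\n";
// <a href='/view_user_page.php/' onmouseover='alert(1)'>Next</a>
// href closed early; onmouseover is now a real event handler attribute.
echo "<a href='" . $t_quotes . "'>Next</a>\n";
// <a href='/view_user_page.php/&#039; onmouseover=&#039;alert(1)'>Next</a>
// still a single href attribute value.
```

Run it with `php example.php`. The second half is the situation the reporter describes: a value escaped when it is stored in a variable can later be emitted into a template whose quoting style differs from the one assumed, and only ENT_QUOTES survives that change.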