Requesting more details on GHSA-fqx8-v33p-4qcc (CVE-2022-23638) #71
Comments
ohader
changed the title
|
@ohader you're correct. The concern here was that any of the following tags will cause the HTML parser to break out of foreign content and back into HTML.
As per: https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inforeign Specifically this line was causing me issues: <p/><![CDATA[ ><img src onerror=alert(1)> ]]>DOMDocument was picking the img tag up as a DOMComment node with the following content, which led me to remove comments and CDATA so that this got stripped. ><img src onerror=alert(1)>I'm happy to consider adding CDATA back in, but we need to be sure that there's no easy bypass. Maybe we should consider extending the tests in this area. |
reviewtypo3org
pushed a commit
to TYPO3/typo3
that referenced
this issue
Feb 21, 2022
Recent release of enshrined/svg-sanitize addressed a XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contains markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71 Resolves: #96901 Releases: main, 11.5, 10.4 Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
reviewtypo3org
pushed a commit
to TYPO3/typo3
that referenced
this issue
Feb 21, 2022
Recent release of enshrined/svg-sanitize addressed a XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contains markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71 Resolves: #96901 Releases: main, 11.5, 10.4 Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
reviewtypo3org
pushed a commit
to TYPO3/typo3
that referenced
this issue
Feb 21, 2022
Recent release of enshrined/svg-sanitize addressed a XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contains markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71 Resolves: #96901 Releases: main, 11.5, 10.4 Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73627 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3IncTeam
pushed a commit
to TYPO3-CMS/core
that referenced
this issue
Feb 21, 2022
Recent release of enshrined/svg-sanitize addressed a XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contains markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71 Resolves: #96901 Releases: main, 11.5, 10.4 Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3IncTeam
pushed a commit
to TYPO3-CMS/core
that referenced
this issue
Feb 21, 2022
Recent release of enshrined/svg-sanitize addressed a XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contains markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71 Resolves: #96901 Releases: main, 11.5, 10.4 Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3IncTeam
pushed a commit
to TYPO3-CMS/core
that referenced
this issue
Feb 21, 2022
Recent release of enshrined/svg-sanitize addressed a XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user submitted images that contains markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71 Resolves: #96901 Releases: main, 11.5, 10.4 Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73627 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems tag
0.15.0addressed a security vulnerability, see corresponding advisory GHSA-fqx8-v33p-4qcc (CVE-2022-23638)Corresponding commit at 17e12ba contains a new test case
tests/data/htmlTest.svg.Invoked as
svg.svgin browser, mime-typeimage/svg+xml→ no problem since
<img>is not a SVG element-> not a vulnerability
Invoked as
svg.htmlin browser, mime-typetext/htm→ valid concern, since HTML is used in inline SVG
→ scripts are executed in browser
→ cross-site scripting vulnerability
Conclusion & Post-review
<img>) seems to be fine, see https://developer.mozilla.org/en-US/docs/Web/SVG/Element#cdataand#commentnodes seems to be superfluous and leads to regressions like in CDATA section is removed #70Request
The text was updated successfully, but these errors were encountered: