
Possible problem with nicknames that hold a blind attack in their screenname #9538

Closed
hansw-nlo opened this issue Nov 16, 2020 · 17 comments · Fixed by #9540

@hansw-nlo

When people from Friendica get a request to connect from a specially crafted nickname it messes up the template:

https://f.haeder.net/display/adbba6c6-145f-b2d5-36b5-dbf024802469

In this case the name is being crafted with:

The nick belongs to me. It is a part of a simple test to see if it is possible to insert a blind attack to a site. Might need to be filtered properly or fixed in the template checks

@MrPetovan MrPetovan added the Bug label Nov 16, 2020
@MrPetovan
Collaborator

MrPetovan commented Nov 16, 2020

Thank you for your report, however the screenshot posted by @Quix0r doesn't enable me to figure out what the issue is exactly. It's too small and the full size version at https://f.haeder.net/photos/roland/image/11321985875fb2d51dacd11566303811 is inaccessible to me.

I'll have to replicate the behavior with the same display name '';<!--"'hansw' I took it from your Mastodon profile.

@hansw-nlo
Author

Hi, indeed that is the nick on my profile. The person trying to accept my connection might be able to inform you about the exact error. Should not be too hard to fix, but I recommend fixing it in a general filter used globally at every filtering point. I broke sites hard with this and some SQL code.

@MrPetovan
Collaborator

MrPetovan commented Nov 16, 2020

We have enabled filtering in templates by default since 6d90d35 and we've worked since to exempt variables purposefully containing HTML snippets, which display names don't qualify as. So I'm surprised this display name could have broken anything. We don't use display names in any inconspicuous place that I can think of; you can see that it displays perfectly fine at the top of the page since it's in a large header font.

So I'm not entirely convinced it broke anything by itself, based on the previous commit and the poor quality screenshot. Can you please try to follow my development account, hypolite@dev-friendica.mrpetovan.com, to try to replicate the issue?

@hansw-nlo
Author

Done

@MrPetovan
Collaborator

Thank you!

@MrPetovan
Collaborator

MrPetovan commented Nov 16, 2020

Ha, I see a spot where it doesn't show as expected: in the notifications dropdown. Nothing wrong in the contact request screen, but I'm using a different theme than @Quix0r.

@hansw-nlo
Author

Ah, cool. Maybe the person I invited can have a closer look. I was surprised to see his message; maybe the German language settings are messing with it too? I asked him to send in a report.

@MrPetovan
Collaborator

MrPetovan commented Nov 16, 2020

Now I fully see the issue. In both cases, we interpolate the display name of users in HTML snippets that we subsequently display as is in templates. Thank you so much for bringing this issue to our attention!
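The failure mode described in the two comments above (escaping on by default in templates, with an opt-out for variables that already hold HTML, and a display name concatenated raw into one of those HTML snippets) can be reproduced in a few lines. The following is an added illustration, not Friendica's own code or template engine: `renderTemplate`, `notificationSnippetVulnerable`, `notificationSnippetSafe` and the profile URL are constructed for this example; the display name is the one reported in this issue.

```php
<?php
// Added example (not Friendica's code): how a display name reaches a template
// through an HTML snippet that is exempt from the template's default escaping.
declare(strict_types=1);

// Constructed test input: the display name reported in this issue.
const REPORTED_NAME = "'';<!--\"'hansw'";

/**
 * Escape a string for use as HTML text or inside a quoted attribute value.
 * ENT_QUOTES covers both ' and ", so the result is safe inside "..." as well.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Stand-in for a template engine that escapes every variable by default,
 * with an explicit opt-out ($rawVars) for variables that already contain
 * HTML the caller vouches for.
 */
function renderTemplate(string $template, array $vars, array $rawVars = []): string
{
    foreach ($vars as $name => $value) {
        $safe = in_array($name, $rawVars, true) ? $value : escapeHtml($value);
        $template = str_replace('{{' . $name . '}}', $safe, $template);
    }
    return $template;
}

// The pattern behind the broken notifications dropdown: the snippet is built
// in PHP with the display name interpolated raw, then passed to the template
// as "trusted HTML", so the default escaping never sees the name at all.
function notificationSnippetVulnerable(string $url, string $displayName): string
{
    return '<a href="' . $url . '">' . $displayName . '</a> wants to connect';
}

// Hardened: escape untrusted text at the point it is concatenated into HTML.
// The snippet can stay exempt from template escaping because it no longer
// contains any raw user input.
function notificationSnippetSafe(string $url, string $displayName): string
{
    return '<a href="' . escapeHtml($url) . '">' . escapeHtml($displayName)
        . '</a> wants to connect';
}

// Simple check a reviewer can run over rendered output: an unescaped "<!--"
// opens an HTML comment that swallows everything after it in the dropdown,
// which matches the "messes up the template" symptom in the report.
function containsRawCommentOpener(string $html): bool
{
    return strpos($html, '<!--') !== false;
}

$template = '<li class="notif">{{snippet}}</li><li class="menu">Settings</li>';
$url = 'https://example.invalid/profile/hansw'; // constructed URL

$vulnerable = renderTemplate(
    $template,
    ['snippet' => notificationSnippetVulnerable($url, REPORTED_NAME)],
    ['snippet']
);
$safe = renderTemplate(
    $template,
    ['snippet' => notificationSnippetSafe($url, REPORTED_NAME)],
    ['snippet']
);

echo 'vulnerable output opens a comment: ', var_export(containsRawCommentOpener($vulnerable), true), PHP_EOL;
echo 'hardened output opens a comment:   ', var_export(containsRawCommentOpener($safe), true), PHP_EOL;
echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;
```

Run it with `php example.php`: the first rendering keeps the literal `<!--` from the display name, so the browser treats the rest of the list as a comment and the "Settings" entry disappears, while the second rendering carries `&lt;!--` and `&quot;` and renders both list items. The general lesson is the one MrPetovan states: exempting a variable from template escaping is only sound when every piece of untrusted text that went into building that variable was escaped at the point of concatenation.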

@MrPetovan MrPetovan added this to the 2020.12 milestone Nov 16, 2020
@MrPetovan MrPetovan self-assigned this Nov 16, 2020
@hansw-nlo
Author

Nice, if you give me a message when it is solved then I will boost it to help people update. Thanks

@hansw-nlo
Author

Do I see correctly that the friendica_test_data.sql holds test data for a new install?

I see some other issues we might need to explore.

@MrPetovan
Collaborator

It doesn't, the installer creates an empty database before the first user is created. This test data is stale and unused in Friendica. Thanks for looking though!

@hansw-nlo
Author

Hmm, would have been great. Might just set up a RasPi and see what it does with a real hostname.

@MrPetovan
Collaborator

You're welcome to do so, please follow the regular installation procedure. @tobiasd may have some wisdom to offer you about an install on a Raspberry Pi if you're encountering specific issues.

@tobiasd
Collaborator

tobiasd commented Nov 18, 2020

The friendica_test_data.sql is used (among maybe other things) to set up the development VM with vagrant.

Installation on a RasPi is more or less just the normal installation. You may need to ignore a warning in the admin panel about some MySQL settings (or only apply the suggested value with a lower value). And the worker settings / max LOAD etc. need to be adapted a bit for the constraints of the small box.

@Quix0r

Quix0r commented Jan 2, 2021

@MrPetovan: The image is marked as public, I checked its settings.

@Quix0r

Quix0r commented Jan 2, 2021

@MrPetovan
Collaborator

This looks like a reduced size version, what about with a -0 instead of a -1?
