Use encoded URLs for searchSuggestionHtml #721
Conversation
Unit tests are broken, and it seems your PR encodes the & URL separator, and it should not.
Codecov Report
@@ Coverage Diff @@
## master #721 +/- ##
=======================================
Coverage 57.81% 57.81%
=======================================
Files 56 56
Lines 3651 3651
Branches 2047 2047
=======================================
Hits 2111 2111
Misses 1539 1539
Partials 1 1
I wonder if this is the right place to secure the URL. At least we already have a function to URL-encode a string (urlEncode); we should use it.
But nice catch anyway.
48d6916 to 6dbd859
Previously, the searchURL was not encoded.
This resulted in an XSS vulnerability; a proof of concept is:
start kiwix-serve
visit http://192.168.18.1:8081/"><svg onload="alert(1)">
This would display an alert message.
This encodes the searchURL before passing it to searchSuggestionHtml
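The splice the PR description is talking about, as an added example that is not code from kiwix-tools: the request URL is written into a double-quoted attribute of the suggestion markup unescaped, so the path `"><svg onload=alert(1)>` from the PoC closes the attribute and injects a tag. The names urlEncode, urlEncodePath, htmlAttrEscape and the `data-search-url` attribute are stand-ins assumed for this example, not the project's API. It also shows the reviewer's caveat: the stand-in urlEncode applied to a whole URL encodes `&` and `=` along with everything else, so it is applied per path segment, and an HTML-attribute escape is shown beside it as the context-correct defence.

```cpp
// Added example, not kiwix-tools code. Models the unencoded searchURL splice
// described in the PR and two ways to neutralise the PoC payload.
#include <iostream>
#include <string>

// Stand-in for the project's urlEncode(): percent-encodes every byte outside
// the RFC 3986 unreserved set. Delimiters such as '/', '?', '&' and '=' are
// encoded as well, so it must be applied to components, not to a whole URL.
std::string urlEncode(const std::string& s) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        bool unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                          (c >= '0' && c <= '9') || c == '-' || c == '_' ||
                          c == '.' || c == '~';
        if (unreserved) {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

// Encodes a path segment by segment so the '/' separators survive:
// "/a b/c" -> "/a%20b/c". Query strings would need the same per-component care.
std::string urlEncodePath(const std::string& path) {
    std::string out, segment;
    for (char c : path) {
        if (c == '/') {
            out += urlEncode(segment) + "/";
            segment.clear();
        } else {
            segment += c;
        }
    }
    return out + urlEncode(segment);
}

// Escapes the characters that can break out of an HTML attribute value.
std::string htmlAttrEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Before the fix (hypothetical markup): the URL is spliced in verbatim, so a
// '"' in the request path closes the attribute and the rest is parsed as HTML.
std::string searchSuggestionHtmlVulnerable(const std::string& searchURL) {
    return "<input id=\"search\" data-search-url=\"" + searchURL + "\">";
}

// Fix in the spirit of this PR: percent-encode the user-controlled path before
// it reaches the template, leaving the scheme/host prefix and '/' untouched.
std::string searchSuggestionHtmlEncoded(const std::string& root, const std::string& path) {
    return "<input id=\"search\" data-search-url=\"" + root + urlEncodePath(path) + "\">";
}

// Context-correct defence: escape for where the value lands, an HTML attribute.
std::string searchSuggestionHtmlEscaped(const std::string& searchURL) {
    return "<input id=\"search\" data-search-url=\"" + htmlAttrEscape(searchURL) + "\">";
}

int main() {
    // Constructed input: the PoC from the PR description as the server sees it.
    const std::string root = "http://192.168.18.1:8081";
    const std::string pocPath = "/\"><svg onload=alert(1)>";
    std::cout << "vulnerable: " << searchSuggestionHtmlVulnerable(root + pocPath) << "\n";
    std::cout << "encoded:    " << searchSuggestionHtmlEncoded(root, pocPath) << "\n";
    std::cout << "escaped:    " << searchSuggestionHtmlEscaped(root + pocPath) << "\n";
    // The reviewer's point: encoding a whole URL mangles its separators.
    std::cout << "whole-URL:  " << urlEncode(root + "/search?q=a&b=c") << "\n";
    return 0;
}
```

The vulnerable variant emits the payload byte for byte; the encoded variant turns it into `%22%3E%3Csvg%20onload%3Dalert%281%29%3E`, which the browser treats as an opaque path, and the escaped variant keeps the characters but makes them inert in the attribute. The last line of main shows why applying urlEncode to the full URL is wrong: `?`, `=` and `&` come out as `%3F`, `%3D` and `%26`.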
@legoktm I don't know, but I would guess for an old weakness.
#465
Thanks, so a597870 was only included in 10.0.0 (no released Debian versions are affected, just unstable). Could we do a 10.0.2 release with just this cherry-picked? I note that even library.kiwix.org is vulnerable to this. Or if 10.1.0 is coming pretty soon then waiting wouldn't be too bad. And we should also get a CVE ID assigned for this vulnerability, @kelson42 if you haven't gone through this process before I'm happy to help out.
@legoktm Thx for your last comment. For the moment I don't have a strong opinion on this but understand the rationale. It seems as well you have a clearer opinion on the next release than I do. But, considering this PR to be closed, could you please open a new ticket with these arguments and why you would like to request an early release of 10.1.0?