Fix an instance of xss #677
Conversation
|
The Mink test suite passes, but since file is located in driver test suite, then each driver needs to use it and pass as well. |
|
Yeah, the Mink testsuite itself does not rely on these files at all. |
|
So...if I patched the instances that seem clearly like XSS would that be OK to merge or are there other people we should ping to get their feedback on these changes (at least advise them it's coming)? |
|
This is some rather interesting code ;) I'm pretty sure the htmlspecialchars on the file contents will break some uses of that form, but I have a hard time imagining the purpose of that form. When trying to sanitize synthetic code it seems natural that the outputs will be rather synthetic as well - as long as the behavior is well known it seems fine for any consuming code to modify itself to be more synthetic as well. |
|
@greggles try running the MinkSelenium2Driver testsuite using this modified version of the testsuite (start the webserver in the modified version rather than the current version of fixtures) to see whether the driver testsuite still works |
| @@ -13,11 +13,15 @@ | |||
| } | |||
|
|
|||
| $_POST['agreement'] = isset($_POST['agreement']) ? 'on' : 'off'; | |||
| foreach ($_POST as $key => $value) { | |||
| unset($_POST[$key]); | |||
| $_POST[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); | |||
There was a problem hiding this comment.
rather than replacing $_POST, I would rather use a separate array if we go this way
|
Sadly I'm not currently setup to run MinkSelenium2Driver. Not sure I'll be able to do it. |
|
@greggles this is not complex: you just need to have java and firefox installed locally, and to download the selenium jar (well, you also need to clone the driver repo and run |
|
@stof, maybe we should explain on each driver repo page how to setup local development in detail. For Selenium it would be:
|
|
@aik099 this would be a good idea |
|
I've created corresponding tasks in each driver repo so we don't forget to do this at some point. |
| ksort($_POST); | ||
| echo str_replace('>', '', var_export($_POST, true)) . "\n"; | ||
| foreach ($_POST as $key => $value) { | ||
| $post_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); |
There was a problem hiding this comment.
this is broken in case the value is an array (for a multiple select for instance)
|
Another solution for most cases: exclude the testsuite from the archives; as they aren't needed for other projects, right? See #691 |
|
This would only help if archives are used for install this package. |
|
Yes, which is most cases. Not saying you shouldn't fix this issue also :) |
|
Absolutely (about issue needs to be fixed). I saw people using Mink for crawling purposes in which case tests might end up in production as well. Unfortunately @greggles seems to have abandoned this PR (I see no changes requested during code review being made). |
|
As for implementation to avoid massive code duplication I'm proposing to create a function like
Then we can make this function available across test suite (e.g. via Composer's |
|
But the tests are autoload only in dev, so that wouldn't work properly right? Imho package specific tests are not public API and should not be relied upon. |
|
Ah, you're right, that |
|
Okay, so removing the driver-testsuite isn't an option apparently, so I suggest it either gets moved to a seperate issue soonish, or the XSS gets fixed (also soonish ;)) |
|
As I've mentioned before issue fixing is the right way, but PR author has abandoned it. If you're willing you can create your PR, that will replace this one. |
|
I have zero knowledge of Mink. I just find it odd that a XSS issue is known for months, but no action is taken by the maintainers of this repo, even if the person who reported it abandoned the issue. |
|
@barryvdh the question is why you are installing vendors inside the webroot though. |
|
I'm not, but you need to ask Drupal that ;) |
|
I just tried to address the feedback on the PR. Scrutinizer has said 2 new style issues were introduced, but when I look at their website it seems the issues are in files that were not modified in this PR, so I'm not sure what needs to be fixed (probably I can't read that output). I don't use Mink. I was trying to fix a bug that affected Drupal 8 (which I also don't currently use). It doesn't feel great to hear comments that I abandoned this, but it is accurate that I stopped working on it. I'd say the reason I stopped working was 2 fold:
Guides for new contributors would help to lower the barrier. Seems there's been no progress on those? If you could automatically run the tests you're asking me to run that would also lower the barrier. |
|
BTW, Drupal includes it in the webroot because that's how most people who download Drupal expect to use the file they've downloaded: Extract a tarball it into the webroot and installation is done. I know that's considered by "modern" php folks to be an outdated philosophy, but it's the reality that most people running PHP sites expect. There aren't (yet) any good guides about how to modify an installation to move vendor outside the webroot. |
Sorry about that, but when you realized that you won't be able to continue with a PR development I recommend informing maintainers so that they can reassign it to another contributor. In this case you haven't replied at all (for 5 months) and maintainers (including me) had no idea if PR is abandoned or just delayed. |
That may happen due the fact, that used standard have changed since last inspection was run and therefore errors on non-changed files were raised. You can safely ignore those.
I see.
As a maintainer I'm a bit biased, but I do understand that it's hard to get new contributors on board due specifics of installing the software.
Unfortunately. I guess we (as maintainers) are expecting for somebody else to change the guidelines as they see fit to make contribution easier.
I can. Please made necessary changes and at least make sure there are no PHP syntax errors. |
|
I fixed the syntax error - sorry about that. I don't currently plan to work more on this PR. |
|
Closing in favor of #694 , where I've applied all code from this PR and improved it further to reduce duplication in escaping code. |
|
@aik099 Thanks for finishing this! |
|
You're welcome. At least now people having |
Hi,
There's an xss issue in https://github.com/minkphp/Mink/blob/master/driver-testsuite/web-fixtures/issue130.php
That issue was highlighted in an email to full disclosure at http://seclists.org/fulldisclosure/2015/Oct/42
The Drupal project attempts to solve this xss issue with an .htaccess file, but that's not very reliable. Another solution is to keep Mink code outside of the webroot, but that's not always possible on all servers.
It would be ideal, in my opinion, to just filter the text.
I did a quick grep to look for other similar problems and it seems there are some:
I didn't look into fixing any more of them.