Fix for CVE-2008-3422

svn path=/branches/mono-1-2-5/mcs/; revision=110144
mono · Aug 11, 2008 · 49c9dba · 49c9dba
1 parent 9751298
commit 49c9dba
Show file tree

Hide file tree

Showing 11 changed files with 62 additions and 11 deletions.
diff --git a/mcs/class/System.Web/System.Web.UI.HtmlControls/ChangeLog b/mcs/class/System.Web/System.Web.UI.HtmlControls/ChangeLog
@@ -106,6 +106,16 @@
 	* HtmlForm.cs: ignore user provided 'onsubmit' for HtmlForm. See
 	bug #76974.
 
+2008-07-25  Dean Brettle <dean@brettle.com>
+
+ 	* HtmlControl.cs (PreProcessRelativeReference), 
+ 	HtmlForm.cs (RenderAttributes), HtmlInputButton (RenderAttributes),
+ 	HtmlInputRadioButton (RenderAttributes), HtmlSelect (RenderChildren):
+ 	Encode attributes that could contain HTML special chars.
+
+ 	* HtmlSelect (RenderChildren): HTML-encode option text.
+	* Fix for CVE-2008-3422
+
 2006-11-27  Igor Zelmanovich  <igorz@mainsoft.com>
 
 	* HtmlForm.cs: refactoring: Registering of client scripts

diff --git a/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlControl.cs b/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlControl.cs
@@ -90,7 +90,7 @@ internal void PreProcessRelativeReference(HtmlTextWriter writer, string attribNa
 					catch (Exception) {
 						throw new HttpException(attribName + " property had malformed url");
 					}
-					writer.WriteAttribute(attribName, attr);
+					writer.WriteAttribute(attribName, attr, true);
 					Attributes.Remove(attribName);
 				}
 			}

diff --git a/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlForm.cs b/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlForm.cs
@@ -271,7 +271,7 @@ protected override void RenderAttributes (HtmlTextWriter w)
 				w.WriteAttribute ("name", Name);
 
 			w.WriteAttribute ("method", Method);
-			w.WriteAttribute ("action", action);
+			w.WriteAttribute ("action", action, true);
 
 			if (ID == null) {
 				/* If ID != null then HtmlControl will

diff --git a/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlInputButton.cs b/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlInputButton.cs
@@ -286,7 +286,7 @@ protected override void RenderAttributes (HtmlTextWriter writer)
 				}
 
 				if (onclick.Length > 0) {
-					writer.WriteAttribute ("onclick", onclick);
+					writer.WriteAttribute ("onclick", onclick, true);
 					writer.WriteAttribute ("language", "javascript");
 				}
 			}
@@ -302,7 +302,7 @@ protected override void RenderAttributes (HtmlTextWriter writer)
 
 				if (oc != null) {
 					writer.WriteAttribute ("language", "javascript");
-					writer.WriteAttribute ("onclick", oc);
+					writer.WriteAttribute ("onclick", oc, true);
 				}
 			}
 #endif

diff --git a/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlInputRadioButton.cs b/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlInputRadioButton.cs
@@ -126,7 +126,7 @@ protected override void RenderAttributes (HtmlTextWriter writer)
 			if (Page != null)
 				Page.ClientScript.RegisterForEventValidation (this.UniqueID, Value);
 #endif
-			writer.WriteAttribute ("value", Value);
+			writer.WriteAttribute ("value", Value, true);
 			Attributes.Remove ("value");
 			base.RenderAttributes (writer);
 		}

diff --git a/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlSelect.cs b/mcs/class/System.Web/System.Web.UI.HtmlControls/HtmlSelect.cs
@@ -668,10 +668,10 @@ override void RenderChildren (HtmlTextWriter w)
 					}
 				}
 
-				w.WriteAttribute ("value", item.Value);
+				w.WriteAttribute ("value", item.Value, true);
 				w.Write (HtmlTextWriter.TagRightChar);
 
-				w.Write (item.Text);
+				w.Write (HttpUtility.HtmlEncode(item.Text));
 				w.WriteEndTag ("option");
 				w.WriteLine ();
 

diff --git a/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/ChangeLog b/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/ChangeLog
@@ -2,6 +2,13 @@
 
 	* HtmlSelectTest.cs: updated tests to use HtmlDiff
 
+2008-07-27  Dean Brettle <dean@brettle.com>
+
+	* HtmlInputButtonTest.cs, HtmlImageTest.cs, HtmlFormTest.cs, 
+	HtmlInputRadioButtonTest.cs, HtmlSelectTest.cs:	Added tests 
+	for HTML-encoded of attributes. 
+	* Fix for CVE-2008-3422
+
 2006-11-13  Igor Zelmanovich  <igorz@mainsoft.com>
 
 	* HtmlContainerControlTest.cs: added new tests

diff --git a/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlImageTest.cs b/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlImageTest.cs
@@ -118,13 +118,13 @@ public void RenderAttributes ()
 			img.Alt = "*2*";
 			img.Border = 3;
 			img.Height = 4;
-			img.Src = "*5*";
+			img.Src = "*5<&*";
 			img.Width = 6;
 
 			Assert.AreEqual (6, img.Attributes.Count, "Attributes.Count");
 
 			HtmlTextWriter writer = img.GetWriter ();
-			Assert.AreEqual (" src=\"*5*\" align=\"*1*\" alt=\"*2*\" border=\"3\" height=\"4\" width=\"6\" /", writer.InnerWriter.ToString ());
+			Assert.AreEqual (" src=\"*5&lt;&amp;*\" align=\"*1*\" alt=\"*2*\" border=\"3\" height=\"4\" width=\"6\" /", writer.InnerWriter.ToString ());
 		}
 	}
 }
diff --git a/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlInputButtonTest.cs b/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlInputButtonTest.cs
@@ -164,6 +164,28 @@ public void OnClickAttribute ()
 			Assert.IsTrue (found >= 0, "#02");
 		}
 
+		[Test]
+		public void OnClickAttributeWithSpecials ()
+		{
+			StringWriter sw = new StringWriter ();
+			HtmlTextWriter tw = new HtmlTextWriter (sw);
+
+			HtmlInputButtonPoker p = new HtmlInputButtonPoker ();
+			p.Page = new Page ();
+			p.Attributes["onclick"] = "alert('<&');";
+			p.DoRenderAttributes (tw);
+			string str = sw.ToString ();
+			int found = str.IndexOf ("alert('&lt;&amp;');");
+			Assert.IsTrue (found >= 0, "#01");
+			p.ServerClick += new EventHandler (EmptyHandler);
+			sw = new StringWriter ();
+			tw = new HtmlTextWriter (sw);
+			p.DoRenderAttributes (tw);
+			str = sw.ToString ();
+			found = str.IndexOf ("alert('&lt;&amp;');");
+			Assert.IsTrue (found >= 0, "#02" + str);
+		}
+
 		private static void EmptyHandler (object sender, EventArgs e)
 		{
 		}

diff --git a/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlInputRadioButtonTest.cs b/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlInputRadioButtonTest.cs
@@ -236,9 +236,9 @@ public void RenderValue1 ()
 			rb.ID = "id";
 			string attrs = rb.RenderAttributes ();
 			Assert.IsTrue (attrs.IndexOf ("value=\"id\"") >= 0);
-			rb.Value = "hola";
+			rb.Value = "hola<&";
 			attrs = rb.RenderAttributes ();
-			Assert.IsTrue (attrs.IndexOf ("value=\"hola\"") >= 0);
+			Assert.IsTrue (attrs.IndexOf ("value=\"hola&lt;&amp;\"") >= 0);
 		}
 
 #if NET_2_0

diff --git a/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlSelectTest.cs b/mcs/class/System.Web/Test/System.Web.UI.HtmlControls/HtmlSelectTest.cs
@@ -479,5 +479,17 @@ public void DataBindDoubleCall ()
 			HtmlDiff.AssertAreEqual (exp, s.Render (), "DataBindDoubleCall");
 		}
 
+		[Test]
+		public void HtmlEncodeValues ()
+		{
+			TestHtmlSelect s = new TestHtmlSelect ();
+			s.DataSource = new string [] { "&", "<" };
+			s.DataBind ();
+			string exp = @"<select name>
+	<option value=""&amp;"">&amp;</option>
+	<option value=""&lt;"">&lt;</option>
+</select>";
+			HtmlDiff.AssertAreEqual (exp, s.Render (), "HtmlEncodeValues");
+		}
 	}
 }