
Fix XSS in debugger #1001

Closed
neargle
Contributor

@neargle neargle commented Aug 31, 2016

The exc and plaintext_cs variables have an XSS defense, but plaintext does not.

    def render_full(self, evalex=False, secret=None,
                    evalex_trusted=True):
        """Render the Full HTML page with the traceback info."""
        exc = escape(self.exception)  # the exception info is passed through escape()
        return PAGE_HTML % {
            'evalex':           evalex and 'true' or 'false',
            'evalex_trusted':   evalex_trusted and 'true' or 'false',
            'console':          'false',
            'title':            exc,
            'exception':        exc,
            'exception_type':   escape(self.exception_type),
            'summary':          self.render_summary(include_title=False),
            'plaintext':        self.plaintext,  # the plaintext is NOT passed through escape()
            'plaintext_cs':     re.sub('-{2,}', '-', self.plaintext),
            'traceback_id':     self.id,
            'secret':           secret
        }

This makes the debug page vulnerable to XSS.

For example:

@untitaker untitaker self-assigned this Aug 31, 2016
@ThiefMaster ThiefMaster changed the title fix the bug of debug page can be XSS Fix XSS in debugger Aug 31, 2016
@untitaker untitaker closed this in 1034edc Aug 31, 2016
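The defect reported above, reproduced as an added, self-contained example (not code from the pull request or from Werkzeug itself): a constructed stand-in for PAGE_HTML, the pre-fix rendering that leaves plaintext unescaped, and the obvious hardening of passing plaintext through the same escaping that exc already receives. The sample traceback and the template are constructed for the demo.

```python
import html  # stand-in for werkzeug's escape(); both escape <, >, &, and quotes
import re

# Constructed, heavily trimmed stand-in for werkzeug's PAGE_HTML. The real
# template puts the plain traceback inside a <textarea> and a copy of it
# (with runs of dashes collapsed) inside an HTML comment.
PAGE_HTML = (
    "<title>%(title)s</title>\n"
    '<textarea cols="50" rows="10">%(plaintext)s</textarea>\n'
    "<!--\n%(plaintext_cs)s\n-->\n"
)

# Constructed traceback. The exception message carries markup, as it would if
# attacker-influenced input ended up in a ValueError message.
SAMPLE_TRACEBACK = (
    "Traceback (most recent call last):\n"
    '  File "app.py", line 12, in view\n'
    "    raise ValueError(name)  # -- constructed sample --\n"
    "ValueError: </textarea><b>injected</b>\n"
)


def render_full_vulnerable(exception, plaintext):
    """Pre-fix behaviour: exception is escaped, plaintext is inserted raw."""
    exc = html.escape(exception)
    return PAGE_HTML % {
        "title": exc,
        "plaintext": plaintext,  # raw: '</textarea>' closes the element
        "plaintext_cs": re.sub("-{2,}", "-", plaintext),  # only '--' is neutralised
    }


def render_full_fixed(exception, plaintext):
    """Hardened form: plaintext gets the same escaping as exc before insertion."""
    exc = html.escape(exception)
    safe_plaintext = html.escape(plaintext)
    return PAGE_HTML % {
        "title": exc,
        "plaintext": safe_plaintext,
        "plaintext_cs": re.sub("-{2,}", "-", safe_plaintext),
    }


def comment_body(page):
    """Return the text between the HTML comment delimiters of a rendered page."""
    return page.split("<!--", 1)[1].rsplit("-->", 1)[0]
```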
@untitaker
Contributor

Thanks, 0.11.11 is released!

In general we'd prefer private disclosure for security issues though.

psivesely pushed a commit to freedomofpress/securedrop that referenced this pull request Aug 31, 2016
Normally, we're hesitant to issue an update for dependencies when we've already
entered the release candidate(s) stage of the release process. In this case, the
changes I'm adding are all minor bug fixes that I've reviewed. Two of the fixes
were labeled as security issues; however, they don't really affect us, as
explained below.

* Werkzeug
  * A bug that allowed XSS attacks on the debug page has been fixed (we
    don't run Flask in debug mode in production) -
    pallets/werkzeug#1001
  * An invalid Content-Type makes form parsing throw a ValueError exception (the fix
    returns an invalid request 400 Bad Request page instead of an internal
    server error when the content-type field of an HTTP request is bad--such as
    ' ' or ',') - pallets/werkzeug#995
  * Raise BadRequestKeyError instead of IndexError in MultiDict when calling
    __getitem__ on a key with an empty associated list of values (Flask returns
    forms and query strings as MultiDicts. This is just better error-handling,
    no real bug being fixed here.) -
    pallets/werkzeug#979

* pyotp
  * The string comparison function now no longer leaks string length (shouldn't
    affect SD because the length of our TOTP codes is already known) -
    pyauth/pyotp#28
@neargle
Contributor Author

neargle commented Sep 1, 2016

I'm very sorry, but I did not find a way to disclose this privately.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020