Fix XSS caused by invalid utf8. #11
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes an XSS in the use of `g_markup_escape_text`, which doesn't properly escape input if it's not valid utf8. Since nulls are also forbidden by `g_utf8_validate`, don't try to deal with them either.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Here's a rather interesting bug I found with the the help of american fuzzy lop. Stick the following into a view and observe an XSS:
@user\xF4<b>xss\xFA</b>and"url":/page\xF4">x\xFA<b>xss\xFA</b>are similar exploits.The issue is that
g_markup_escape_textis used for escaping html, but this function assumes the input is valid utf8. When given invalid utf8 it goes haywire. Specifically,\xFAis an invalid leading byte, which seems to cause the function to copy the next few bytes unescaped until it resynchronizes with the utf8 stream.The fix I went with is to raise an exception if the input isn't valid utf8. I also removed some stuff that tries to handle nulls since
g_validate_utf8forbids those too. AFAICT the purpose of this code was to close any unclosed tags when EOF is reached, but that's redundant sinceparse_helpercallsdstack_closeanyway.In practice, postgres doesn't allow text fields to contain invalid utf8 or nulls to begin with, so in the real world this doesn't seem possible to trigger.