-
Notifications
You must be signed in to change notification settings - Fork 430
Potential XSS attack with Turbolinks #195
Comments
Thanks for informing us of these issues. For the first one, could we fix it by just removing the hash when checking the link type? Like this: # current - returns false for /sample.csv#hoge.html
nonHtmlLink = (link) ->
link.href.match(/\.[a-z]+(\?.*)?$/g) and not link.href.match(/\.html?(\?.*)?$/g)
# fixed - returns true for /sample.csv#hoge.html
nonHtmlLink = (link) ->
url = removeHash link
url.match(/\.[a-z]+(\?.*)?$/g) and not url.match(/\.html?(\?.*)?$/g) This would fix the example you have in your demo, but would it fix all cases? |
Yeah, check of extension is useful to prejudgment. Some attack vectors will remain.
Wow, I don't want to think for every cases, complicated regexp is meaningless and bad. OK: text/html, application/xhtml+xml, application/xml |
How does this pull request look? |
Hmm, text/html-sandboxed was already removed http://www.w3.org/html/wg/wiki/ChangeProposals/text_html_sandboxed
|
Yeah, nice catch. I updated the PR. Do you think it's sufficient now? |
Very good, no problem at content-type case. I can't judge for content-disposition case. "Content-Disposition: attachment" should be used together with "application/octet-stream". |
Alright, so I guess we'll just stick with the content-type check for now. |
I wrote a patch #197 The redirection by the Rails itself can be prevented. |
This looks good. Would you be willing to consider a few cosmetic suggestions? - def is_sameorigin(a, b)
+ def same_origin?(a, b)
a = URI.parse(a)
b = URI.parse(b)
- a.scheme + a.host + a.port.to_s == b.scheme + b.host + b.port.to_s
+ [a.scheme, a.host, a.port] == [b.scheme, b.host, b.port]
end
def abort_xdomain_redirect
to_uri = response.headers['Location'] || ""
current = request.headers['X-XHR-Referer] || ""
- if (!to_uri.empty? && !current.empty? && !is_sameorigin(current, to_uri))
+ unless to_uri.blank? || current.blank? || same_origin?(current, to_uri)
self.status = 403
end
end |
Thanks for your help. I just updated pullreqest. |
I just pulled it in. Thanks again for pointing out these security issues and helping us resolve them. |
It looks like the restriction of using
Applications serving user-uploaded html files and issuing |
There are potential XSS attack vectors with turbolinks,
Demo: http://mala-mala.sqale.jp/turbolinks_xss/
"restrict to same origin" policy is not enough in some cases.
Some pjax approach framework e.g. jQuery Mobile also contains this problem.
Currently, custom header + cross origin redirect works only with IE10.
However, this is right action based on the specification of CORS.
For the moment, there is no effective method to detecting cross origin redirection.
How to fix
The text was updated successfully, but these errors were encountered: