filter ascii control chars for backspace

[sqlalchemy-bot]

Migrated issue, originally created by jvanasco (@jvanasco)

I've opened a ticket/PR with Markupsafe for this, but wanted to alert Mako on this too as addressing this behavior may be warranted on other filters.

Most Python libraries for form validation or text sanitizing will let ASCII control characters through. If they make it to Mako, they are rendered in the template as-is, and wind up in web browsers as non-printing characters.

That allows a malicious actor to carefully construct a payload such as this:

import y\bose\bm\bi\bt\be\b 

which looks like this on an HTML page:

import yosemite

However all the backspace control characters are in there and will copy/paste into a Python/ruby/etc terminal, where they are interpreted in realtime and become...

import os

If Mako is used as the engine on a coding website or bug reporting system, this introduces a way of tricking users into executing seemingly safe code that is actually malicious.

[sqlalchemy-bot]

Michael Bayer (@zzzeek) wrote:

did you confirm this for mako ?

[sqlalchemy-bot]

jvanasco (@jvanasco) wrote:

Yeah. Only the url-encoding filter will escape it, turning \x08 into %08.

here's an illustration:

PRINT_RAW = True
from mako.template import Template
bad_string = 'a\bc'
filters = (None,
           'u',
           'h',
           'x',
           'trim',
           'entity',
           'unicode',
           'decode.utf8',
           'n',
           )
for filter in filters:
    template_string = """%s ${bad_string%s}""" % (filter, '|%s' % filter if filter else '')
    rendered = Template(template_string).render(bad_string=bad_string)
    print "%s escapes \\b: %s" % (filter, False if '\b' in rendered else True)
    if PRINT_RAW:
        print rendered.__repr__()
        print "--"

note that I'm using __repr__() -- the print function will invoke the backspace control on the regular string in a console, and you'd just see c instead of a\x08c.

[sqlalchemy-bot]

Michael Bayer (@zzzeek) wrote:

i've got no resources to put thought into Mako these days, I've long wanted it to have anew maintainer. What is markupsafe doing?

[sqlalchemy-bot]

jvanasco (@jvanasco) wrote:

markupsafe has a Ticket+PR-candidate pending (no comment on either yet). if they address it, Mako should be fine via the default html escaping.

A small amount of Python (and other language) projects filter this out on form submission or rendering. I was surprised at how many websites allow this though.

I don't see a need this to be actively addressed in a filter. Perhaps a doc? It really only effects people who use mako in a bug tracker or coding site.

[bourke]

Noting that the MarkupSafe ticket has been closed without a resolution: pallets/markupsafe#71