Reproducer for CVE-2020-26298? #700
Comments
@utkarsh2102 I do, contact me at my Matrix address:
Thanks, Johan. You should have an email from my end. Please let me know if you did not receive any.
Got it and replied.
Hi again @robin850 and @johan-smits, I hit an obstacle. I am trying to backport this patch to Debian Jessie (ELTS) where the version of
..which is obvious, because it was added in later versions (right?). Do you have any alternative in mind? Maybe if the code in the patch sanctioned is good (just the
@utkarsh2102 I personally was not involved in the patch and only in reporting the issue. So you have to wait for @robin850 or someone else.
Aah, sure! @robin850, whenever you have time, could you please take a look at it?
Hello,
Upon taking a more thorough look, it seems like the code in So I am inclined towards just backporting the main code and not the tests. Alternatively, is there a way to rewrite the tests in such a way that doesn't use the
Oh wait, I was badly mistaken. The way to call the Thanks in advance! :)
I tried the following diff:
but it failed with:
Probably I am running in circles, heh. Best to wait for @robin850 here! :)
Aaaaaaaaaaaaaaah! I made some progress:
With this, the tests pass. But, it looks like
Okay, sorry for the spam. But lastly, I guess So just the first element of the hash seems to be working, sigh.
Hello there, sorry for the late reply!
Yes, it looks like it has been added in version 3.3.0. The problem raised in your last message is due to the fact that

```ruby
enabled = Redcarpet::Markdown.new(
  Redcarpet::Render::HTML.new(escape_html: true), quote: true)
disabled = Redcarpet::Markdown.new(Redcarpet::Render::HTML, quote: true)
text = 'We are not "<svg/onload=pwned>"'
output_enabled = enabled.render(text)
output_disabled = disabled.render(text)
# With escape_html enabled, the markup inside the quote is escaped
assert_equal "<p>We are not <q>&lt;svg/onload=pwned&gt;</q></p>", output_enabled
# Without escape_html, the markup inside the quote passes through unchanged
assert_equal "<p>We are not <q><svg/onload=pwned></q></p>", output_disabled
```

(Actually, maybe this test would be in a better place in the renderer's test file 🤷♂️ ) I wasn't aware that such old versions of Redcarpet could still be in the wild. Feel free to ask if you still have troubles; I will try to answer a bit more quickly.
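A version-independent form of the check in the comment above, added here as an example; it is not part of the thread or of Redcarpet's test suite. `classify_quote_output`, `audit_renderer`, `backport_ok?` and the two model renderers are hypothetical names, and the models are constructed stand-ins that assume the unpatched renderer emits quoted text unescaped.

```ruby
# Added example; the names below are hypothetical, not Redcarpet API.
PROBE = 'We are not "<svg/onload=pwned>"' # input from the test quoted in the thread
ENTITIES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

def html_escape(str)
  str.gsub(/[&<>]/, ENTITIES)
end

# Inspect what the renderer put inside <q>...</q>.
# :no_quote_tag means the quote extension never fired, so nothing was tested.
def classify_quote_output(html)
  inner = html[%r{<q>(.*?)</q>}m, 1]
  return :no_quote_tag if inner.nil?
  inner.match?(%r{<[a-z/!]}i) ? :raw : :escaped
end

# renderer is any callable taking (text, escape_html) and returning HTML.
def audit_renderer(renderer)
  { escape_on:  classify_quote_output(renderer.call(PROBE, true)),
    escape_off: classify_quote_output(renderer.call(PROBE, false)) }
end

# A backport is good when escape_html: true yields escaped quote content.
def backport_ok?(renderer)
  audit_renderer(renderer)[:escape_on] == :escaped
end

# Adapter for the installed gem, built the same way as in the comment above.
def redcarpet_renderer
  require 'redcarpet'
  lambda do |text, escape|
    html = Redcarpet::Render::HTML.new(escape_html: escape)
    Redcarpet::Markdown.new(html, quote: true).render(text)
  end
rescue LoadError
  nil # gem not installed; the caller falls back to the models
end

# Constructed models (assumption): unpatched ignores escape_html inside quotes.
UNPATCHED_MODEL = lambda do |text, _escape|
  "<p>#{text.gsub(/"(.*?)"/) { "<q>#{$1}</q>" }}</p>\n"
end
PATCHED_MODEL = lambda do |text, escape|
  "<p>#{text.gsub(/"(.*?)"/) { "<q>#{escape ? html_escape($1) : $1}</q>" }}</p>\n"
end

if __FILE__ == $PROGRAM_NAME
  targets = { 'unpatched model' => UNPATCHED_MODEL, 'patched model' => PATCHED_MODEL }
  real = redcarpet_renderer
  targets['installed redcarpet'] = real if real
  targets.each { |name, r| puts "#{name}: #{audit_renderer(r).inspect}" }
end
```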
Hi @robin850 o/
Wow, aren't you just amazing? 😭
Oh yeah, actually I help maintain But thank you so much for your help! ❤️
Hello @robin850,
I am taking a look at CVE-2020-26298, which is fixed by a699c82. But I am not sure how to reproduce the issue or anything.
Do you happen to have the POC as well?
CC: @johan-smits :)