Bug 522802 (CVE-2009-2937)
Summary: CVE-2009-2937 planet: Insufficient escaping of input feeds

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Tomas Hoger <thoger> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | eteo, jlieskov |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-10-19 09:03:23 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Tomas Hoger
2009-09-11 14:29:22 UTC
Patch proposed in the Debian bug report:

```diff
--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
 # utility method to be called by descendants
 attrs = [(k.lower(), v) for k, v in attrs]
 attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs]
+
+ for i in xrange (len (attrs)):
+ k,v = attrs[i]
+ if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ):
+ del attrs[i]
+
 return attrs

 def unknown_starttag(self, tag, attrs):
```

People who leave JS on deserve what they get. I'll add the patch to our planet package build.

Quick question - this is just against planetplanet software. planet.fedoraproject.org is running venus, not planet. I read through venus to see where it sanitizes inputs; it specifically has:

```python
# Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and
# stripping out all # attributes not in ALLOWED_ATTRIBUTES. Style
# attributes are parsed, and a restricted set, # specified by
# ALLOWED_CSS_PROPERTIES and ALLOWED_CSS_KEYWORDS, are allowed through.
# attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified
# in ALLOWED_PROTOCOLS are allowed.
#
#   sanitize_html('<script> do_nasty_stuff() </script>')
#    => &lt;script> do_nasty_stuff() &lt;/script>
#   sanitize_html('<a href="javascript: sucker();">Click here for $100</a>')
#    => <a>Click here for $100</a>
```

So is this a bug against the planet pkg or filed against fedora infrastructure's planet instance? I see where venus has the ability to pass it through the better filter but appears to not be doing that. I'll work on getting venus patched, too. Thanks.

Debian has a bug for planet-venus too, if that is the venus used on planet.fp.o: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546179

Okay - I've applied the fix to the pkg for planet.fedoraproject.org and I've rebuilt all the planet pkgs in el5, rawhide, f10 and f11. I'll be pushing out the update info to bodhi for this security issue after lunch. Thanks.

planet-2.0-10.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/planet-2.0-10.fc11

planet-2.0-10.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/planet-2.0-10.fc10

planet-2.0-11.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/planet-2.0-11.el5

planet-2.0-10.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

planet-2.0-10.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 525772 has been marked as a duplicate of this bug. ***

planet-2.0-11.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
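Review bot: the added loop in the sanitize.py hunk deletes from attrs while iterating over xrange(len(attrs)), so as soon as a matching src/href that is not the last attribute is removed the list is one element shorter than the index range and the next attrs[i] raises IndexError (for [("href", "javascript:x"), ("title", "t")] the second pass fails, and the filtering only completes when the dangerous attribute happens to be last); rebuild the list instead, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and v.find('javascript:') != -1)]`, which also avoids the element that in-place deletion skips. The check itself is a case-sensitive substring test, so `JavaScript:` passes through, vbscript: and data: values are not covered at all, and an http URL that merely carries the text javascript: in its query is dropped; the scheme allowlist over ATTR_VAL_IS_URI / ALLOWED_PROTOCOLS that the venus comment in this thread describes is the approach to copy here rather than extending a blocklist.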
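As an added example, not code from planet, venus or anyone in this thread: a small Python 3 sanitizer that does what the quoted venus comment describes for URI-valued attributes (an allowlist of schemes, here under the thread's names ATTR_VAL_IS_URI and ALLOWED_PROTOCOLS, with contents that are this example's own assumptions), placed beside a transcription of the proposed patch's loop so both can be run on the same inputs. It goes beyond the two docstring cases to the inputs a substring blocklist misses (case changes, embedded tabs, entity-encoded letters, data: URIs) and to its false positive on an http URL that merely contains the text javascript:. The element and attribute lists, the FeedSanitizer class and the helper names are all this example's, not venus's.

```python
# Added example, not planet's or venus's code.  ATTR_VAL_IS_URI and
# ALLOWED_PROTOCOLS are names from the venus comment; every list's
# contents, and all other names here, are this example's assumptions.
import html
import re
from html.parser import HTMLParser

ALLOWED_ELEMENTS = {"a", "b", "i", "em", "strong", "p", "img", "br",
                    "ul", "ol", "li", "blockquote", "code", "pre"}
ALLOWED_ATTRIBUTES = {"href", "src", "alt", "title", "cite"}
ATTR_VAL_IS_URI = {"href", "src", "cite"}        # attribute values that are URLs
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "mailto"}

# scheme = run of RFC 3986 scheme characters followed by ':' (case-insensitive)
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
# leading C0 controls and space, which URL parsers discard before reading the scheme
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def patch_style_filter(attrs):
    """Logic of the proposed planet patch, transcribed to Python 3
    (xrange -> range, <> -> !=) with its behaviour otherwise unchanged."""
    attrs = list(attrs)
    for i in range(len(attrs)):
        k, v = attrs[i]
        if (k == "src" or k == "href") and v.find("javascript:") != -1:
            del attrs[i]                 # shrinks the list under a fixed range
    return attrs


def patch_style_outcome(attrs):
    """Same, but report the IndexError the in-place deletion causes as a value."""
    try:
        return patch_style_filter(attrs)
    except IndexError:
        return "IndexError"


def uri_scheme(value):
    """Lower-cased scheme of an attribute value, or None for a relative URL.
    Tab/LF/CR are removed from the whole value and leading controls and spaces
    dropped, as browsers do, so a tab inside 'javascript' and ' JavaScript:'
    both resolve to 'javascript'."""
    cleaned = value.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = cleaned.lstrip(_C0_AND_SPACE)
    m = _SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None


def allowlist_filter(attrs):
    """Keep only allowed attribute names; for URI-valued ones keep relative
    URLs and allowed schemes only, so data:, vbscript: and unknown schemes
    are dropped without ever being enumerated."""
    kept = []
    for k, v in attrs:
        k = k.lower()
        if k not in ALLOWED_ATTRIBUTES:
            continue
        if k in ATTR_VAL_IS_URI:
            scheme = uri_scheme(v)
            if scheme is not None and scheme not in ALLOWED_PROTOCOLS:
                continue
        kept.append((k, v))
    return kept


class FeedSanitizer(HTMLParser):
    """Re-emits allowed elements with filtered attributes; any other tag is
    escaped to literal text, as the venus docstring shows for <script>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_ELEMENTS:
            self.out.append(html.escape(self.get_starttag_text()))
            return
        # html.parser has already decoded entities in attribute values, so
        # jav&#x61;script: arrives here as javascript: and is caught as well
        parts = [tag] + ['%s="%s"' % (k, html.escape(v, quote=True))
                         for k, v in allowlist_filter([(k, v or "") for k, v in attrs])]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # <img .../> is emitted as <img ...>

    def handle_endtag(self, tag):
        text = "</%s>" % tag
        self.out.append(text if tag in ALLOWED_ELEMENTS else html.escape(text))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # constructed inputs: the docstring's two cases, three blocklist bypasses
    # and the substring check's false positive
    for sample in ('<script> do_nasty_stuff() </script>',
                   '<a href="javascript: sucker();">Click here for $100</a>',
                   '<a href="JavaScript:alert(1)">case</a>',
                   '<a href="java\tscript:alert(1)">tab</a>',
                   '<img src="data:text/html,x" alt="pic">',
                   '<a href="http://example.com/?q=javascript:x">query</a>'):
        print(sanitize_html(sample))
    print(patch_style_outcome([("href", "javascript:alert(1)"), ("title", "t")]))
    print(patch_style_filter([("href", "JavaScript:alert(1)")]))
```

Run directly it prints the rewritten fragments, then shows the transcribed patch loop raising IndexError on a two-attribute tag and letting `JavaScript:` through untouched. The allowlist treats a value without a scheme as a relative URL and refuses every scheme it does not know, which is why new attack schemes never need to be added to it.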