Bug 522802 (CVE-2009-2937)

Summary: CVE-2009-2937 planet: Insufficient escaping of input feeds
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: eteo, jlieskov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:03:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Tomas Hoger 2009-09-11 14:29:22 UTC
Quoting Debian bug report:

  The planet feed aggregator attempts to remove malicious content from
  user-submitted feeds.  It does a great job, but fails to sanitize
  this input:

    <img src="javascript:alert(1);" >

  At least Opera will execute this code.

Comment 1 Tomas Hoger 2009-09-11 14:30:14 UTC
Patch proposed in the Debian bug report:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
         # utility method to be called by descendants
         attrs = [(k.lower(), v) for k, v in attrs]
         attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs]
+        for i in xrange (len (attrs)):
+            k,v = attrs[i]
+            if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ):
+                del attrs[i]
         return attrs

     def unknown_starttag(self, tag, attrs):

Comment 2 seth vidal 2009-09-11 14:55:17 UTC
people who leave js on deserve what they get.

I'll add the patch to our planet package build

Comment 3 seth vidal 2009-09-11 16:32:07 UTC
Quick question - this is just against planetplanet software.

planet.fedoraproject.org is running venus not planet. I read through venus to see where it sanitizes inputs it specifically has:

  # Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and
    # stripping out all # attributes not in ALLOWED_ATTRIBUTES. Style
    # attributes are parsed, and a restricted set, # specified by
    # attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified
    # in ALLOWED_PROTOCOLS are allowed.
    #   sanitize_html('<script> do_nasty_stuff() </script>')
    #    => &lt;script> do_nasty_stuff() &lt;/script>
    #   sanitize_html('<a href="javascript: sucker();">Click here for $100</a>')
    #    => <a>Click here for $100</a>

So is this a bug against the planet pkg or filed against fedora infrastructure's planet instance?

Comment 4 seth vidal 2009-09-11 16:39:28 UTC
I see where venus has the ability to pass it through the better filter but appears to not be doing that. I'll work on getting venus patched, too.


Comment 5 Tomas Hoger 2009-09-11 16:48:23 UTC
Debian has bug for planet-venus too, if that is the venus used on planet.fp.o:

Comment 6 seth vidal 2009-09-11 17:46:13 UTC
okay - I've applied the fix to the pkg for planet.fedoraproject.org and I've rebuilt all the planet pkgs in el5, rawhide, f10 and f11

I'll be pushing out the update info to bodhi for this security issue after lunch


Comment 7 Fedora Update System 2009-09-11 20:24:22 UTC
planet-2.0-10.fc11 has been submitted as an update for Fedora 11.

Comment 8 Fedora Update System 2009-09-11 20:26:02 UTC
planet-2.0-10.fc10 has been submitted as an update for Fedora 10.

Comment 9 Fedora Update System 2009-09-11 20:27:17 UTC
planet-2.0-11.el5 has been submitted as an update for Fedora EPEL 5.

Comment 12 Fedora Update System 2009-09-15 07:43:53 UTC
planet-2.0-10.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-09-15 07:48:21 UTC
planet-2.0-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 seth vidal 2009-09-25 16:54:28 UTC
*** Bug 525772 has been marked as a duplicate of this bug. ***

Comment 15 Fedora Update System 2009-09-29 22:01:57 UTC
planet-2.0-11.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.