Quoting Debian bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178 The planet feed aggregator attempts to remove malicious content from user-submitted feeds. It does a great job, but fails to sanitize this input: <img src="javascript:alert(1);" > At least Opera will execute this code.
Patch proposed in the Debian bug report: --- planet-2.0.orig/planet/sanitize.py +++ planet-2.0/planet/sanitize.py @@ -70,6 +70,12 @@ # utility method to be called by descendants attrs = [(k.lower(), v) for k, v in attrs] attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs] + + for i in xrange (len (attrs)): + k,v = attrs[i] + if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ): + del attrs[i] + return attrs def unknown_starttag(self, tag, attrs):
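Review bot: deleting from `attrs` inside `for i in xrange(len(attrs))` is unsafe: once `del attrs[i]` has run, the list is shorter than the precomputed range, so a later index raises IndexError and the element that shifted into position i is never examined. Build a filtered list instead, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and v.find('javascript:') != -1)]`. Also, `v.find("javascript:")` is a case-sensitive substring test, so a value whose scheme differs only in case or carries leading whitespace is not caught; normalising the value (lowercase, strip) and testing the URI scheme, as venus's ALLOWED_PROTOCOLS allowlist does, is more robust. `<>` is Python 2-only syntax; `!=` works in both.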
People who leave js on deserve what they get. I'll add the patch to our planet package build.
Quick question - this is just against the planetplanet software. planet.fedoraproject.org is running venus, not planet. I read through venus to see where it sanitizes inputs; it specifically has:

# Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and
# stripping out all # attributes not in ALLOWED_ATTRIBUTES. Style
# attributes are parsed, and a restricted set, # specified by
# ALLOWED_CSS_PROPERTIES and ALLOWED_CSS_KEYWORDS, are allowed through.
# attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified
# in ALLOWED_PROTOCOLS are allowed.
#
#   sanitize_html('<script> do_nasty_stuff() </script>')
#    => &lt;script> do_nasty_stuff() &lt;/script>
#   sanitize_html('<a href="javascript: sucker();">Click here for $100</a>')
#    => <a>Click here for $100</a>

So is this a bug against the planet pkg or filed against fedora infrastructure's planet instance?
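An added example (not venus's or planet's own code) of the allowlist approach that comment describes: URI-valued attributes are kept only when their scheme is in an allowed set, after dropping the control characters browsers ignore when parsing a scheme. The ATTR_VAL_IS_URI and ALLOWED_PROTOCOLS sets here are constructed for the example, not copied from venus.

```python
import re

# Constructed allowlists modelled on the ATTR_VAL_IS_URI / ALLOWED_PROTOCOLS
# idea described in the venus comment above (assumed values, not venus's own).
ATTR_VAL_IS_URI = {'src', 'href', 'longdesc', 'cite', 'action'}
ALLOWED_PROTOCOLS = {'http', 'https', 'ftp', 'mailto'}

# ASCII controls and space that browsers discard before reading the scheme.
_CTRL_RE = re.compile(r'[\x00-\x20\x7f]')
# RFC 3986 scheme syntax: a letter followed by letters, digits, '+', '-', '.'
_SCHEME_RE = re.compile(r'^([a-zA-Z][a-zA-Z0-9+.\-]*):')


def uri_is_allowed(value):
    """Allow relative references and absolute URIs whose scheme is allowlisted."""
    cleaned = _CTRL_RE.sub('', value)      # ' javascript:' -> 'javascript:'
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True                        # no scheme: a relative reference
    return match.group(1).lower() in ALLOWED_PROTOCOLS


def sanitize_attrs(attrs):
    """Return a new attribute list, dropping URI attributes with disallowed schemes.

    Building a new list avoids the mutate-while-iterating problem of deleting
    entries from the list being looped over.
    """
    return [(k.lower(), v) for k, v in attrs
            if k.lower() not in ATTR_VAL_IS_URI or uri_is_allowed(v)]


if __name__ == '__main__':
    # Constructed sample: the attribute list of the <img> tag from the report.
    print(sanitize_attrs([('src', 'javascript:alert(1);'), ('alt', 'logo')]))
```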
I see where venus has the ability to pass it through the better filter but appears to not be doing that. I'll work on getting venus patched, too. Thanks.
Debian has a bug for planet-venus too, if that is the venus used on planet.fp.o: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546179
Okay - I've applied the fix to the pkg for planet.fedoraproject.org and I've rebuilt all the planet pkgs in el5, rawhide, f10 and f11. I'll be pushing out the update info to bodhi for this security issue after lunch. Thanks.
planet-2.0-10.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/planet-2.0-10.fc11
planet-2.0-10.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/planet-2.0-10.fc10
planet-2.0-11.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/planet-2.0-11.el5
planet-2.0-10.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
planet-2.0-10.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 525772 has been marked as a duplicate of this bug. ***
planet-2.0-11.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.