Bug 522802 (CVE-2009-2937) - CVE-2009-2937 planet: Insufficient escaping of input feeds
Summary: CVE-2009-2937 planet: Insufficient escaping of input feeds
Keywords:
Status: NEW
Alias: CVE-2009-2937
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-09-11 14:29 UTC by Tomas Hoger
Modified: 2014-01-21 23:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:




Links
System ID Priority Status Summary Last Updated
Debian BTS 546178 None None None Never
Debian BTS 546179 None None None Never

Description Tomas Hoger 2009-09-11 14:29:22 UTC
Quoting Debian bug report:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178

  The planet feed aggregator attempts to remove malicious content from
  user-submitted feeds.  It does a great job, but fails to sanitize
  this input:

    <img src="javascript:alert(1);" >

  At least Opera will execute this code.

Comment 1 Tomas Hoger 2009-09-11 14:30:14 UTC
Patch proposed in the Debian bug report:

--- planet-2.0.orig/planet/sanitize.py
+++ planet-2.0/planet/sanitize.py
@@ -70,6 +70,12 @@
         # utility method to be called by descendants
         attrs = [(k.lower(), v) for k, v in attrs]
         attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs]
+
+        for i in xrange (len (attrs)):
+            k,v = attrs[i]
+            if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ):
+                del attrs[i]
+
         return attrs

     def unknown_starttag(self, tag, attrs):
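Review bot: deleting from `attrs` inside the `for i in xrange(len(attrs))` loop is a logic bug: `xrange` is sized once, so after `del attrs[i]` the next attribute shifts into slot `i` and is never examined, and the loop's last index runs past the shortened list and raises IndexError unless the removed attribute happened to be the last one. The check itself is also a case-sensitive substring test for a single scheme, so mixed-case values such as `JavaScript:` pass through. Replace the loop with a filter that rebuilds the list, e.g.
    attrs = [(k, v) for k, v in attrs
             if not (k in ('src', 'href') and 'javascript:' in v.lower())]
and, better, only keep URI-valued attributes whose scheme is on an allow-list, as venus's ALLOWED_PROTOCOLS does; note too that `<>` is Python 2 only syntax.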

Comment 2 seth vidal 2009-09-11 14:55:17 UTC
people who leave js on deserve what they get.

I'll add the patch to our planet package build

Comment 3 seth vidal 2009-09-11 16:32:07 UTC
Quick question - this is just against planetplanet software.

planet.fedoraproject.org is running venus not planet. I read through venus to see where it sanitizes inputs; it specifically has:

    # Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and
    # stripping out all # attributes not in ALLOWED_ATTRIBUTES. Style
    # attributes are parsed, and a restricted set, # specified by
    # ALLOWED_CSS_PROPERTIES and ALLOWED_CSS_KEYWORDS, are allowed through.
    # attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified
    # in ALLOWED_PROTOCOLS are allowed.
    #
    #   sanitize_html('<script> do_nasty_stuff() </script>')
    #    => &lt;script> do_nasty_stuff() &lt;/script>
    #   sanitize_html('<a href="javascript: sucker();">Click here for $100</a>')
    #    => <a>Click here for $100</a>


So is this a bug against the planet pkg or filed against fedora infrastructure's planet instance?
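
The allow-list approach the venus comment describes, as an added example (not code from planet or venus; the attribute and scheme sets, and the function names, are assumptions chosen for illustration): URI-valued attributes keep their value only when it is relative or uses an allowed scheme, so the `javascript:` case from the Debian report is dropped without a scheme blacklist.

```python
"""Allow-list sanitization of URI-valued attributes in feed HTML.

Added example; not code from planet or venus. Attribute and scheme
sets below are assumed for illustration, not copied from either project.
"""
import html
import re

# Attributes whose value is a URI (assumed subset)
ATTR_VAL_IS_URI = {"src", "href", "cite", "action", "longdesc"}
# Only these schemes survive; everything else is dropped (allow-list)
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp", "irc"}
# Browsers ignore ASCII control characters and whitespace inside a scheme,
# so they are removed before the scheme is read
_CONTROL = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def uri_scheme(value):
    """Return the lowercased scheme of an attribute value, or None if relative."""
    v = html.unescape(value)       # "&#106;avascript:" -> "javascript:"
    v = _CONTROL.sub("", v)        # "java\tscript:"    -> "javascript:"
    m = _SCHEME.match(v)
    return m.group(1).lower() if m else None


def sanitize_attrs(attrs):
    """Filter (name, value) pairs from a start tag.

    Non-URI attributes are kept as-is. URI attributes are kept only when the
    value is relative (no scheme) or its scheme is in ALLOWED_PROTOCOLS.
    """
    kept = []
    for name, value in attrs:
        name = name.lower()
        if name in ATTR_VAL_IS_URI:
            scheme = uri_scheme(value)
            if scheme is not None and scheme not in ALLOWED_PROTOCOLS:
                continue               # drop the attribute, keep the element
        kept.append((name, value))
    return kept


if __name__ == "__main__":
    # Constructed input: the attribute list of <img src="javascript:alert(1);">
    print(sanitize_attrs([("src", "javascript:alert(1);")]))   # []
    print(sanitize_attrs([("href", "https://example.org/"), ("alt", "x")]))
```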

Comment 4 seth vidal 2009-09-11 16:39:28 UTC
I see where venus has the ability to pass it through the better filter but appears to not be doing that. I'll work on getting venus patched, too.

thanks

Comment 5 Tomas Hoger 2009-09-11 16:48:23 UTC
Debian has a bug for planet-venus too, if that is the venus used on planet.fp.o:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546179

Comment 6 seth vidal 2009-09-11 17:46:13 UTC
okay - I've applied the fix to the pkg for planet.fedoraproject.org and I've rebuilt all the planet pkgs in el5, rawhide, f10 and f11

I'll be pushing out the update info to bodhi for this security issue after lunch


thanks

Comment 7 Fedora Update System 2009-09-11 20:24:22 UTC
planet-2.0-10.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/planet-2.0-10.fc11

Comment 8 Fedora Update System 2009-09-11 20:26:02 UTC
planet-2.0-10.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/planet-2.0-10.fc10

Comment 9 Fedora Update System 2009-09-11 20:27:17 UTC
planet-2.0-11.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/planet-2.0-11.el5

Comment 12 Fedora Update System 2009-09-15 07:43:53 UTC
planet-2.0-10.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-09-15 07:48:21 UTC
planet-2.0-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 seth vidal 2009-09-25 16:54:28 UTC
*** Bug 525772 has been marked as a duplicate of this bug. ***

Comment 15 Fedora Update System 2009-09-29 22:01:57 UTC
planet-2.0-11.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

