[#647] Fix XSS in textile image syntax.

Image URLs are not properly escaped in the bundled RedCloth3 library. It thus allowed an XSS vector. The patch was adapted from r7570 from Redmine by Etiene Massip. See also http://www.redmine.org/issues/9245.
2011-10-08 17:53:05 +02:00 · 2011-10-08 17:53:05 +02:00 · cb2086f652
parent 21a45b4e52
commit cb2086f652
2 changed files with 9 additions and 1 deletions
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@ -939,7 +939,7 @@ class RedCloth3 < String
            stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
            htmlesc title
            atts = pba( atts )
-            atts = " src=\"#{ url }\"#{ atts }"
+            atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
            atts << " title=\"#{ title }\"" if title
            atts << " alt=\"#{ title }\"" 
            # size = @getimagesize($url);
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@ -194,6 +194,14 @@ EXPECTED
    assert_equal '<p>[msg1][msg2]</p>', to_html('[msg1][msg2]')
  end

+  def test_textile_should_escape_image_urls
+    # this is onclick="alert('XSS');" in encoded form
+    raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
+    expected = '<p><img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" /></p>'
+
+    assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
+  end
+
  private

  def assert_html_output(to_test, expect_paragraph = true)