From cb2086f652eb9e3d5850612d62e60874212574ee Mon Sep 17 00:00:00 2001
From: Holger Just
Date: Sat, 8 Oct 2011 17:53:05 +0200
Subject: [PATCH] [#647] Fix XSS in textile image syntax.

Image URLs are not properly escaped in the bundled RedCloth3 library. It thus allowed an XSS vector. The patch was adapted from r7570 from Redmine by Etiene Massip. See also http://www.redmine.org/issues/9245.
---
 lib/redcloth3.rb | 2 +-
 .../lib/redmine/wiki_formatting/textile_formatter_test.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb
index 8148ddee..de04f02f 100644
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@@ -939,7 +939,7 @@ class RedCloth3 < String
 stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
 htmlesc title
 atts = pba( atts )
- atts = " src=\"#{ url }\"#{ atts }"
+ atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
 atts << " title=\"#{ title }\"" if title
 atts << " alt=\"#{ title }\""
 # size = @getimagesize($url);
diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index a5ea0936..9ba76474 100644
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -194,6 +194,14 @@ EXPECTED
 assert_equal '
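Review bot: The `.dup` on the added `src=` line deserves a why-comment, because `htmlesc title` two context lines above discards its return value and so evidently escapes in place, and the copy is what keeps `url` unescaped for the code that reads it later; suggest `# htmlesc escapes in place; escape a copy so url itself stays raw for later use`. Escaping quotes, `<`, `>` and `&` closes the attribute break-out exercised by the new test, but nothing in the hunk restricts the URL scheme, so a `javascript:` or `data:` value still lands verbatim in `src` — if that is meant to be handled elsewhere, a comment pointing there would help the next reader. The `href` captured on the first context line is not escaped anywhere in this hunk; if it is interpolated into an attribute further down, outside the hunk, confirm it gets the same treatment, since the bug class is identical. The enclosing method starts and ends outside the hunk.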

[msg1][msg2]

', to_html('[msg1][msg2]')
 end
+ def test_textile_should_escape_image_urls
+ # this is onclick="alert('XSS');" in encoded form
+ raw = '!/images/comment.png"onclick=alert('XSS');"!'
+ expected = '

'
+
+ assert_equal expected.gsub(%r{\s+}, ''), to_html(raw).gsub(%r{\s+}, '')
+ end
+
 private
 def assert_html_output(to_test, expect_paragraph = true)
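Review bot: The `gsub(%r{\s+}, '')` applied to both sides of the assert_equal in test_textile_should_escape_image_urls also removes whitespace inside attribute values, so the check cannot tell `png"onclick=` apart from `png" onclick=`, and a regression that reopens the attribute boundary with a space would still compare equal. Asserting on the escaped `src` attribute directly, e.g. `assert to_html(raw).include?(expected_src)` with `expected_src` holding the literal escaped value, pins the property the test is named for; the full `expected` markup is not legible here, so I cannot check its exact contents. A second case with `<`, `>` and `&` in the URL would document that those characters are escaped as well, not only the quote. The enclosing test class continues outside the hunk.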