tags 388149 +patch
tags 388149 +pending
thanks
I've looked into the reported vulnerabilities further and produced the
following patch. The patch does three things.
- Firstly it disables the "Trust un-sanitized HTML" option altogether.
- Secondly, a useful side effect of the way the first item is implemented is
that the associated preference in prefs.js is rewritten to "don't trust
un-sanitized HTML". In my opinion this is a good thing: when proper
sanitization of the HTML is added in future (and presumably the sensible
default will remain not to display HTML at all), users who ran the
vulnerable versions and then this fix will not suddenly find themselves
viewing HTML in their feeds again, even though by then it should be
sanitized.
- Thirdly, a fix for the exploit in the HTML-removal path used when no HTML
is displayed at all. The fix is simple: after the text has been through
the "htmlformatconverter", any remaining < and > are converted back into
HTML entities.
With these three changes, sage with the proposed patch passes all the
tests linked below:
http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/feed.xml
http://izynews.com/en/safe_rss/check.xml
http://www.snellspace.com/public/everything.atom
http://www.snellspace.com/public/everything2.atom
http://www.snellspace.com/public/everything3.atom
http://www.snellspace.com/public/everything4.atom
http://www.snellspace.com/public/everything5.atom
Unless someone has a good reason not to, I intend to upload this at some
point tomorrow.
Alan
diff -urN
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/createhtml.js
./content/createhtml.js
---
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/createhtml.js
2006-09-19 18:46:57.000000000 +0100
+++ ./content/createhtml.js 2006-09-19 18:54:41.000000000 +0100
@@ -67,7 +67,12 @@
},
createHTMLSource: function(feed) {
- var allowEContent =
CommonFunc.getPrefValue(CommonFunc.ALLOW_ENCODED_CONTENT, "bool", true);
+// var allowEContent =
CommonFunc.getPrefValue(CommonFunc.ALLOW_ENCODED_CONTENT, "bool", true);
+// PARTIAL FIX FOR VULNERABILITIES:
+// CVE-2006-4711
+// CVE-2006-4712
+// [EMAIL PROTECTED] (19/09/06)
+ var allowEContent = false; //We _NEVER_ allow untrusted HTML to
become trusted!!
var twelveHourClock =
CommonFunc.getPrefValue(CommonFunc.TWELVE_HOUR_CLOCK, "bool", false);
var feedItemOrder =
CommonFunc.getPrefValue(CommonFunc.FEED_ITEM_ORDER, "str", "chrono");
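Review bot: Forcing the local `allowEContent` to false only protects this function; if any other code path still reads `CommonFunc.ALLOW_ENCODED_CONTENT` it would continue to honour a stored "true" value, so that preference name is worth grepping for across the extension before calling this a complete fix. The commented-out `getPrefValue` call directly above the new assignment should be deleted rather than left in place, since the `PARTIAL FIX` comment already records why the preference is ignored; a one-line `// ALLOW_ENCODED_CONTENT is deliberately ignored: encoded content is never sanitized (CVE-2006-4711, CVE-2006-4712)` is enough. createHTMLSource continues past the end of this hunk.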
diff -urN
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/sage.js
./content/sage.js
---
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/sage.js
2006-09-19 18:46:57.000000000 +0100
+++ ./content/sage.js 2006-09-19 18:58:37.000000000 +0100
@@ -430,6 +430,16 @@
rssItemToolTip.description = description;
}
+// PARTIAL FIX FOR VULNERABILITIES:
+// CVE-2006-4711
+// CVE-2006-4712
+// [EMAIL PROTECTED] (19/09/06)
+function sanitizeHtmlToText(aStr) {
+ aStr = aStr.replace(/>/g, ">");
+ aStr = aStr.replace(/</g, "<");
+ return aStr;
+}
+
function htmlToText(aStr) {
var formatConverter =
Components.classes["@mozilla.org/widget/htmlformatconverter;1"].createInstance(Components.interfaces.nsIFormatConverter);
var fromStr =
Components.classes["@mozilla.org/supports-string;1"].createInstance(Components.interfaces.nsISupportsString);
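Review bot: `sanitizeHtmlToText` escapes only `<` and `>`; if its result is later inserted as HTML (the cover note says the entities are restored so the text renders literally), `&` should be escaped first and quotes as well, so that text which already contains entity-like sequences and any attribute context are handled: `return aStr.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");`. As the patch is displayed here the replacement strings read as bare `>` and `<`, which would make the function a no-op; that is presumably the archive decoding `&gt;`/`&lt;`, but it should be confirmed against the committed file. The function also deserves a one-line comment stating that callers must treat its output as HTML-escaped plain text. htmlToText begins on the last lines of this hunk and continues in the next one.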
@@ -439,13 +449,13 @@
try {
formatConverter.convert("text/html", fromStr,
fromStr.toString().length, "text/unicode", toStr, {});
} catch(e) {
- return aStr;
+ return sanitizeHtmlToText(aStr);
}
if(toStr.value) {
toStr =
toStr.value.QueryInterface(Components.interfaces.nsISupportsString);
- return toStr.toString();
+ return sanitizeHtmlToText(toStr.toString());
}
- return aStr;
+ return sanitizeHtmlToText(aStr);
}
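Review bot: The `catch(e)` block still discards the converter failure, and that path now decides what the user sees (the raw feed markup, escaped); it should at least be reported so a silently failing converter is noticed, e.g. `} catch(e) { Components.utils.reportError(e); return sanitizeHtmlToText(aStr); }`. The same fallback is used when `toStr.value` is not set, so a comment such as `// Fallback: converter produced nothing; show the source markup escaped rather than render it` would make the intent clear. htmlToText starts in the previous hunk; this hunk contains its closing brace.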
diff -urN
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/settings/settings.js
./content/settings/settings.js
---
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/settings/settings.js
2006-09-19 18:46:57.000000000 +0100
+++ ./content/settings/settings.js 2006-09-19 19:01:59.000000000 +0100
@@ -33,8 +33,8 @@
txtUserCssPath = document.getElementById("txtUserCssPath");
txtUserCssPath.value =
CommonFunc.getPrefValue(CommonFunc.USER_CSS_PATH, "wstr", "");
- chkAllowEContent = document.getElementById("chkAllowEContent");
- chkAllowEContent.checked =
CommonFunc.getPrefValue(CommonFunc.ALLOW_ENCODED_CONTENT, "bool", true);
+ chkAllowEContent = document.getElementById("chkAllowEContent");
+// chkAllowEContent.checked =
CommonFunc.getPrefValue(CommonFunc.ALLOW_ENCODED_CONTENT, "bool", true);
chkAutoFeedTitle = document.getElementById("chkAutoFeedTitle");
chkAutoFeedTitle.checked =
CommonFunc.getPrefValue(CommonFunc.AUTO_FEED_TITLE, "bool", true);
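Review bot: The commented-out `chkAllowEContent.checked = ...` line is dead code and should be deleted, with a comment explaining why the preference is no longer read, e.g. `// ALLOW_ENCODED_CONTENT is not read: the control is fixed unchecked/disabled in settings.xul (CVE-2006-4711, CVE-2006-4712)`. The removed and re-added `getElementById` lines look identical, so that pair is presumably a whitespace-only change. If the element lookup is kept only so that the save path writes the checkbox's unchecked state back to the preference, as the cover note suggests, that should be stated in the comment, because otherwise the assignment looks unused. The enclosing function starts outside this hunk.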
diff -urN
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/settings/settings.xul
./content/settings/settings.xul
---
/home/woodalan/work/debian/firefox-sage_1.3.6/temp/chrome/sage.old/content/settings/settings.xul
2006-09-19 18:46:57.000000000 +0100
+++ ./content/settings/settings.xul 2006-09-19 18:59:28.000000000 +0100
@@ -66,7 +66,7 @@
<groupbox>
<caption label="&openInContentsArea.caption;"/>
<checkbox id="chkRenderFeeds" label="&settings.renderFeeds.label;"/>
- <checkbox id="chkAllowEContent" label="&allowEContent.label;"/>
+ <checkbox id="chkAllowEContent" label="&allowEContent.label;"
checked="false" disabled="true" />
<vbox flex="1">
<checkbox id="chkUserCssEnable" label="&enableUserCss.label;"
oncommand="setDisabled()"/>
<hbox align="center">
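Review bot: A checkbox that is permanently unchecked and disabled gives the user no hint why the option stopped working; either remove the row from the dialog or give it a localized tooltip, e.g. `tooltiptext="&allowEContent.disabled.tooltip;"` with a matching DTD entry saying that encoded HTML content is not displayed because it is not sanitized. If the control is kept specifically so that the settings dialog writes "false" back to the preference on save, an XML comment above the element stating that would stop a later maintainer from simply deleting it.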