0ct0pu5/wesnoth
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wam: Fix HTML injection attack on the add-ons.wesnoth.org web interface

Browse source 
This escapes all strings provided by add-ons server data to guarantee
they can't be used to get extraneous and potentially harmful HTML into
the generated web index.

However, and because I don't have time to look into the dense regex
contained in the relevant code right now, it also removes the hidden
feature of linkifying any URLs found in add-on descriptions. It's a
small price to pay for our safety, really.
This commit is contained in:
Ignacio R. Morelle 2017-07-24 02:46:39 -04:00
parent 2d5cb4c9ed
commit 56990b17d9
2 changed files with 16 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
changelog
View file

@ -1,4 +1,7 @@
Version 1.13.8+dev:
* Add-ons client:
* Fix HTML injection exploit in the wesnoth_addon_manager web index
generation functionality.
* Campaigns:
* Heir to the Throne:
* Fixed thieves in 'Siege of Elensefar' getting duplicated.

26
data/tools/addon_manager/html.py
View file

@ -1,7 +1,10 @@
# encoding: utf-8
import time, os, glob, sys, re
import cgi, time, os, glob, sys, re
from subprocess import Popen
def htmlescape(str):
return cgi.escape(str)
def output(path, url, data):
try: os.mkdir(path)
except OSError: pass
@ -72,7 +75,7 @@ Select the add-on you want to install from the list and click "OK". The download
translations = campaign.get_all(tag = "translation")
languages = [x.get_text_val("language") for x in translations]
w("<tr>")
icon = v("icon", "")
icon = htmlescape(v("icon", ""))
imgurl = ""
if icon:
icon = icon.strip()
@ -97,9 +100,9 @@ Select the add-on you want to install from the list and click "OK". The download
imgurl = "icons/missing-image.png"
images_to_tc.append( (src, path + "/" + imgurl) )
type = v("type", "none")
type = htmlescape(v("type", "none"))
size = float(v("size", "0"))
name = v("title", "unknown")
name = htmlescape(v("title", "unknown"))
if type == "scenario":
w("""\
<td>Scenario<div class="type"><b>single player scenario</b><br/>
@ -143,30 +146,27 @@ Unit packs, terrain packs, music packs, etc. Usually a (perhaps optional) depend
else: w(('<td>%s</td>') % type)
w(('<td><img alt="%s" src="%s" width="72px" height="72px"/>'
) % (icon, imgurl))
described = v("description", "(no description)")
if described != "(no description)":
described = re.sub(r'(?<![">])http://([\w/=%~-]|[.?&]\w)+', r'<a href="\g<0>">\g<0></a>', described)
described = re.sub(r'(?<![\w>"/])(forums?|r|R|wiki)\.wesnoth\.org([\w/=%~-]|[.?&]\w)*', r'<a href="http://\g<0>">\g<0></a>', described)
described = htmlescape(v("description", "(no description)"))
w('<div class="desc"><b>%s</b><pre>%s</pre></div></td>' % (
name, described))
w("<td><b>%s</b><br/>" % name)
w("Version: %s<br/>" % v("version", "unknown"))
w("Author: %s</td>" % v("author", "unknown"))
w("Version: %s<br/>" % htmlescape(v("version", "unknown")))
w("Author: %s</td>" % htmlescape(v("author", "unknown")))
MiB = 1024 * 1024
w("<td><span class=\"hidden\">%d</span><b>%.2f</b>MiB" % (size, size / MiB))
if url:
link = url.rstrip("/") + "/" + v("name") + ".tar.bz2"
link = url.rstrip("/") + "/" + htmlescape(v("name")) + ".tar.bz2"
w("<br/><a href=\"%s\">download</a></td>" % link)
else:
w("</td>")
downloads = int(v("downloads", "0"))
w("<td><b>%d</b> down<br/>" % (downloads))
w("%s up</td>" % v("uploads", "unknown"))
w("%s up</td>" % htmlescape(v("uploads", "unknown")))
timestamp = int(v("timestamp", "0"))
t = time.localtime(timestamp)
w("<td><span class=\"hidden\">%d</span>%s</td>" % (timestamp,
time.strftime("%b %d %Y", t)))
w("<td>%s</td>" % (", ".join(languages)))
w("<td>%s</td>" % (htmlescape(", ".join(languages))))
w("</tr>")
w("</tbody>")
w("</table>")