Skip Menu |

This queue is for tickets about the Catalyst-Action-REST CPAN distribution.

Report information
The Basics
Id: 63537
Status: resolved
Priority: 0/
Queue: Catalyst-Action-REST
People
Owner: bobtfish [...] bobtfish.net
Requestors: gerv-cpan [...] gerv.net
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: 0.87
Fixed in: (no value)

History Show all quoted text
  Thu Dec 02 06:24:20 2010 http://www.gerv.net/ - Ticket created
Subject: YAML::HTML serializer does not HTML escape data
HTML data in values is not escaped when printing using the YAML::HTML serializer. If the data is untrusted, this leads to people being able to run HTML and script in the context of your domain, which has many bad consequences (e.g. cookie stealing). See: https://bugzilla.mozilla.org/show_bug.cgi?id=615789 and compare: https://api-dev.bugzilla.mozilla.org/test/latest/bug/9947 with https://landfill.bugzilla.org/bzapi_sandbox/show_bug.cgi?id=9947 Suggested solution: use a regexp to transform < and & to &lt; and &amp;. I think that makes it safe. Or I think HTML::Entities::encode($text); might do what you want. Gerv
  Thu Dec 02 06:29:13 2010 http://www.gerv.net/ - Correspondence added
Yes, I can confirm that HTML::Entities::encode($foo) does the trick. It's a one-line change in Catalyst::Action::Serialize::YAML::HTML. my $text = Dump($c->stash->{$stash_key}); -> my $text = HTML::Entities::encode(Dump($c->stash->{$stash_key})); Gerv
  Thu Dec 02 06:29:14 2010 The RT System itself - Status changed from 'new' to 'open'
  Wed Sep 28 08:09:57 2011 http://colinnewell.wordpress.com/ - Correspondence added
From: Colin
On Thu Dec 02 06:29:13 2010, http://www.gerv.net/ wrote: Show quoted text
> Yes, I can confirm that HTML::Entities::encode($foo) does the trick. > It's a one-line change in Catalyst::Action::Serialize::YAML::HTML. > > my $text = Dump($c->stash->{$stash_key}); > -> > my $text = HTML::Entities::encode(Dump($c->stash->{$stash_key})); > > Gerv
I've turned your comment into a patch (with test).
Subject: RT63537.patch
From 43e118aaa58ee8e27c07c5a77ac6e32f8f9004ab Mon Sep 17 00:00:00 2001 From: Colin Newell <colin@opusvl.com> Date: Wed, 28 Sep 2011 12:25:32 +0100 Subject: [PATCH] Added fix for RT 63537 --- Changes | 2 ++ Makefile.PL | 1 + README | 4 ++++ lib/Catalyst/Action/REST.pm | 4 ++++ lib/Catalyst/Action/Serialize/YAML/HTML.pm | 2 +- t/lib/Test/Serialize/Controller/REST.pm | 6 ++++++ t/yaml-html.t | 8 ++++++++ 7 files changed, 26 insertions(+), 1 deletions(-) diff --git a/Changes b/Changes index a23ab5f..5c4b05d 100644 --- a/Changes +++ b/Changes @@ -1,3 +1,5 @@ + Added fix for RT 63537 (from Gerv) and tests to check it. + Thu 04 Aug 2011 14:37:21 CEST - Release 0.91 For the deserialization action class, make the HTTP methods it operates on configurable on a per-action level (plu, rafl). diff --git a/Makefile.PL b/Makefile.PL index 8b0ce01..317c0be 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -14,6 +14,7 @@ requires 'namespace::autoclean'; requires('Catalyst::Runtime' => '5.80030'); requires('Params::Validate' => '0.76'); requires('YAML::Syck' => '0.67'); +requires('HTML::Parser' => undef); requires('Module::Pluggable::Object' => undef); requires('LWP::UserAgent' => '2.033'); requires('Data::Serializer' => '0.36'); diff --git a/README b/README index 7e94bd3..07de9d8 100644 --- a/README +++ b/README @@ -100,6 +100,10 @@ CONTRIBUTORS J. Shirley <jshirley@gmail.com> + Gerv http://www.gerv.net/ + + Colin Newell <colin@opusvl.com> + COPYRIGHT Copyright (c) 2006-2011 the above named AUTHOR and CONTRIBUTORS diff --git a/lib/Catalyst/Action/REST.pm b/lib/Catalyst/Action/REST.pm index 110c61d..2ae56f7 100644 --- a/lib/Catalyst/Action/REST.pm +++ b/lib/Catalyst/Action/REST.pm @@ -222,6 +222,10 @@ Arthur Axel "fREW" Schmidt E<lt>frioux@gmail.comE<gt> J. Shirley E<lt>jshirley@gmail.comE<gt> +Gerv http://www.gerv.net/ + +Colin Newell <colin@opusvl.com> + =head1 COPYRIGHT Copyright (c) 2006-2011 the above named AUTHOR and CONTRIBUTORS diff --git a/lib/Catalyst/Action/Serialize/YAML/HTML.pm b/lib/Catalyst/Action/Serialize/YAML/HTML.pm index 75d4dfa..6cb7751 100644 --- a/lib/Catalyst/Action/Serialize/YAML/HTML.pm +++ b/lib/Catalyst/Action/Serialize/YAML/HTML.pm @@ -23,7 +23,7 @@ sub execute { my $output = "<html>"; $output .= "<title>" . $app . "</title>"; $output .= "<body><pre>"; - my $text = Dump($c->stash->{$stash_key}); + my $text = HTML::Entities::encode(Dump($c->stash->{$stash_key})); # Straight from URI::Find my $finder = URI::Find->new( sub { diff --git a/t/lib/Test/Serialize/Controller/REST.pm b/t/lib/Test/Serialize/Controller/REST.pm index 5b7c4ec..768382e 100644 --- a/t/lib/Test/Serialize/Controller/REST.pm +++ b/t/lib/Test/Serialize/Controller/REST.pm @@ -49,4 +49,10 @@ sub monkey_get : Local : ActionClass('Serialize') { $c->stash->{'rest'} = { monkey => 'likes chicken!', }; } +sub xss_get : Local : ActionClass('Serialize') { + my ( $self, $c ) = @_; + $c->stash->{'rest'} = { monkey => 'likes chicken > sushi!', }; +} + + 1; diff --git a/t/yaml-html.t b/t/yaml-html.t index a77f085..bf9bf10 100644 --- a/t/yaml-html.t +++ b/t/yaml-html.t @@ -28,6 +28,14 @@ SKIP: { request( $t->post( url => '/monkey_put', data => Dump($post_data) ) ); ok( $mres_post->is_error, "POST to the monkey failed; no deserializer." ); + # xss test - RT 63537 + my $xss_template = +"<html><title>Test::Serialize</title><body><pre>--- \nmonkey: likes chicken &gt; sushi!\n</pre></body></html>"; + my $xres = request( $t->get( url => '/xss_get' ) ); + ok( $xres->is_success, 'GET the xss succeeded' ); + is( $xres->content, $xss_template, "GET returned the right data" ); + + } 1; -- 1.7.2.5
  Mon Jan 30 06:32:50 2012 bobtfish [...] bobtfish.net - Taken
  Mon Jan 30 06:33:42 2012 bobtfish [...] bobtfish.net - Correspondence added
Thanks, merged and released!
  Mon Jan 30 06:33:45 2012 bobtfish [...] bobtfish.net - Status changed from 'open' to 'resolved'