implemented html sanitisation
parent
5e1db8afa9
commit
d7aecf6ddc
@ -18,6 +18,40 @@ sub linkify ($$) { #{{{
return $content;
} #}}}
my $_scrubber;
sub scrubber { #{{{
return $_scrubber if defined $_scrubber;
eval q{use HTML::Scrubber};
# Lists based on http://feedparser.org/docs/html-sanitization.html
$_scrubber = HTML::Scrubber->new(
allow => [qw{
a abbr acronym address area b big blockquote br
button caption center cite code col colgroup dd del
dfn dir div dl dt em fieldset font form h1 h2 h3 h4
h5 h6 hr i img input ins kbd label legend li map
menu ol optgroup option p pre q s samp select small
span strike strong sub sup table tbody td textarea
tfoot th thead tr tt u ul var
}],
default => [undef, { map { $_ => 1 } qw{
abbr accept accept-charset accesskey action
align alt axis border cellpadding cellspacing
char charoff charset checked cite class
clear cols colspan color compact coords
datetime dir disabled enctype for frame
headers height href hreflang hspace id ismap
label lang longdesc maxlength media method
multiple name nohref noshade nowrap prompt
readonly rel rev rows rowspan rules scope
selected shape size span src start summary
tabindex target title type usemap valign
value vspace width
}}],
);
return $_scrubber;
} # }}}
sub htmlize ($$) { #{{{
my $type=shift;
my $content=shift;
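Review bot: `eval q{use HTML::Scrubber};` in scrubber() discards the load result, so a missing module only surfaces later as an unrelated "Can't locate object method new" failure at `HTML::Scrubber->new(`; check `$@` right after it, e.g. `error("HTML::Scrubber is required for --sanitize: $@") if $@;` (error is the helper htmlize already uses). The attribute map `default => [undef, { map { $_ => 1 } qw{...} }]` admits any value for `href`, `src`, `action` and `longdesc`, so whether script-scheme URLs in those attributes are dropped depends entirely on HTML::Scrubber's own handling rather than on anything stated here; HTML::Scrubber accepts a `qr//` as an attribute rule, so a scheme-restricting rule for those four keys would make the policy explicit in this file. A one-line header such as `# Lazily builds the shared HTML::Scrubber; tags not in allow and attributes not in default are dropped` above `sub scrubber` would help, because the feedparser URL alone does not say what the two lists mean. The hunk's trailing lines are the start of htmlize, whose body continues in the next hunk.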
@ -30,11 +64,17 @@ sub htmlize ($$) { #{{{
}
if ($type eq '.mdwn') {
return Markdown::Markdown($content);
$content=Markdown::Markdown($content);
}
else {
error("htmlization of $type not supported");
}
if ($config{sanitize}) {
$content=scrubber()->scrub($content);
}
return $content;
} #}}}
sub backlinks ($) { #{{{
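Review bot: In htmlize the `else` branch only calls `error("htmlization of $type not supported")` and then falls through to the new sanitize block and `return $content;`, so unless error() is fatal (not visible in this hunk) the unconverted input is handed back as if it were HTML; an explicit `return;` after the error call, or a comment stating that error() dies, would pin that down. Running the scrub after Markdown is the right order, since raw HTML embedded in the markdown source only becomes visible in the rendered output; a comment such as `# scrub the generated html rather than the markdown source so embedded raw html is covered` on the `if ($config{sanitize})` line would record that intent. htmlize's signature and argument unpacking sit in the previous hunk, outside this one.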
@ -1,13 +1,13 @@
Source: ikiwiki
Section: web
Priority: optional
Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl
Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl, libhtml-scrubber-perl
Maintainer: Joey Hess <joeyh@debian.org>
Standards-Version: 3.6.2
Package: ikiwiki
Architecture: all
Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libhtml-scrubber-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
Recommends: subversion, hyperestraier
Suggests: viewcvs
Description: a wiki compiler
@ -0,0 +1,30 @@
When run with the --sanitize switch, which is turned on by default (see
[[usage]], ikiwiki sanitizes the html on pages it renders to avoid XSS
attacks and the like.
ikiwiki excludes all html tags and attributes except for those that are
whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
Notably it strips `style`, `link`, and the `style` attribute.
ikiwiki uses the HTML::Scrubber perl module to perform its html
sanitisation, and this perl module also deals with various entity encoding
tricks.
While I beleive that this makes ikiwiki as resistant to malicious html
content as anything else on the web, I cannot guarantee that it will
actually protect every user of every browser from every browser security
hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
in ikiwiki's [[GPL]] license.
The web's security model is *fundamntally broken*; ikiwiki's HTML
sanitisation is only a patch on the underlying gaping hole that is your web
browser.
----
Some examples of embedded javascript that won't be let through.
<span style="background: url(javascript:window.location='http://example.org/')">test</span>
<span style="any: expression(window.location='http://example.org/')">test</span>
<span style="any: expression(window.location='http://example.org/')">test</span>
@ -50,4 +50,6 @@ use IkiWiki::Setup::Standard {
rss => 1,
# Use the Hyper Estraier search engine?
#hyperestraier => 1,
# Sanitize html?
sanitize => 1,
}
@ -0,0 +1,7 @@
ikiwiki's main outstanding security hole, lack of [[HtmlSanitization]] has
now been addressed. ikiwiki now sanitizes html by default.
If only trusted parties can edit your wiki's content, then you might want
to turn this sanitization back off to allow use of potentially dangerous
tags. To do so, pass --no-sanitize or set "sanitize => 0," in your
[[ikiwiki.setup]].
@ -8,21 +8,18 @@ to be kept in mind.
# Probable holes
## html attacks
## XSS holes in CGI output
ikiwiki does not attempt to do any santization of the html on the wiki.
[[MarkDown]] allows embedding of arbitrary html into a markdown document. If
you let anyone else edit files on the wiki, then anyone can have fun exploiting
the web browser bug of the day. This type of attack is typically referred
to as an XSS attack ([google](http://www.google.com/search?q=xss+attack)).
ikiwiki has not yet been audited to ensure that all cgi script output is
sanitised to prevent XSS attacks.
## image files etc attacks
If it enounters a file type it does not understand, ikiwiki just copies it
into place. So if you let users add any kind of file they like, they can
upload images, movies, windows executables, css files, etc. If these files
exploit security holes in the browser of someone who's viewing the wiki,
that can be a security problem.
upload images, movies, windows executables, css files, etc (though not html
files). If these files exploit security holes in the browser of someone
who's viewing the wiki, that can be a security problem.
Of course nobody else seems to worry about this in other wikis, so should we?
@ -193,3 +190,7 @@ would still be possible to use this attack to confuse ikiwiki into
rendering the wrong thing. This is not currently possible, but must be kept
in mind in the future when for example adding support for generating html
pages from source with some other extension.
## XSS attacks in page content
ikiwiki supports [[HtmlSanitistion]], though it can be turned off.
@ -9,7 +9,7 @@ optional support for commits from the web.
Ikiwiki requires [[MarkDown]] be installed, and also uses the following
perl modules: `CGI::Session` `CGI::FormBuilder` (version 3.02.02 or
newer) `HTML::Template` `Mail::SendMail` `Time::Duration` `Date::Parse`
(libtimedate-perl)
(libtimedate-perl), `HTML::Scrubber`
2. Create the subversion repository for your wiki.
@ -167,6 +167,11 @@ These options configure the wiki.
Currently allows locking of any page, other powers may be added later.
May be specified multiple times for multiple admins.
* --sanitize
Enable [[HtmlSanitization]] of wiki content. On by default, disable with
--no-sanitize.
* --hyperestraier
Enables use of the [[HyperEstraier]] search engine for full test page
2
ikiwiki
2
ikiwiki
@ -34,6 +34,7 @@ sub getconfig () { #{{{
diffurl => '',
anonok => 0,
rss => 0,
sanitize => 1,
rebuild => 0,
refresh => 0,
getctime => 0,
@ -66,6 +67,7 @@ sub getconfig () { #{{{
"rss!" => \$config{rss},
"cgi!" => \$config{cgi},
"notify!" => \$config{notify},
"sanitize!" => \$config{sanitize},
"url=s" => \$config{url},
"cgiurl=s" => \$config{cgiurl},
"historyurl=s" => \$config{historyurl},