Page MenuHomePhabricator
Create Task
Maniphest T62771

SVG iframe XSS
Closed, ResolvedPublic
Actions

Description

Mario Gomes reported to mozilla an svg xss:

https://bugzilla.mozilla.org/show_bug.cgi?id=966734

This is triggered using an iframe with a srcdoc and xhtml namespace.

We can easily forbid svg files with iframes. I can't tell if it's an oversight that we allow those, or if we made the decision to allow them for some reason. I'll pull down some of the more recent svg uploads and see if embedded iframes are common.

Version: unspecified
Severity: normal

Details

Reference
bz60771

Related Objects

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 3:06 AM
bzimport added a project: MediaWiki-Uploading.
bzimport set Reference to bz60771.
csteipp created this task.Feb 3 2014, 5:43 PM
csteipp added a comment.Feb 3 2014, 5:47 PM

Adding some multimedia people in case they have input on allowing iframes in svg files. Any of you see a reason we shouldn't forbid them?

csteipp added a comment.Feb 3 2014, 5:48 PM

Created attachment 14453
PoC from Mario

Attached:

Mozilla-svg-xmns-xss.svg712 BDownload

brion added a comment.Feb 3 2014, 6:38 PM

There should be no legit reason to put an HTML iframe inside an SVG graphic, IMO... should be just fine to filter and forbid those...

Bawolff added a comment.Feb 3 2014, 8:50 PM

(In reply to comment #3)

There should be no legit reason to put an HTML iframe inside an SVG graphic,
IMO... should be just fine to filter and forbid those...

I agree.

csteipp added a comment.Feb 4 2014, 12:56 AM

Created attachment 14470
Whitelist namespaces

This limits the xml namespaces that can be used within svg files. I'm still downloading a new corpus of recent uploads, but so far, only about 5 legitimate images on commons use the http://www.w3.org/1999/xhtml namespace. Everything else that I've found are on the whitelist that I put into this patch.

In the event that iframes ever make it into one of the namespace that we do allow, I forbid them also.

attachment bug60771.patch ignored as obsolete

csteipp added a comment.Feb 4 2014, 10:18 PM

Created attachment 14489
Whitelist namespaces

Found one more namespace in testing. Tested it against 25k images off commons, and only images that try to use http://www.w3.org/1999/xhtml would be rejected at this point.

attachment bug60771.patch ignored as obsolete

csteipp added a comment.Feb 6 2014, 1:26 AM

Created attachment 14501
Whitelist namespaces

Tim pointed out that we will want users to know which namespace failed so we can add harmless ones.

attachment bug60771c.patch ignored as obsolete

csteipp added a comment.Feb 12 2014, 7:29 PM

Created attachment 14576
Whitelist namespaces

Update from Aaron's feedback:

  • Updated comments on splitXmlNamespace
  • Made list of namespaces static

Also made splitXmlNamespace private.

Attached:

bug60771d.patch6 KBDownload

aaron added a comment.Feb 12 2014, 7:36 PM

Looks OK to me.

Dzahn added a comment.Feb 12 2014, 8:47 PM

fwiw, reading this i'm glad that the switch from old to new planet software "broke" embedded iframes in RSS feeds that we aggregate from third parties and then display as our feed :)

csteipp added a comment.Feb 12 2014, 9:22 PM

Deployed to the cluster

21:00 logmsgbot: csteipp finished scap: bug 60771 (duration: 36m 58s)

csteipp added a comment.Feb 12 2014, 9:26 PM
  • Bug 61278 has been marked as a duplicate of this bug. ***
Bawolff added a comment.Feb 28 2014, 3:22 AM

For reference, commit id 7d923a6b53f7fbcb0cbc3a19797d741bf6f440eb

csteipp added a comment.Mar 3 2014, 7:05 PM

The whitelisting was assigned CVE-2014-2242. http://www.openwall.com/lists/oss-security/2014/03/01/2

Gilles added a project: Multimedia.Dec 4 2014, 9:35 AM
Gilles raised the priority of this task from High to Unbreak Now!.Dec 4 2014, 10:11 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.
Gilles lowered the priority of this task from Unbreak Now! to High.Dec 4 2014, 11:20 AM
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
mgebert mentioned this in T138783: SVG Upload should (optionally) allow the xhtml namespace.Jun 27 2016, 8:15 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Umherirrender mentioned this in T278044: This SVG file contains an illegal namespace "http://www.w3.org/2000/02/svg/testsuite/description/"..Mar 21 2021, 8:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL