fix protocol checking in sanitization [CVE-2013-1857]

Conflicts: actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb actionpack/test/controller/html-scanner/sanitizer_test.rb

fix protocol checking in sanitization [CVE-2013-1857]
Conflicts: actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb actionpack/test/controller/html-scanner/sanitizer_test.rb
10f0e6fe · Aaron Patterson · f67851a6 · 10f0e6fe · 10f0e6fe
2 changed file
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -62,8 +62,8 @@ class WhiteListSanitizer < Sanitizer

    # A regular expression of the valid characters used to separate protocols like
    # the ':' in 'http://foo.com'
-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
-    
+    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
+
    # Specifies a Set of HTML attributes that can have URIs.
    self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))

@@ -166,8 +166,8 @@ def process_attributes_for(node, options)
    end

    def contains_bad_protocols?(attr_name, value)
-      uri_attributes.include?(attr_name) && 
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
+      uri_attributes.include?(attr_name) &&
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
    end
  end
 end
--- a/actionpack/test/controller/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb
@@ -169,6 +169,7 @@ def test_should_block_script_tag
   %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
   %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
   %(<IMG SRC=" &#14;  javascript:alert('XSS');">),
+   %(<IMG SRC="javascript&#x3a;alert('XSS');">),
   %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
    define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
      assert_sanitized img_hack, "<img>"
@@ -270,6 +271,19 @@ def test_should_not_mangle_urls_with_ampersand
     assert_sanitized %{<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>}
  end

+  def test_should_sanitize_neverending_attribute
+    assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
+  end
+
+  def test_x03a
+    assert_sanitized %(<a href="javascript&#x3a;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="javascript&#x003a;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="http&#x3a;//legit">), %(<a href="http://legit">)
+    assert_sanitized %(<a href="javascript&#x3A;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="javascript&#x003A;alert('XSS');">), "<a>"
+    assert_sanitized %(<a href="http&#x3A;//legit">), %(<a href="http://legit">)
+  end
+
 protected
  def assert_sanitized(input, expected = nil)
    @sanitizer ||= HTML::WhiteListSanitizer.new