
Re: Bug#308282: [phpbb2 #308282] upstream patch



On Mon, May 09, 2005 at 12:11:06PM +0200, Alexis Sukrieh wrote:
> Find attached a diff made against 2.0.15 and our last sid version.
> 
> | +	$text = preg_replace('#(script|about|applet|activex|chrome):#is', "\\1:", $text);
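Review bot: as displayed, the replacement `"\\1:"` in this added line is a no-op, since group 1 followed by a colon reproduces exactly what the pattern matched; given that the reply below discusses browsers decoding HTML entities, the colon in the real patch was most likely an entity (such as `&#058;`) that the list archive has rendered as a literal colon, so check the applied patch actually carries the entity. Two smaller points on the same line: the rewrite runs over the whole of `$text`, so any `about:`, `script:` and so on in ordinary post prose is modified too, not only scheme prefixes in URL positions; and the `s` modifier has no effect here because the pattern contains no `.`.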
>
> It looks like this patch can be applied to close the bug.

Ok, based on the patch, whatever is being fixed is definitely suspected
to be a cross-site scripting issue.

It looks like this is about preventing URLs like <img
src="javascript:foo"> from being output. Since browsers are supposed to
parse the html entities before interpreting the resulting URL, this
patch seems wrong to me; it might actually work, though, if the affected
browsers really do not parse such html entities in advance.

Also, only rewriting specific schemes would be dangerous, as who knows
when a certain browser will actually include yet another such scheme and
start to do funny things with it. A whitelist would also be tricky
though.

I tend more to think it's a browser problem if it allows site-specified
code to be run via <a href=> and <img src=> and such, that is, outside
of <script> context.

Opinions?

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
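As an added illustration of the two points made in this reply (not code from the thread or from phpBB, and written in Python rather than phpBB's PHP): the quoted deny-list rewrite is reproduced on the assumption that its replacement colon was the entity `&#058;` (the archive shows a plain colon), a browser's entity decoding is shown to undo it, and a scheme allowlist that normalises first is shown beside it. The allowlist contents are an assumption.

```python
import html
import re

# The quoted patch's deny-list transform. The entity &#058; in the replacement
# is an assumption: the archived mail shows a plain ':' there.
SCHEME_DENYLIST_RE = re.compile(r'(script|about|applet|activex|chrome):', re.I)


def denylist_filter(text: str) -> str:
    """phpBB-style fix: rewrite the colon after a listed scheme as an entity.
    Note that 'script' also matches the tail of 'javascript:' and 'vbscript:'."""
    return SCHEME_DENYLIST_RE.sub(r'\1&#058;', text)


def browser_view(attr_value: str) -> str:
    """An HTML parser decodes character references in attribute values before
    the resulting string is handed to the URL parser, so the entity is undone."""
    return html.unescape(attr_value)


# Allowlist alternative, the approach the reply calls tricky. The set is an
# assumption; a real forum would pick the schemes it wants to link to.
ALLOWED_SCHEMES = {'http', 'https', 'ftp', 'mailto'}
_SCHEME_RE = re.compile(r'^([a-z][a-z0-9+.-]*):', re.I)
_LEADING_TRAILING_JUNK = ''.join(chr(c) for c in range(0x21))  # C0 controls + space


def url_is_safe(url: str) -> bool:
    """Normalise the way a browser would, then require a known scheme.
    URLs without a scheme (relative links) are accepted."""
    u = html.unescape(url)              # decode entities first, as the browser does
    u = re.sub(r'[\t\r\n]', '', u)      # URL parsers drop embedded tab/CR/LF
    u = u.strip(_LEADING_TRAILING_JUNK)  # and leading/trailing controls and spaces
    m = _SCHEME_RE.match(u)
    if not m:
        return True
    return m.group(1).lower() in ALLOWED_SCHEMES
```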