Requesting more details on GHSA-fqx8-v33p-4qcc (CVE-2022-23638) #71
Comments
@ohader you're correct. The concern here was that any of the following tags will cause the HTML parser to break out of foreign content and back into HTML.

As per: https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inforeign

Specifically this line was causing me issues:

`<p/><![CDATA[ ><img src onerror=alert(1)> ]]>`

DOMDocument was picking the `img` tag up as a DOMComment node with the following content, which led me to remove comments and CDATA so that this got stripped:

`><img src onerror=alert(1)>`

I'm happy to consider adding CDATA back in, but we need to be sure that there's no easy bypass. Maybe we should consider extending the tests in this area.
A recent release of enshrined/svg-sanitize addressed an XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user-submitted images that contain markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, the recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73516
Tested-by: core-ci <[email protected]>
Tested-by: Oliver Hader <[email protected]>
Reviewed-by: Oliver Hader <[email protected]>

A recent release of enshrined/svg-sanitize addressed an XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user-submitted images that contain markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, the recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73628
Tested-by: core-ci <[email protected]>
Tested-by: Oliver Hader <[email protected]>
Reviewed-by: Oliver Hader <[email protected]>

A recent release of enshrined/svg-sanitize addressed an XSS vulnerability. The main purpose of having this library in TYPO3 is to protect against user-submitted images that contain markup - which is possible with SVG files. In most TYPO3 scenarios these files would be stored in https://example.org/fileadmin/evil.svg and can be fetched directly. However, the recent update for CVE-2022-23638 of the svg-sanitizer library seems to address the usage of inline SVG, used in an embedded HTML context, see darylldoyle/svg-sanitizer#71

Resolves: #96901
Releases: main, 11.5, 10.4
Change-Id: Iacbaf4b9c9725dee9c12df3646fc1131b7ed93ed
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/73627
Tested-by: core-ci <[email protected]>
Tested-by: Oliver Hader <[email protected]>
Reviewed-by: Oliver Hader <[email protected]>
It seems tag 0.15.0 addressed a security vulnerability, see corresponding advisory GHSA-fqx8-v33p-4qcc (CVE-2022-23638). Corresponding commit at 17e12ba contains a new test case `tests/data/htmlTest.svg`.

Invoked as `svg.svg` in browser, mime-type `image/svg+xml`
→ no problem since `<img>` is not an SVG element
→ not a vulnerability

Invoked as `svg.html` in browser, mime-type `text/html`
→ valid concern, since HTML is used in inline SVG
→ scripts are executed in browser
→ cross-site scripting vulnerability

Conclusion & Post-review

(`<img>`) seems to be fine, see https://developer.mozilla.org/en-US/docs/Web/SVG/Element
Removing `#cdata` and `#comment` nodes seems to be superfluous and leads to regressions like in "CDATA section is removed" #70

Request
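The parsing difference that the issue body (image/svg+xml vs. inline text/html) and the maintainer's reply (the foreign-content breakout) describe, as an added example that is not part of this thread or of the svg-sanitizer code base: a deliberately reduced Python model of the two WHATWG rules involved, run against the payload line quoted in the maintainer's comment, next to the same bytes parsed as XML. The model itself, its function names, the `<svg>` root the payload is wrapped in and the sample inputs are assumptions of this example, not the library's parser; in a browser the equivalent check is `new DOMParser().parseFromString(markup, "text/html")` versus `"image/svg+xml"`.

```python
"""Reduced model (added example, not the library's parser) of the two WHATWG
rules behind this issue, see
https://html.spec.whatwg.org/multipage/parsing.html#parsing-main-inforeign :
 - inside <svg> the HTML parser is in "foreign content"; a start tag from the
   breakout list pops back to HTML content and is inserted as an HTML element;
 - "<![CDATA[" is a CDATA section only in foreign content; in HTML content it
   is a bogus comment that ends at the first ">".
Only the behaviour this payload exercises is modelled."""
import re
import xml.etree.ElementTree as ET

# Breakout start tags per the spec (<font> with color/face/size also, omitted).
BREAKOUT_TAGS = {
    "b", "big", "blockquote", "body", "br", "center", "code", "dd", "div", "dl",
    "dt", "em", "embed", "h1", "h2", "h3", "h4", "h5", "h6", "head", "hr", "i",
    "img", "li", "listing", "menu", "meta", "nobr", "ol", "p", "pre", "ruby",
    "s", "small", "span", "strong", "strike", "sub", "sup", "table", "tt", "u",
    "ul", "var",
}
VOID_HTML = {"img", "br", "hr", "meta", "embed", "input"}   # never pushed
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*?)(/?)>")
ATTR_RE = re.compile(r"""([^\s=/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?""")


def parse_inline_html(markup):
    """Fragment inserted into <body>. Returns (elements, bogus_comments) where
    elements are (namespace, tag, attrs) in document order."""
    stack = ["html"]                     # namespace of each open element
    elements, comments = [], []
    i, n = 0, len(markup)
    while i < n:
        if markup.startswith("<![CDATA[", i):
            if stack[-1] != "html":      # foreign content: real CDATA section
                end = markup.find("]]>", i)
                i = n if end < 0 else end + 3
            else:                        # HTML content: bogus comment up to ">"
                end = markup.find(">", i)
                end = n if end < 0 else end
                comments.append(markup[i + 2:end])
                i = end + 1
            continue
        if markup.startswith("<!--", i):
            end = markup.find("-->", i + 4)
            i = n if end < 0 else end + 3
            continue
        m = TAG_RE.match(markup, i)
        if m is None:                    # character data: skip to next "<"
            nxt = markup.find("<", i + 1)
            i = n if nxt < 0 else nxt
            continue
        closing, name, raw_attrs, self_closing = m.groups()
        name, i = name.lower(), m.end()
        if closing:
            if len(stack) > 1:
                stack.pop()
            continue
        attrs = {k.lower(): (v1 or v2 or v3)
                 for k, v1, v2, v3 in ATTR_RE.findall(raw_attrs)}
        in_foreign = stack[-1] != "html"
        if in_foreign and name in BREAKOUT_TAGS:
            while stack[-1] != "html":   # pop until current node is HTML ...
                stack.pop()
            in_foreign = False           # ... then treat as an HTML start tag
        ns = stack[-1] if in_foreign else ("svg" if name == "svg" else "html")
        elements.append((ns, name, attrs))
        if ns == "html":
            if name not in VOID_HTML:    # "/" in <p/> is ignored for HTML tags
                stack.append(ns)
        elif not self_closing:
            stack.append(ns)
    return elements, comments


def html_event_handlers(markup):
    """HTML-namespace elements carrying an on* attribute: what a browser runs
    when this markup is rendered inline in a text/html document."""
    elements, _ = parse_inline_html(markup)
    return [(tag, attrs) for ns, tag, attrs in elements
            if ns == "html" and any(k.startswith("on") for k in attrs)]


def xml_view(svg_document):
    """Same bytes as XML (image/svg+xml): (element names, text content)."""
    root = ET.fromstring(svg_document)
    return [el.tag.split("}")[-1] for el in root.iter()], "".join(root.itertext())


def strip_cdata(markup):
    """What dropping CDATA sections (the 0.15.0 approach) leaves behind."""
    return re.sub(r"<!\[CDATA\[.*?\]\]>", "", markup, flags=re.S)


# Constructed sample: the line quoted in the maintainer's comment, wrapped in an
# <svg> root so the same bytes are also a well-formed standalone SVG document.
PAYLOAD = ('<svg xmlns="http://www.w3.org/2000/svg">'
           '<p/><![CDATA[ ><img src onerror=alert(1)> ]]></svg>')
NO_BREAKOUT = PAYLOAD.replace("<p/>", "")   # same, with the non-SVG <p/> removed

if __name__ == "__main__":
    print("as XML      :", xml_view(PAYLOAD))
    print("inline HTML :", html_event_handlers(PAYLOAD))
    print("no <p/>     :", html_event_handlers(NO_BREAKOUT))
    print("CDATA gone  :", html_event_handlers(strip_cdata(PAYLOAD)))
```

Run as XML, the `<img ...>` is inert text inside the CDATA section and the only elements are `svg` and `p`. Run through the inline-HTML model, `<p/>` pops the parser out of foreign content, `<![CDATA[ >` collapses to a bogus comment, and `<img src onerror=alert(1)>` becomes a real HTML element with an event handler. Either removing the non-SVG `<p/>` (no breakout, so the CDATA section stays a CDATA section) or dropping the CDATA section itself neutralises this particular payload; which of the two is the right fix is exactly the question the thread leaves open, and a test along these lines is one way to pin it down.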