allura-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From brond...@apache.org
Subject allura git commit: [#4644] remove all form/input tags from the list of allowed tags
Date Tue, 21 Jun 2016 14:31:49 GMT
Repository: allura
Updated Branches:
  refs/heads/db/4644 [created] 36d402a30


[#4644] remove all form/input tags from the list of allowed tags


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/36d402a3
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/36d402a3
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/36d402a3

Branch: refs/heads/db/4644
Commit: 36d402a3092b2e9999a02ced7f13d47980d607c8
Parents: d5e71e1
Author: Dave Brondsema <dave@brondsema.net>
Authored: Tue Jun 21 10:30:50 2016 -0400
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Tue Jun 21 10:30:50 2016 -0400

----------------------------------------------------------------------
 Allura/allura/lib/app_globals.py  |  2 +-
 Allura/allura/lib/utils.py        | 10 ++++++++++
 Allura/allura/tests/test_utils.py |  4 ++++
 3 files changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/36d402a3/Allura/allura/lib/app_globals.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 7e8e5db..33fa123 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -104,7 +104,7 @@ class ForgeMarkdown(markdown.Markdown):
                 field_name, artifact.__class__.__name__)
             return self.convert(source_text)
 
-        bugfix_rev = 2  # increment this if we need all caches to invalidated (e.g. xss in
markdown rendering fixed)
+        bugfix_rev = 3  # increment this if we need all caches to invalidated (e.g. xss in
markdown rendering fixed)
         md5 = None
         # If a cached version exists and it is valid, return it.
         if cache.md5 is not None:

http://git-wip-us.apache.org/repos/asf/allura/blob/36d402a3/Allura/allura/lib/utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 9afd29f..6d05764 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -549,6 +549,16 @@ def serve_file(fp, filename, content_type, last_modified=None,
 
 
 class ForgeHTMLSanitizer(html5lib.sanitizer.HTMLSanitizer):
+    # remove some elements from the sanitizer whitelist
+    # <form> and <input> could be used for a social engineering attack to construct
a form
+    # others are just unexpected and confusing, and have no need to be used in markdown
+    _form_elements = ('button', 'datalist', 'fieldset', 'form', 'input', 'label', 'legend',
'meter', 'optgroup',
+                      'option', 'output', 'progress', 'select', 'textarea')
+    _forge_acceptable_elements = [e for e in html5lib.sanitizer.HTMLSanitizer.acceptable_elements
+                                  if e not in (_form_elements)]
+    allowed_elements = _forge_acceptable_elements \
+                       + html5lib.sanitizer.HTMLSanitizer.mathml_elements \
+                       + html5lib.sanitizer.HTMLSanitizer.svg_elements
 
     valid_iframe_srcs = ('https://www.youtube.com/embed/', 'https://www.gittip.com/')
 

http://git-wip-us.apache.org/repos/asf/allura/blob/36d402a3/Allura/allura/tests/test_utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_utils.py b/Allura/allura/tests/test_utils.py
index 396acfb..fef8373 100644
--- a/Allura/allura/tests/test_utils.py
+++ b/Allura/allura/tests/test_utils.py
@@ -265,6 +265,10 @@ class TestHTMLSanitizer(unittest.TestCase):
         assert_equal(
             self.simple_tag_list(p), ['div', 'iframe', 'div'])
 
+    def test_html_sanitizer_form_elements(self):
+        p = utils.ForgeHTMLSanitizer('<p>test</p><form method="post" action="http://localhost/foo.php"><input
type=file><input type=text><textarea>asdf</textarea></form>')
+        assert_equal(self.simple_tag_list(p), ['p', 'p'])
+
 
 def test_ip_address():
     req = Mock()


Mime
View raw message