Use SafeCURL in external RSS block

Bug #1397736 reported by Aaron Wells on 2014-11-30
Affects | Status | Importance | Assigned to | Milestone
Mahara | | High | Aaron Wells |
1.10 | | High | Aaron Wells |
15.04 | | High | Aaron Wells |
15.10 | | High | Unassigned |
16.04 | | High | Unassigned |
16.10 | | High | Unassigned |

Bug Description

For better security in the external RSS feed block, we should be using a library like SafeCURL to help guard against attacks: https://github.com/fin1te/safecurl

See also bug 1394820

Aaron Wells (u-aaronw) wrote :

Hugh tells me that he's found some bugs in SafeCurl and has submitted patches for those, so we may want to hold off on this one until those bugs are patched.

Aaron Wells (u-aaronw) on 2015-01-12
information type: Public → Public Security
tags: added: externalfeed
tags: added: no-behat-needed
Aaron Wells (u-aaronw) on 2015-10-27
no longer affects: mahara/1.8
Robert Lyon (robertl-9) on 2015-11-18
no longer affects: mahara/1.9
Aaron Wells (u-aaronw) wrote :

Hm, well, we haven't seen any updates from the SafeCurl project since Hugh posted those initial bug reports. On the other hand, it would still improve our security versus what we've currently got. It just has potentially a few unpatched holes.

So I think it's probably worth going ahead with this one, unless we can find a better equivalent library. If a better alternative arises in the future, it should be fairly simple to swap this one out with that one, since this one is designed as a "drop-in replacement" for the PHP curl_exec function.

Aaron Wells (u-aaronw) wrote :

Oh, I guess one thing we should check is whether SafeCURL will work with PHP7, since it was written before PHP7 was released...

Aaron Wells (u-aaronw) wrote :

Abandoning this one. SafeCURL doesn't work with IPv6, which means we'd either have to arbitrarily require only RSS feeds at IPv4-addressed sites, or allow all IPv6 addresses, in which case we're not adding any security.

So with that downside, it's not worth the extra risk and upkeep of adding it.

Aaron Wells (u-aaronw) on 2016-07-05
Changed in mahara:
status: In Progress → Won't Fix
status: Won't Fix → In Progress
status: In Progress → Won't Fix
Aaron Wells (u-aaronw) wrote :

I was re-reading my previous remark and I wondered, "Why don't we just disallow raw IP addresses as URLs?"

But to clarify, that's not the issue. Even if a user enters a non-IP URL, SafeCURL extracts the domain name from the URL, resolves it to an IP address, and does some checking against that IP address.

So, if a Mahara user entered an RSS feed for a URL, and that URL was at a domain name whose only DNS records were IPv6 (as an increasing number will be in the days to come), SafeCURL would not be able to perform any validation on it. So we'd either have to give an IPv6-based site a free pass (in which case we're not really gaining any security) or we'd have to reject all IPv6-based sites (which would be a horrible user experience, because a user doesn't generally know the IP address of the sites they visit).
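The resolve-then-check step described in the comment above, extended to AAAA records so that an IPv6-only feed host is validated rather than waved through or rejected outright. This is an added example in Python, not code from SafeCURL or Mahara; the host names, the `CONSTRUCTED_DNS` answers and all function names are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample DNS answers (hypothetical hosts), so the example runs offline.
CONSTRUCTED_DNS = {
    "v4only.example": ["93.184.216.34"],
    "v6only.example": ["2606:4700:4700::1111"],      # AAAA records only, public
    "v6internal.example": ["fd12:3456:789a::10"],    # AAAA records only, ULA
    "mixed.example": ["93.184.216.34", "::1"],       # public A plus loopback AAAA
}

def sample_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])

def system_resolver(host):
    """Every A and AAAA address the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public(addr):
    """True only for globally routable unicast addresses, IPv4 or IPv6."""
    ip = ipaddress.ip_address(addr.split("%")[0])    # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped:           # ::ffff:10.0.0.1 -> 10.0.0.1
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_feed_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied feed URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Fail closed: a single non-public record rejects the whole URL.
    blocked = [a for a in addrs if not is_public(a)]
    if blocked:
        return False, "resolves to non-public address " + blocked[0]
    return True, "ok"

if __name__ == "__main__":
    for host in CONSTRUCTED_DNS:
        print(host, check_feed_url("http://" + host + "/feed.rss", sample_resolver))
```

A fetcher built on this must also connect to one of the addresses that was checked, and repeat the check on every redirect, because a second lookup by the HTTP client can return a different answer.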

Robert Lyon (robertl-9) on 2016-07-10
Changed in mahara:
milestone: 16.04.1 → none