Use SafeCURL in external RSS block

Bug #1397736 reported by Aaron Wells
Affects | Status | Importance | Assigned to | Milestone
Mahara | Won't Fix | High | Aaron Wells |
1.10 | Won't Fix | High | Aaron Wells |
15.04 | Won't Fix | High | Aaron Wells |
15.10 | Won't Fix | High | Unassigned |
16.04 | Won't Fix | High | Unassigned |
16.10 | Won't Fix | High | Unassigned |

Bug Description

For better security in the external RSS feed block, we should be using a library like SafeCURL to help guard against attacks: https://github.com/fin1te/safecurl

See also bug 1394820

Aaron Wells (u-aaronw) wrote :

Hugh tells me that he's found some bugs in SafeCurl and has submitted patches for those, so we may want to hold off on this one until those bugs are patched.

Aaron Wells (u-aaronw)
information type: Public → Public Security
tags: added: externalfeed
tags: added: no-behat-needed
Aaron Wells (u-aaronw)
no longer affects: mahara/1.8
Robert Lyon (robertl-9)
no longer affects: mahara/1.9
Aaron Wells (u-aaronw) wrote :

Hm, well, we haven't seen any updates from the SafeCurl project since Hugh posted those initial bug reports. On the other hand, it would still improve our security versus what we've currently got. It just has potentially a few unpatched holes.

So I think it's probably worth going ahead with this one, unless we can find a better equivalent library. If a better alternative arises in the future, it should be fairly simple to swap this one out with that one, since this one is designed as a "drop-in replacement" for the PHP curl_exec function.

Aaron Wells (u-aaronw) wrote :

Oh, I guess one thing we should check is whether SafeCURL will work with PHP7, since it was written before PHP7 was released...

Aaron Wells (u-aaronw) wrote :

Abandoning this one. SafeCURL doesn't work with IPv6, which means we'd either have to arbitrarily require only RSS feeds at IPv4-addressed sites, or allow all IPv6 addresses, in which case we're not adding any security.

So with that downside, it's not worth the extra risk and upkeep of adding it.

Aaron Wells (u-aaronw)
Changed in mahara:
status: In Progress → Won't Fix
status: Won't Fix → In Progress
status: In Progress → Won't Fix
Aaron Wells (u-aaronw) wrote :

I was re-reading my previous remark and I wondered, "Why don't we just disallow raw IP addresses as URLs?"

But to clarify, that's not the issue. Even if a user enters a non-IP URL, SafeCURL extracts the domain name from the URL, resolves it to an IP address, and does some checking against that IP address.

So, if a Mahara user entered an RSS feed for a URL, and that URL was at a domain name whose only DNS records were IPv6 (as an increasing number will be in the days to come), SafeCURL would not be able to perform any validation on it. So we'd either have to give an IPv6-based site a free pass (in which case we're not really gaining any security) or we'd have to reject all IPv6-based sites (which would be a horrible user experience, because a user doesn't generally know the IP address of the sites they visit).

Robert Lyon (robertl-9)
Changed in mahara:
milestone: 16.04.1 → none
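
The resolve-then-check step described in the last comment only adds protection if it classifies AAAA results as well as A results. The following is an added example, not Mahara or SafeCURL code, written in Python rather than PHP so it can use the standard `ipaddress` module; the function names, hostnames and DNS data are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_forbidden(addr: str) -> bool:
    """True if addr (IPv4 or IPv6 text) is not a public unicast address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or not ip.is_global

def system_resolver(host: str) -> list[str]:
    """Every A and AAAA result for host, via the OS resolver."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def vet_feed_url(url: str, resolver=system_resolver) -> list[str]:
    """Return the vetted addresses for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    # One bad record is enough to reject: the HTTP client may pick any of them.
    bad = [a for a in addrs if is_forbidden(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return addrs

# Constructed DNS data for illustration (hypothetical hostnames).
SAMPLE_DNS = {
    "v4-feed.example": ["93.184.216.34"],
    "v6only-feed.example": ["2606:4700:4700::1111"],
    "v6-internal.example": ["fd12:3456:789a::10"],
    "mixed.example": ["93.184.216.34", "::ffff:169.254.169.254"],
}

def sample_resolver(host: str) -> list[str]:
    return SAMPLE_DNS.get(host, [])
```

The returned list is what the fetch should then connect to, so the address that was checked is the address that is used.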