Avoid relying on TinyMCE code stripping alone

Bug #1744789 reported by Robert Lyon on 2018-01-22
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Status tracked in 18.10
16.10
High
Unassigned
17.04
High
Unassigned
17.10
High
Unassigned
18.04
High
Robert Lyon
18.10
High
Unassigned

Bug Description

TinyMCE will strip bad strings from input, eg <script> tags but we must make sure we don't just rely on that alone. We should also clean up input on the server/php end as one can create their own packet of POST data containing bad content to hit the server with.

This can be seen in the Wall plugin where we can make a wallpost POST package have a bad 'text' value and have it save unaltered.

CVE References

Robert Lyon (robertl-9) wrote :

Need to check all the places where the tinymce is used for a form field and make sure it is being saved in a safe way on the php side

Discoverer credit: 陈瑞琦 (Chen Ruiqi)

Reviewed: https://reviews.mahara.org/8784
Committed: https://git.mahara.org/mahara/mahara/commit/8a8b21e4014137680da34d00af76c608c3f8b222
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.04_STABLE

commit 8a8b21e4014137680da34d00af76c608c3f8b222
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)

Mahara Bot (dev-mahara) wrote :

Patch for "17.04_STABLE" branch: https://reviews.mahara.org/8786

Mahara Bot (dev-mahara) wrote :

Patch for "16.10_STABLE" branch: https://reviews.mahara.org/8787

Reviewed: https://reviews.mahara.org/8787
Committed: https://git.mahara.org/mahara/mahara/commit/b0bdbc78e23ae0b5905fa50c6faed5803fdba6f4
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit b0bdbc78e23ae0b5905fa50c6faed5803fdba6f4
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8785
Committed: https://git.mahara.org/mahara/mahara/commit/bc568169ba3fc7aae348fe8e4b190d1a3d691a74
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.10_STABLE

commit bc568169ba3fc7aae348fe8e4b190d1a3d691a74
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8786
Committed: https://git.mahara.org/mahara/mahara/commit/4037f9bf730cfb995b89db11fe93d83b06bf6fc8
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 4037f9bf730cfb995b89db11fe93d83b06bf6fc8
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

Robert Lyon (robertl-9) on 2018-04-05
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2018-04-05
summary: - Avoid relying on TinyMCE code stipping alone
+ Avoid relying on TinyMCE code stripping alone
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers