Mahara

Avoid relying on TinyMCE code stripping alone

  1. Series 17.04
  2. Bug #1744789
Bug #1744789 reported by Robert Lyon
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Robert Lyon
Mahara 18.04.0
16.10
Fix Released
High
Unassigned
Mahara 16.10.9
17.04
Fix Released
High
Unassigned
Mahara 17.04.7
17.10
Fix Released
High
Unassigned
Mahara 17.10.4
18.04
Fix Released
High
Robert Lyon
Mahara 18.04.0
18.10
Fix Released
High
Unassigned
Mahara 18.10.0

Bug Description

TinyMCE will strip bad strings from input, eg <script> tags but we must make sure we don't just rely on that alone. We should also clean up input on the server/php end as one can create their own packet of POST data containing bad content to hit the server with.

This can be seen in the Wall plugin where we can make a wallpost POST package have a bad 'text' value and have it save unaltered.

CVE References

Revision history for this message
Robert Lyon (robertl-9) wrote :

Need to check all the places where the tinymce is used for a form field and make sure it is being saved in a safe way on the php side

Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Discoverer credit: 陈瑞琦 (Chen Ruiqi)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8784
Committed: https://git.mahara.org/mahara/mahara/commit/8a8b21e4014137680da34d00af76c608c3f8b222
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.04_STABLE

commit 8a8b21e4014137680da34d00af76c608c3f8b222
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "17.10_STABLE" branch: https://reviews.mahara.org/8785

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "17.04_STABLE" branch: https://reviews.mahara.org/8786

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Patch for "16.10_STABLE" branch: https://reviews.mahara.org/8787

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8787
Committed: https://git.mahara.org/mahara/mahara/commit/b0bdbc78e23ae0b5905fa50c6faed5803fdba6f4
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit b0bdbc78e23ae0b5905fa50c6faed5803fdba6f4
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8785
Committed: https://git.mahara.org/mahara/mahara/commit/bc568169ba3fc7aae348fe8e4b190d1a3d691a74
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.10_STABLE

commit bc568169ba3fc7aae348fe8e4b190d1a3d691a74
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8786
Committed: https://git.mahara.org/mahara/mahara/commit/4037f9bf730cfb995b89db11fe93d83b06bf6fc8
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 4037f9bf730cfb995b89db11fe93d83b06bf6fc8
Author: Robert Lyon <email address hidden>
Date: Thu Jan 18 10:43:37 2018 +1300

Security Bug 1744789: Remove bad code from wallpost post

We currently escape post content before submission
But we also need to do cleaning on php side incase hacker posts directly

Also needing to clean up annotations with bad html in their
descriptions and resume composite fields with bad html in their
descriptions

behatnotneeded

Change-Id: I8c7def1acad7b6692a96b2ba065c23abcd69cfb5
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit cff112250a5710b7a897e0f392a429cd29779ecc)
(cherry picked from commit 8a8b21e4014137680da34d00af76c608c3f8b222)

Robert Lyon (robertl-9)
information type: Private Security → Public Security
Robert Lyon (robertl-9)
summary: - Avoid relying on TinyMCE code stipping alone
+ Avoid relying on TinyMCE code stripping alone
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.