| Patch taken from Debian (via upstream pull request that is still pending) |
| |
| http://sources.debian.net/src/ruby-redcloth/4.2.9-4/debian/patches/0001-Filter-out-javascript-links-when-using-filter_html-o.patch/ |
| https://github.com/jgarber/redcloth/pull/20/commits |
| |
| From b3d82f0c3a354a2f589e1fd43f5f1d7e427b530e Mon Sep 17 00:00:00 2001 |
| From: Antonio Terceiro <terceiro@debian.org> |
| Date: Sat, 7 Feb 2015 23:27:39 -0200 |
| Subject: [PATCH] Filter out 'javascript:' links when using filter_html or |
| sanitize_html |
| |
| This is a fix for CVE-2012-6684 |
| --- |
| lib/redcloth/formatters/html.rb | 6 +++++- |
| spec/security/CVE-2012-6684_spec.rb | 14 ++++++++++++++ |
| 2 files changed, 19 insertions(+), 1 deletion(-) |
| create mode 100644 spec/security/CVE-2012-6684_spec.rb |
| |
| diff --git a/lib/redcloth/formatters/html.rb b/lib/redcloth/formatters/html.rb |
| index bfadfb7..b8793b2 100644 |
| --- a/lib/redcloth/formatters/html.rb |
| +++ b/lib/redcloth/formatters/html.rb |
| @@ -111,7 +111,11 @@ module RedCloth::Formatters::HTML |
| end |
| |
| def link(opts) |
| - "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" |
| + if (filter_html || sanitize_html) && opts[:href] =~ /^\s*javascript:/ |
| + opts[:name] |
| + else |
| + "<a href=\"#{escape_attribute opts[:href]}\"#{pba(opts)}>#{opts[:name]}</a>" |
| + end |
| end |
| |
| def image(opts) |
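Review bot: The new guard on the `if` line is case-sensitive, so an href such as `JavaScript:alert(1)` or `JAVASCRIPT:alert(1)` passes the check and is still emitted as a link, while browsers treat the URL scheme case-insensitively; add the `i` flag, e.g. `if (filter_html || sanitize_html) && opts[:href].to_s =~ /\A\s*javascript:/i`. The `^` anchor errs on the safe side here (a newline before `javascript:` still drops the link), but `\A` states the intent more plainly. Whether a tab or newline embedded inside the scheme (which browsers strip before parsing) can reach this point depends on Textile's link parsing, which is not visible here, so a normalizing step such as `opts[:href].to_s.gsub(/[\x00-\x20]/, '')` before the match may be worth considering. `vbscript:` and `data:` hrefs are not handled by this check either, and `image`'s `src`, whose body starts after the hunk, is not covered by it.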
| diff --git a/spec/security/CVE-2012-6684_spec.rb b/spec/security/CVE-2012-6684_spec.rb |
| new file mode 100644 |
| index 0000000..05219fd |
| --- /dev/null |
| +++ b/spec/security/CVE-2012-6684_spec.rb |
| @@ -0,0 +1,14 @@ |
| +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684 |
| + |
| +require 'redcloth' |
| + |
| +describe 'CVE-2012-6684' do |
| + |
| + it 'should not let javascript links pass through' do |
| + # PoC from http://co3k.org/blog/redcloth-unfixed-xss-en |
| + output = RedCloth.new('["clickme":javascript:alert(%27XSS%27)]', [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html |
| + expect(output).to_not match(/href=.javascript:alert/) |
| + end |
| + |
| + |
| +end |
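Review bot: The spec exercises only the lowercase `javascript:` form and only the `:filter_html` option, so it would not catch a case-variant bypass or a regression in the `sanitize_html` branch that the patched `link` method also guards. Add a mixed-case case and a sanitize case (presumably `:sanitize_html`), e.g. `expect(RedCloth.new('["x":JavaScript:alert(1)]', [:filter_html]).to_html).to_not match(/href=.javascript:/i)` and `expect(RedCloth.new('["x":javascript:alert(1)]', [:sanitize_html]).to_html).to_not match(/href=.javascript:/i)`. It is also worth asserting that the link text `clickme` survives, since the fix emits `opts[:name]` in place of the anchor, and that an ordinary `http:` link is still rendered, so the guard cannot be made over-broad without the spec noticing.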
| -- |
| 2.1.4 |
| |