--
TWiki:Main/PeterThoeny
- 2018-07-13
Patch:
Index: data/TWiki/HeadlinesPlugin.txt
===================================================================
--- data/TWiki/HeadlinesPlugin.txt (revision 30550)
+++ data/TWiki/HeadlinesPlugin.txt (working copy)
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="TWikiContributor" date="1530841159" format="1.1" version="$Rev$"}%
+%META:TOPICINFO{author="TWikiContributor" date="1531506468" format="1.1" version="$Rev$"}%
---+!! Headlines Plugin
<!--
Contributions to this plugin are appreciated. Please update the plugin page at
@@ -105,17 +105,6 @@
%HEADLINES{ "http://slashdot.org/slashdot.rdf" header="---+!! [[$link][$title]]$n $description" format="$t* [[$link][$title]]" limit="4" }%
----+++ Wired Enterprise Feed
-
-Write
-<verbatim>
-%HEADLINES{ "http://feeds.wired.com/wiredenterprise/" limit="3" }%
-</verbatim>
-
-to get the latest postings on the Wired.com feed on enterprise:
-
-%HEADLINES{ "http://feeds.wired.com/wiredenterprise/" limit="3" }%
-
---++ Plugin Settings
Plugin settings are stored as preferences settings. Do __not__ change the settings here, they are here only for
illustration purposes showing the default values. Define the settings in [[%LOCALSITEPREFS%]]. For example, to cu
stomize the =HEADLINESPLUGIN_USERAGENTNAME= setting, add a =* Set HEADLINESPLUGIN_USERAGENTNAME = ...= bullet in
[[%LOCALSITEPREFS%]].
@@ -147,6 +136,9 @@
* Set HEADLINESPLUGIN_FORMAT = <div class="headlinesArticle"><div class="headlinesTitle"><a href="$link">$
title</a></div>$n<span class="headlinesDate">$date</span> <span class="headlinesCreator"> $creator</span> <span class="headlinesSubject"> $subject </span>$n<div class="headlinesText"> $description</div></div>
</verbatim>
+ * Allow HTML in header and format parameters of the HEADLINES variable. If set to =0=, HTML is *not* allowed
those in parameters. This is to guard against Cross-Site Scripting (XSS) attacks. The HEADLINESPLUGIN_HEADER and
HEADLINESPLUGIN_FORMAT plugin settings allow HTML regardless of this setting.
+ * Set HEADLINESPLUGIN_ALLOWHTML = 0
+
* Values taken from configure: (only supported if CPAN:LWP is installed)
* =$TWiki::cfg{PROXY}{HOST}= - proxy host, such as ="proxy.example.com";=
* =$TWiki::cfg{PROXY}{PORT}= - proxy port, such as ="8080";=
@@ -211,13 +203,14 @@
| Plugin Author: | TWiki:Main.PeterThoeny, TWiki:Main.MichaelDaum |
| Copyright: | © 2002-2018 Peter Thoeny, [[http://twiki.org/][TWiki.org]];%BR% © 2002-2018 TWiki:TWiki.TWikiContributor; %BR% © 2005-2007 Michael Daum wikiring.de |
| License: | GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]]) |
-| Plugin Version: | 2018-07-05 |
+| Plugin Version: | 2018-07-13 |
%TWISTY{
mode="div"
showlink="Show Change History %ICONURL{toggleopen}%"
hidelink="Hide Change History %ICONURL{toggleclose}% "
}%
%TABLE{ tablewidth="100%" columnwidths="170," }%
+| 2018-07-13: | TWikibug:Item7846: Sanitize parameters; add HEADLINESPLUGIN_ALLOWHTML setting; remove non funct
ional Wired feed example |
| 2018-07-05: | TWikibug:Item7841: Copyright update to 2018 |
| 2016-01-08: | TWikibug:Item7708: Copyright update to 2016 |
| 2015-11-06: | TWikibug:Item7697: New filter and newline parameters; fix Atom feed parser to support Google Al
erts |
Index: lib/TWiki/Plugins/HeadlinesPlugin/Core.pm
===================================================================
--- lib/TWiki/Plugins/HeadlinesPlugin/Core.pm (revision 30550)
+++ lib/TWiki/Plugins/HeadlinesPlugin/Core.pm (working copy)
@@ -289,12 +289,13 @@
# Get plugin preferences
my $this = {
- defaultRefresh => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_REFRESH') || 60,
- defaultLimit => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_LIMIT') || 100,
- defaultHeader => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_HEADER') ||
+ defaultRefresh => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_REFRESH') || 60,
+ defaultLimit => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_LIMIT') || 100,
+ defaultHeader => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_HEADER') ||
'<div class="headlinesChannel"><div class="headlinesLogo"><img src="$imageurl" alt="$imagetitle" border=
"0" />%BR%</div><div class="headlinesTitle">$n---+!! <a href="$link">$title</a></div><div class="headlinesDate">$
date</div><div class="headlinesDescription">$description</div><div class="headlinesRight">$rights</div></div>',
- defaultFormat => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_FORMAT') ||
+ defaultFormat => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_FORMAT') ||
'<div class="headlinesArticle"><div class="headlinesTitle"><a href="$link">$title</a></div>$n<span class
="headlinesDate">$date</span> <span class="headlinesCreator"> $creator</span> <span class="headlinesSubject"> $su
bject </span>$n<div class="headlinesText"> $description</div></div>',
+ allowHTML => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_ALLOWHTML'),
useLWPUserAgent => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_USELWPUSERAGENT') || 1,
userAgentTimeout => TWiki::Func::getPreferencesValue("HEADLINESPLUGIN_USERAGENTTIMEOUT") || 20,
userAgentName => TWiki::Func::getPreferencesValue("HEADLINESPLUGIN_USERAGENTNAME") ||
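Review bot: The new `allowHTML` entry stores the raw preference string, so the `unless($this->{allowHTML})` checks in the parameter-sanitizing hunk below treat any non-empty value other than `0` — `off`, `no`, `false` — as permission to pass HTML through, which is the opposite of what an administrator writing such a value intends. Normalising it at this point keeps the documented `0`/`1` contract, assuming the installed TWiki provides the usual helper: `allowHTML => TWiki::Func::isTrue(TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_ALLOWHTML'), 0),`. Leaving the preference unset still yields a false value, which is the safe default. The hash constructor continues past the end of the hunk.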
@@ -414,19 +415,29 @@
my $href = $params->{_DEFAULT} || $params->{href};
my $refresh = $params->{refresh} || $this->{defaultRefresh};
my $limit = $params->{limit} || $this->{defaultLimit};
- my $header = $params->{header} || $this->{defaultHeader};
- my $format = $params->{format} || $this->{defaultFormat};
+ my $header = $params->{header} || '';
+ my $format = $params->{format} || '';
my $touch = $params->{touch} || '';
my $newline = $params->{newline} || '';
my $filter = $params->{filter} || '';
- $header =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
- $header =~ s/([^\n])$/$1\n/os; # append new line if needed
- $header =~ s/\$percnt/\%/gos;
- $format =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
- $format =~ s/([^\n])$/$1\n/os; # append new line if needed
- $format =~ s/\$t\b/\t/go;
- $format =~ s/\$percnt/\%/gos;
+ # Item7846: Sanitize parameters
+ $href =~ s/['"<>`]//gos; # filter out problematic chars
+ $refresh =~ s/[^0-9\.]//gos; # filter out non-numerals
+ $limit =~ s/[^0-9]//gos; # filter out non-numerals
+ $header =~ s/['"<>`]//gos unless($this->{allowHTML}); # filter out problematic chars
+ $header = $this->{defaultHeader} unless( $header );
+ $header =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
+ $header =~ s/([^\n])$/$1\n/os; # append new line if needed
+ $header =~ s/\$percnt/\%/gos;
+ $format =~ s/['"<>`]//gos unless($this->{allowHTML}); # filter out problematic chars
+ $format = $this->{defaultFormat} unless( $format );
+ $format =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
+ $format =~ s/([^\n])$/$1\n/os; # append new line if needed
+ $format =~ s/\$t\b/\t/go;
+ $format =~ s/\$percnt/\%/gos;
+ $touch =~ s/['"<>`]//gos; # filter out problematic chars
+ $newline =~ s/['"<>`]//gos; # filter out problematic chars
unless($href) {
return errorMsg("href parameter (news source) is missing");
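Review bot: `$refresh` and `$limit` take their defaults before the new character-stripping at `$refresh =~ s/[^0-9\.]//gos;` and `$limit =~ s/[^0-9]//gos;`, so a non-numeric value such as `limit="ten"` is reduced to the empty string and the preference default is lost, whereas `$header` and `$format` in the same hunk are defaulted only after sanitizing. Applying the same order to the numeric parameters keeps the two paths consistent: `$refresh = $this->{defaultRefresh} unless $refresh;` and `$limit = $this->{defaultLimit} unless $limit;` directly after their respective substitutions. The `$refresh` filter also admits several dots (`1.2.3`), which a numeric use downstream would warn on; if an integer is meant, matching on `\A\d+\z` and reassigning from the capture is the tighter check. `$filter` is left untouched here and is later interpolated into a pattern; that is raised on its own hunk. The enclosing subroutine starts before the hunk and continues after it.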
@@ -459,7 +470,7 @@
$raw =~ s/\n/$newline/gos;
}
if($filter) {
- $raw =~ s/$filter//gos;
+ $raw =~ s/$filter//gs;
}
# distinguish rss from atom
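Review bot: `$raw =~ s/$filter//gs;` still interpolates the topic-supplied `filter` parameter as a regular expression, so a value that does not compile makes the substitution die at render time, and a pathological pattern can stall the request. Dropping the `o` modifier fixes the stale-pattern caching, but the value deserves the same care as the other parameters in this change: if `filter` is meant as a literal string, use `$raw =~ s/\Q$filter\E//gs;`; if it is meant as a pattern, compile it guarded, e.g. `my $re = eval { qr/$filter/s } or return errorMsg("invalid filter parameter");` followed by `$raw =~ s/$re//g;`. The enclosing subroutine starts and ends outside the hunk.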
Index: lib/TWiki/Plugins/HeadlinesPlugin.pm
===================================================================
--- lib/TWiki/Plugins/HeadlinesPlugin.pm (revision 30550)
+++ lib/TWiki/Plugins/HeadlinesPlugin.pm (working copy)
@@ -28,7 +28,7 @@
# =========================
our $VERSION = '$Rev$';
-our $RELEASE = '2018-07-05';
+our $RELEASE = '2018-07-13';
our $NO_PREFS_IN_TOPIC = 1;
our $SHORTDESCRIPTION = 'Show headline news in TWiki pages based on RSS and ATOM news feeds from external sites'
;
our $core;
Follow-up patch:
Index: lib/TWiki/Plugins/HeadlinesPlugin/Core.pm
===================================================================
--- lib/TWiki/Plugins/HeadlinesPlugin/Core.pm (revision 30559)
+++ lib/TWiki/Plugins/HeadlinesPlugin/Core.pm (working copy)
@@ -495,11 +495,10 @@
my $text = '';
my $baseRef = '';
+ $raw =~ s/<script[^>]*>(.*?)<\/script>//gos; # strip all scripts
if ($raw =~ /<channel[^>]*>(.*?)<\/channel>/s) {
$sub = $1;
- if ($sub =~ /(.*?)<item[^>]*>/g) {
- $sub = $1; # cut stuff above all <item>s
- }
+ $sub =~ /<items[^>]*>.*?<\/items>/os; # remove items
if ($sub =~ /<title[^>]*>(.*?)<\/title>/) {
$val = &recode($1);
$header =~ s/\$(channel)?title/$val/gos;
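Review bot: `$sub =~ /<items[^>]*>.*?<\/items>/os; # remove items` is a match in void context, not a substitution, so nothing is removed and `$sub` keeps the whole channel body that the replaced `<item` cut used to discard; it should read `$sub =~ s/<items[^>]*>.*?<\/items>//os;`. The new script-stripping line `$raw =~ s/<script[^>]*>(.*?)<\/script>//gos;` is case-sensitive while tag names are not, so a differently-cased tag passes through; adding the `i` modifier and dropping the unused capture gives `$raw =~ s/<script[^>]*>.*?<\/script>//gosi;`. Stripping one tag name is a blocklist, though: markup carried in other tags and attributes can still reach the rendered page through `$title`/`$description`, so entity-encoding the feed values where they are substituted (or allow-listing tags) is the more robust defence. The enclosing subroutine starts and ends outside the hunk.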
--
TWiki:Main.PeterThoeny
- 2018-07-14