• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item7846: Sanitize parameters

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Extension HeadlinesPlugin Normal Closed   patch 6.1.0

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

-- TWiki:Main/PeterThoeny - 2018-07-13

Patch:

Index: data/TWiki/HeadlinesPlugin.txt
===================================================================
--- data/TWiki/HeadlinesPlugin.txt	(revision 30550)
+++ data/TWiki/HeadlinesPlugin.txt	(working copy)
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="TWikiContributor" date="1530841159" format="1.1" version="$Rev$"}%
+%META:TOPICINFO{author="TWikiContributor" date="1531506468" format="1.1" version="$Rev$"}%
 ---+!! Headlines Plugin
 <!--
    Contributions to this plugin are appreciated. Please update the plugin page at
@@ -105,17 +105,6 @@
 
 %HEADLINES{ "http://slashdot.org/slashdot.rdf" header="---+!! [[$link][$title]]$n $description" format="$t* [[$link][$title]]" limit="4" }%
 
----+++ Wired Enterprise Feed
-
-Write
-<verbatim>
-%HEADLINES{ "http://feeds.wired.com/wiredenterprise/" limit="3" }%
-</verbatim>
-
-to get the latest postings on the Wired.com feed on enterprise:
-
-%HEADLINES{ "http://feeds.wired.com/wiredenterprise/" limit="3" }%
-
 ---++ Plugin Settings
 
 Plugin settings are stored as preferences settings. Do __not__ change the settings here, they are here only for 
illustration purposes showing the default values. Define the settings in [[%LOCALSITEPREFS%]]. For example, to cu
stomize the =HEADLINESPLUGIN_USERAGENTNAME= setting, add a =* Set HEADLINESPLUGIN_USERAGENTNAME = ...= bullet in 
[[%LOCALSITEPREFS%]].
@@ -147,6 +136,9 @@
       * Set HEADLINESPLUGIN_FORMAT = <div class="headlinesArticle"><div class="headlinesTitle"><a href="$link">$
title</a></div>$n<span class="headlinesDate">$date</span> <span class="headlinesCreator"> $creator</span> <span class="headlinesSubject"> $subject </span>$n<div class="headlinesText"> $description</div></div>
 </verbatim>
 
+   * Allow HTML in header and format parameters of the HEADLINES variable. If set to =0=, HTML is *not* allowed 
those in parameters. This is to guard against Cross-Site Scripting (XSS) attacks. The HEADLINESPLUGIN_HEADER and 
HEADLINESPLUGIN_FORMAT plugin settings allow HTML regardless of this setting.
+      * Set HEADLINESPLUGIN_ALLOWHTML = 0
+
    * Values taken from configure: (only supported if CPAN:LWP is installed)
       * =$TWiki::cfg{PROXY}{HOST}= - proxy host, such as ="proxy.example.com";=
       * =$TWiki::cfg{PROXY}{PORT}= - proxy port, such as ="8080";=
@@ -211,13 +203,14 @@
 |  Plugin Author: | TWiki:Main.PeterThoeny, TWiki:Main.MichaelDaum |
 |  Copyright: | &copy; 2002-2018 Peter Thoeny, [[http://twiki.org/][TWiki.org]];%BR% &copy; 2002-2018 TWiki:TWiki.TWikiContributor; %BR% &copy; 2005-2007 Michael Daum wikiring.de |
 |  License: | GPL ([[http://www.gnu.org/copyleft/gpl.html][GNU General Public License]]) |
-|  Plugin Version: | 2018-07-05 |
+|  Plugin Version: | 2018-07-13 |
 %TWISTY{
  mode="div"
  showlink="Show Change History %ICONURL{toggleopen}%"
  hidelink="Hide Change History %ICONURL{toggleclose}% "
 }%
 %TABLE{ tablewidth="100%" columnwidths="170," }%
+|  2018-07-13: | TWikibug:Item7846: Sanitize parameters; add HEADLINESPLUGIN_ALLOWHTML setting; remove non funct
ional Wired feed example |
 |  2018-07-05: | TWikibug:Item7841: Copyright update to 2018 |
 |  2016-01-08: | TWikibug:Item7708: Copyright update to 2016 |
 |  2015-11-06: | TWikibug:Item7697: New filter and newline parameters; fix Atom feed parser to support Google Al
erts |
Index: lib/TWiki/Plugins/HeadlinesPlugin/Core.pm
===================================================================
--- lib/TWiki/Plugins/HeadlinesPlugin/Core.pm	(revision 30550)
+++ lib/TWiki/Plugins/HeadlinesPlugin/Core.pm	(working copy)
@@ -289,12 +289,13 @@
 
   # Get plugin preferences
   my $this = {
-      defaultRefresh => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_REFRESH') || 60,
-      defaultLimit   => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_LIMIT') || 100,
-      defaultHeader  => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_HEADER') ||
+      defaultRefresh   => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_REFRESH') || 60,
+      defaultLimit     => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_LIMIT') || 100,
+      defaultHeader    => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_HEADER') ||
         '<div class="headlinesChannel"><div class="headlinesLogo"><img src="$imageurl" alt="$imagetitle" border=
"0" />%BR%</div><div class="headlinesTitle">$n---+!! <a href="$link">$title</a></div><div class="headlinesDate">$
date</div><div class="headlinesDescription">$description</div><div class="headlinesRight">$rights</div></div>',
-      defaultFormat  => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_FORMAT') ||
+      defaultFormat    => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_FORMAT') ||
         '<div class="headlinesArticle"><div class="headlinesTitle"><a href="$link">$title</a></div>$n<span class
="headlinesDate">$date</span> <span class="headlinesCreator"> $creator</span> <span class="headlinesSubject"> $su
bject </span>$n<div class="headlinesText"> $description</div></div>',
+      allowHTML        => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_ALLOWHTML'),
       useLWPUserAgent  => TWiki::Func::getPreferencesValue('HEADLINESPLUGIN_USELWPUSERAGENT') || 1,
       userAgentTimeout => TWiki::Func::getPreferencesValue("HEADLINESPLUGIN_USERAGENTTIMEOUT") || 20,
       userAgentName    => TWiki::Func::getPreferencesValue("HEADLINESPLUGIN_USERAGENTNAME") ||
@@ -414,19 +415,29 @@
   my $href    = $params->{_DEFAULT} || $params->{href};
   my $refresh = $params->{refresh}  || $this->{defaultRefresh};
   my $limit   = $params->{limit}    || $this->{defaultLimit};
-  my $header  = $params->{header}   || $this->{defaultHeader};
-  my $format  = $params->{format}   || $this->{defaultFormat};
+  my $header  = $params->{header}   || '';
+  my $format  = $params->{format}   || '';
   my $touch   = $params->{touch}    || '';
   my $newline = $params->{newline}  || '';
   my $filter  = $params->{filter}   || '';
 
-  $header =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
-  $header =~ s/([^\n])$/$1\n/os;        # append new line if needed
-  $header =~ s/\$percnt/\%/gos;
-  $format =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
-  $format =~ s/([^\n])$/$1\n/os;        # append new line if needed
-  $format =~ s/\$t\b/\t/go;
-  $format =~ s/\$percnt/\%/gos;
+  # Item7846: Sanitize parameters
+  $href    =~ s/['"<>`]//gos;            # filter out problematic chars
+  $refresh =~ s/[^0-9\.]//gos;           # filter out non-numerals
+  $limit   =~ s/[^0-9]//gos;             # filter out non-numerals
+  $header  =~ s/['"<>`]//gos unless($this->{allowHTML}); # filter out problematic chars
+  $header = $this->{defaultHeader} unless( $header );
+  $header  =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
+  $header  =~ s/([^\n])$/$1\n/os;        # append new line if needed
+  $header  =~ s/\$percnt/\%/gos;
+  $format  =~ s/['"<>`]//gos unless($this->{allowHTML}); # filter out problematic chars
+  $format = $this->{defaultFormat} unless( $format );
+  $format  =~ s/\$n([^a-zA-Z])/\n$1/gos; # expand "$n" to new line
+  $format  =~ s/([^\n])$/$1\n/os;        # append new line if needed
+  $format  =~ s/\$t\b/\t/go;
+  $format  =~ s/\$percnt/\%/gos;
+  $touch   =~ s/['"<>`]//gos;            # filter out problematic chars
+  $newline =~ s/['"<>`]//gos;            # filter out problematic chars
 
   unless($href) {
     return errorMsg("href parameter (news source) is missing");
@@ -459,7 +470,7 @@
     $raw =~ s/\n/$newline/gos;
   }
   if($filter) {
-    $raw =~ s/$filter//gos;
+    $raw =~ s/$filter//gs;
   }
 
   # distinguish rss from atom
Index: lib/TWiki/Plugins/HeadlinesPlugin.pm
===================================================================
--- lib/TWiki/Plugins/HeadlinesPlugin.pm	(revision 30550)
+++ lib/TWiki/Plugins/HeadlinesPlugin.pm	(working copy)
@@ -28,7 +28,7 @@
 
 # =========================
 our $VERSION = '$Rev$';
-our $RELEASE = '2018-07-05';
+our $RELEASE = '2018-07-13';
 our $NO_PREFS_IN_TOPIC = 1;
 our $SHORTDESCRIPTION = 'Show headline news in TWiki pages based on RSS and ATOM news feeds from external sites'
;
 our $core;

Follow-up patch:

Index: lib/TWiki/Plugins/HeadlinesPlugin/Core.pm
===================================================================
--- lib/TWiki/Plugins/HeadlinesPlugin/Core.pm   (revision 30559)
+++ lib/TWiki/Plugins/HeadlinesPlugin/Core.pm   (working copy)
@@ -495,11 +495,10 @@
   my $text = '';
   my $baseRef = '';
 
+  $raw =~ s/<script[^>]*>(.*?)<\/script>//gos; # strip all scripts
   if ($raw =~ /<channel[^>]*>(.*?)<\/channel>/s) {
     $sub = $1;
-    if ($sub =~ /(.*?)<item[^>]*>/g) {
-      $sub = $1;  # cut stuff above all <item>s
-    }
+    $sub =~ /<items[^>]*>.*?<\/items>/os; # remove items
     if ($sub =~ /<title[^>]*>(.*?)<\/title>/) {
       $val = &recode($1);
       $header =~ s/\$(channel)?title/$val/gos;

-- TWiki:Main.PeterThoeny - 2018-07-14

ItemTemplate
Summary Sanitize parameters
ReportedBy TWiki:Main.PeterThoeny
Codebase ~twiki4, 6.0.2
SVN Range TWiki-6.0.2-trunk, Sat, 07 Jul 2018, build 30509
AppliesTo Extension
Component HeadlinesPlugin
Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:30558 TWikirev:30559 TWikirev:30560 TWikirev:30561
TargetRelease patch
ReleasedIn 6.1.0
Edit | Attach | Watch | Print version | History: r9 < r8 < r7 < r6 < r5 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r9 - 2018-07-17 - PeterThoeny
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback