Posted to commits@sling.apache.org by ra...@apache.org on 2018/06/29 09:48:45 UTC
[sling-org-apache-sling-xss] branch issue/SLING-7741_v2 updated:
SLING-7741 - org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't
correctly handle the ":" character in URL fragments
This is an automated email from the ASF dual-hosted git repository.
radu pushed a commit to branch issue/SLING-7741_v2
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git
The following commit(s) were added to refs/heads/issue/SLING-7741_v2 by this push:
new af375b1 SLING-7741 - org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle the ":" character in URL fragments
af375b1 is described below
commit af375b1267a26b7e743e865e98df1aa94965a1e5
Author: Radu Cotescu <ra...@apache.org>
AuthorDate: Fri Jun 29 11:48:04 2018 +0200
SLING-7741 - org.apache.sling.xss.impl.XSSAPIImpl#getValidHref doesn't correctly handle the ":" character in URL fragments
* expanded regex for relative references
* updated AntiSamy
---
pom.xml | 2 +-
src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java | 2 +-
src/main/resources/SLING-INF/content/config.xml | 2 +-
src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java | 4 ++++
4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index 2883bcb..fbaa41e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -129,7 +129,7 @@
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
- <version>1.5.2</version>
+ <version>1.5.7</version>
<scope>provided</scope>
<exclusions>
<exclusion>
diff --git a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
index 079e7b2..49349da 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSFilterImpl.java
@@ -113,7 +113,7 @@ public class XSSFilterImpl implements XSSFilter, ResourceChangeListener, Externa
"(?:" + PATH_NOSCHEME + ")|" +
PATH_EMPTY + ")";
- public static final String RELATIVE_REF = "(?!\\s*javascript:)" + RELATIVE_PART + "(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
+ public static final String RELATIVE_REF = "(?!\\s*javascript(?::|:))" + RELATIVE_PART + "(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
public static final String URI = SCHEME_PATTERN + ":" + HIER_PART + "(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";
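Review bot: As rendered here, the new negative lookahead in RELATIVE_REF is `(?!\\s*javascript(?::|:))`, whose two alternatives are both a literal colon, so it rejects exactly what the old `(?!\\s*javascript:)` rejected and adds nothing; the config.xml counterpart in this same commit spells the second alternative `&colon;`, which suggests the intended Java text is `public static final String RELATIVE_REF = "(?!\\s*javascript(?::|&colon;))" + RELATIVE_PART + "(?:\\?" + QUERY + ")?(?:#" + FRAGMENT + ")?";` and that this mail's plain-text view may have decoded the entity — worth confirming against the actual commit. Either way the constant deserves a line explaining the second alternative, e.g. `// also reject the HTML-entity spelling of ':' so "javascript&colon;" is not treated as a relative reference`, since nothing in the hunk says why a URI regex contains an entity name. The javascript check is also case-sensitive as written; if the pattern is not compiled with CASE_INSENSITIVE somewhere outside this hunk, that should be documented or added. The enclosing class XSSFilterImpl starts and ends outside the hunk.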
diff --git a/src/main/resources/SLING-INF/content/config.xml b/src/main/resources/SLING-INF/content/config.xml
index bb893ae..e1cd3f4 100644
--- a/src/main/resources/SLING-INF/content/config.xml
+++ b/src/main/resources/SLING-INF/content/config.xml
@@ -69,7 +69,7 @@ http://www.w3.org/TR/html401/struct/global.html
<!-- Allow empty URL attributes with a '*'-quantifier instead of '+' for the first part of the regexp -->
<!-- Check org.apache.sling.xss.impl.XSSFilterImpl#RELATIVE_REF to understand the regexp -->
<regexp name="onsiteURL"
- value="(?!\s*javascript:)(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&'()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x3 [...]
+ value="(?!\s*javascript(?::|&colon;))(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&'()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\ [...]
<!-- Check org.apache.sling.xss.impl.XSSFilterImpl#URI to understand the regexp -->
<regexp name="offsiteURL"
value="(?!\s*javascript)\p{L}[\p{L}\p{N}+.\-]*:(?:(?://(?:(?:(?:(?:\p{L}\p{M}*)|[\p{N}-._~])|(?:%\p{XDigit}\p{XDigit})|(?:[!$&'()*+,;=]))*@)?(?:\[(?:(?:(?:\p{XDigit}{1,4}:){6}(?:(?:\p{XDigit}{1,4}:\p{XDigit}{1,4})|(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30-\x34]\p{N}|25[\x30-\x35])\.(?:\p{N}|[\x31-\x39]\p{N}|1\p{N}{2}|2[\x30- [...]
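Review bot: The added onsiteURL value contains `&colon;`, which is not one of XML's predefined entities, so an attribute spelled exactly as shown would not be well-formed; the file presumably uses `&amp;colon;` (which the mail rendering may have decoded once), and that should be verified before merge since a parse failure here would leave the policy unusable. The value is also a hand-maintained copy of XSSFilterImpl#RELATIVE_REF and the two already differ in this commit's rendering, so the pointer comment should state the obligation rather than just the cross-reference, e.g. `<!-- Keep in sync with org.apache.sling.xss.impl.XSSFilterImpl#RELATIVE_REF; the &amp;colon; alternative is the HTML-entity spelling of ':' -->`, ideally backed by a test that compares the two strings. Both regexp values are truncated in this view (`[...]`), so the full expressions could not be reviewed here.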
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index 25c6086..004e839 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -207,6 +207,10 @@ public class XSSAPIImplTest {
{"<a href=\"\">empty href</a>", "<a href=\"\">empty href</a>"},
{"<a href=\" javascript:alert(23)\">space</a>","<a>space</a>"},
{"<table background=\"http://www.google.com\"></table>", "<table></table>"},
+ // CVE-2017-14735
+ {"<a href=\"javascript:alert(23)\">X</a>", "<a>X</a>"},
+ // CVE-2016-10006
+ {"<style onload=\"alert(23)\">h1 {color:red;}</style>", "<style>h1 {\n\tcolor: red;\n}\n</style>"}
};
for (String[] aTestData : testData) {