Your message dated Thu, 17 Jun 2010 15:35:20 +0000
with message-id <[email protected]>
and subject line Bug#586061: fixed in php-htmlpurifier 4.1.1+dfsg1-1
has caused the Debian Bug report #586061,
regarding php-htmlpurifier: new upstream release includes fix for XSS on IE 
(fix in 4.1.0 wasn't good enough)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
586061: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586061
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php-htmlpurifier
Version: 4.1.0+dfsg1-1
Severity: grave
Tags: patch

The new 4.1.1 upstream release says:

"HTML Purifier 4.1.1 is a major security and bugfix release that
improves on 4.1's fix for an XSS vulnerability exploitable on Internet
Explorer."

I have attached a patch, which is the upstream fix for it
(commit d3abcb90e30592c619047d878cf9c72b7c5836a3), but a simpler fix is just
to upgrade to the latest upstream release.

Cheers,
Francois
diff --git a/library/HTMLPurifier/AttrDef.php b/library/HTMLPurifier/AttrDef.php
index d32fa62..b2e4f36 100644
--- a/library/HTMLPurifier/AttrDef.php
+++ b/library/HTMLPurifier/AttrDef.php
@@ -82,6 +82,42 @@ abstract class HTMLPurifier_AttrDef
         return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
     }
 
+    /**
+     * Parses a possibly escaped CSS string and returns the "pure" 
+     * version of it.
+     */
+    protected function expandCSSEscape($string) {
+        // flexibly parse it
+        $ret = '';
+        for ($i = 0, $c = strlen($string); $i < $c; $i++) {
+            if ($string[$i] === '\\') {
+                $i++;
+                if ($i >= $c) {
+                    $ret .= '\\';
+                    break;
+                }
+                if (ctype_xdigit($string[$i])) {
+                    $code = $string[$i];
+                    for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
+                        if (!ctype_xdigit($string[$i])) break;
+                        $code .= $string[$i];
+                    }
+                    // We have to be extremely careful when adding
+                    // new characters, to make sure we're not breaking
+                    // the encoding.
+                    $char = HTMLPurifier_Encoder::unichr(hexdec($code));
+                    if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+                    $ret .= $char;
+                    if ($i < $c && trim($string[$i]) !== '') $i--;
+                    continue;
+                }
+                if ($string[$i] === "\n") continue;
+            }
+            $ret .= $string[$i];
+        }
+        return $ret;
+    }
+
 }
 
 // vim: et sw=4 sts=4
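Review bot: The `continue` on the `if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;` line in expandCSSEscape skips the `$i--` adjustment that follows it, so when a hex escape decodes to something cleanUTF8 discards, the outer loop's `$i++` also drops the first non-whitespace character after the escape (which code points cleanUTF8 rejects is not visible in this hunk — confirm, but any rejected escape will show the effect). Moving the index adjustment ahead of the check keeps the accepted and rejected cases symmetric: `if ($i < $c && trim($string[$i]) !== '') $i--;` then `if (HTMLPurifier_Encoder::cleanUTF8($char) !== '') $ret .= $char;` then `continue;`. Note also that `trim()` treats NUL and vertical tab as whitespace, which is wider than the single whitespace character CSS consumes after a hex escape; probably harmless for the two callers in this patch, but it deserves a comment. The new docblock should state the contract too, e.g. `@param string $string Raw CSS token, possibly containing backslash escapes` and `@return string The token with escapes expanded to their UTF-8 characters`.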
diff --git a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
index 705ac89..42c2054 100644
--- a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -34,37 +34,10 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
                 $quote = $font[0];
                 if ($font[$length - 1] !== $quote) continue;
                 $font = substr($font, 1, $length - 2);
+            }
 
-                $new_font = '';
-                for ($i = 0, $c = strlen($font); $i < $c; $i++) {
-                    if ($font[$i] === '\\') {
-                        $i++;
-                        if ($i >= $c) {
-                            $new_font .= '\\';
-                            break;
-                        }
-                        if (ctype_xdigit($font[$i])) {
-                            $code = $font[$i];
-                            for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
-                                if (!ctype_xdigit($font[$i])) break;
-                                $code .= $font[$i];
-                            }
-                            // We have to be extremely careful when adding
-                            // new characters, to make sure we're not breaking
-                            // the encoding.
-                            $char = HTMLPurifier_Encoder::unichr(hexdec($code));
-                            if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
-                            $new_font .= $char;
-                            if ($i < $c && trim($font[$i]) !== '') $i--;
-                            continue;
-                        }
-                        if ($font[$i] === "\n") continue;
-                    }
-                    $new_font .= $font[$i];
-                }
+            $font = $this->expandCSSEscape($font);
 
-                $font = $new_font;
-            }
             // $font is a pure representation of the font name
 
             if (ctype_alnum($font) && $font !== '') {
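Review bot: The `$font = $this->expandCSSEscape($font);` call now runs on unquoted font tokens as well, where the old inline loop only ran inside the quoted branch (the closing `}` moved up above it); that agrees with CSS, where bare identifiers may also carry escapes, but the comment that follows should say so, e.g. `// escapes are expanded for both quoted strings and bare identifiers; $font is now the pure font name`. The surrounding foreach and the validate method begin above the hunk.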
@@ -73,12 +46,21 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
                 continue;
             }
 
-            // complicated font, requires quoting
+            // bugger out on whitespace.  form feed (0C) really
+            // shouldn't show up regardless
+            $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
 
-            // armor single quotes and new lines
-            $font = str_replace("\\", "\\\\", $font);
-            $font = str_replace("'", "\\'", $font);
-            $final .= "'$font', ";
+            // These ugly transforms don't pose a security
+            // risk (as \\ and \" might).  We could try to be clever and
+            // use single-quote wrapping when there is a double quote
+            // present, but I have choosen not to implement that.
+            // (warning: this code relies on the selection of quotation
+            // mark below)
+            $font = str_replace('\\', '\\5C ', $font);
+            $font = str_replace('"',  '\\22 ', $font);
+
+            // complicated font, requires quoting
+            $final .= "\"$font\", "; // note that this will later get turned into &quot;
         }
         $final = rtrim($final, ', ');
         if ($final === '') return false;
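Review bot: The two `str_replace` calls that armor `\` and `"` are order-dependent — swapping them would re-escape the backslash that `\22 ` introduces — but the comment above them only documents the dependence on the quotation mark chosen below. Add a line stating the ordering, e.g. `// backslash must be replaced first: the \22 escape below introduces a new backslash`. The trailing space in `\5C ` and `\22 ` is the escape terminator that stops a following hex digit in the font name from being absorbed into the escape; a short comment on that would save the next reader a trip to the CSS grammar. The enclosing foreach and validate method begin above the hunk.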
diff --git a/library/HTMLPurifier/AttrDef/CSS/URI.php b/library/HTMLPurifier/AttrDef/CSS/URI.php
index 54b7d63..1df17dc 100644
--- a/library/HTMLPurifier/AttrDef/CSS/URI.php
+++ b/library/HTMLPurifier/AttrDef/CSS/URI.php
@@ -34,20 +34,16 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
             $uri = substr($uri, 1, $new_length - 1);
         }
 
-        $keys   = array(  '(',   ')',   ',',   ' ',   '"',   "'");
-        $values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
-        $uri = str_replace($values, $keys, $uri);
+        $uri = $this->expandCSSEscape($uri);
 
         $result = parent::validate($uri, $config, $context);
 
         if ($result === false) return false;
 
-        // escape necessary characters according to CSS spec
-        // except for the comma, none of these should appear in the
-        // URI at all
-        $result = str_replace($keys, $values, $result);
+        // extra sanity check; should have been done by URI
+        $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
 
-        return "url('$result')";
+        return "url(\"$result\")";
 
     }
 
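Review bot: The sanity check on the `$result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);` line silently rewrites a URI the parent validator has already accepted instead of rejecting it; since the comment says none of these characters should be present after URI validation, failing closed is more consistent with the `return false` two lines above, e.g. `if (strpbrk($result, "\"\\\n\x0c\r") !== false) return false;`. The character list also omits `\t`, which the FontFamily hunk in this same patch maps to a space; a raw tab is legal inside a double-quoted CSS string so this is likely deliberate, but a comment saying so would stop the two lists from looking inconsistent. The validate method's signature is above the hunk.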

--- End Message ---
--- Begin Message ---
Source: php-htmlpurifier
Source-Version: 4.1.1+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
php-htmlpurifier, which is due to be installed in the Debian FTP archive:

php-htmlpurifier_4.1.1+dfsg1-1.diff.gz
  to main/p/php-htmlpurifier/php-htmlpurifier_4.1.1+dfsg1-1.diff.gz
php-htmlpurifier_4.1.1+dfsg1-1.dsc
  to main/p/php-htmlpurifier/php-htmlpurifier_4.1.1+dfsg1-1.dsc
php-htmlpurifier_4.1.1+dfsg1-1_all.deb
  to main/p/php-htmlpurifier/php-htmlpurifier_4.1.1+dfsg1-1_all.deb
php-htmlpurifier_4.1.1+dfsg1.orig.tar.gz
  to main/p/php-htmlpurifier/php-htmlpurifier_4.1.1+dfsg1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <[email protected]> (supplier of updated php-htmlpurifier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Thu, 17 Jun 2010 14:45:26 +0000
Source: php-htmlpurifier
Binary: php-htmlpurifier
Architecture: source all
Version: 4.1.1+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Christian Bayle <[email protected]>
Changed-By: Thorsten Glaser <[email protected]>
Description: 
 php-htmlpurifier - Standards-compliant HTML filter
Closes: 586061
Changes: 
 php-htmlpurifier (4.1.1+dfsg1-1) unstable; urgency=high
 .
   * New upstream release; upstream WHATSNEW says:
     | HTML Purifier 4.1.1 is a major security and bugfix release that
     | improves on 4.1's fix for an XSS vulnerability exploitable on Internet
     | Explorer.  It also contains a number of important bugfixes, including
     | the removal of improper logic that could result in infinite loops and
     | fixed parsing for single-attributes with entities with DirectLex.
   * Set urgency=high due to second attempt at XSS bugfix, no CVE number
     (SA39613) (Closes: #586061) (LP: #582576)
   * /usr/share/php-htmlpurifier/tests/index.php no longer has a shebang,
     so do not chmod +x it
Checksums-Sha1: 
 03441c3c10a90200ce8c959f219db7330d7619e2 1795 
php-htmlpurifier_4.1.1+dfsg1-1.dsc
 13ee79801e19ea5f0f316b9beb6941170a7ab4a3 554765 
php-htmlpurifier_4.1.1+dfsg1.orig.tar.gz
 5aa028ed6dab518974a11b0612c376ed8ec33d0f 3533 
php-htmlpurifier_4.1.1+dfsg1-1.diff.gz
 8b28cbc5fee84a0c3a016caa72456fb596faabad 554852 
php-htmlpurifier_4.1.1+dfsg1-1_all.deb
Checksums-Sha256: 
 1294b99e95d7a62305b5ef8a8c4afe38c3169b44690a3693d59efaeafc4448fa 1795 
php-htmlpurifier_4.1.1+dfsg1-1.dsc
 2c3dd31cf3304a0e6cfb56fde05058f793108b20dfffb27544eb8a8d09add778 554765 
php-htmlpurifier_4.1.1+dfsg1.orig.tar.gz
 b6ae32821837ca5933f662d5fb1358ed8ebe2e08813455524b584e89160f3505 3533 
php-htmlpurifier_4.1.1+dfsg1-1.diff.gz
 aac00541ee52f6c03a8675a1395398b4fd2d9fb548b87e475de122153415cc7e 554852 
php-htmlpurifier_4.1.1+dfsg1-1_all.deb
Files: 
 ead316fb232600abd5b987aaaca691a8 1795 php optional 
php-htmlpurifier_4.1.1+dfsg1-1.dsc
 6f28f2d9fd6844c5b737198aa232495c 554765 php optional 
php-htmlpurifier_4.1.1+dfsg1.orig.tar.gz
 8335e7b3e59f56a4a68db694a10f5415 3533 php optional 
php-htmlpurifier_4.1.1+dfsg1-1.diff.gz
 b6a92cb247cdfa7961f7628cee24c681 554852 php optional 
php-htmlpurifier_4.1.1+dfsg1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)
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=ntFa
-----END PGP SIGNATURE-----



--- End Message ---
