On Thu, 27 Apr 2000, Jeremy Howard wrote:

> I'm interested in providing 'HTML email' support for my users (like
> HotMail, Outlook Express, Eudora 4.0, etc provide), but I'm very
> nervous about security. Essentially, providing HTML email involves
> letting any arbitrary HTML get displayed by Apache...
> 
> Has anyone done this, or can anyone provide any tips on what the
> minimum amount of HTML laundering I need to do to avoid security
> holes? I say 'minimum', because I would like to maximise the amount of
> working HTML users can receive.
> 
> I assume I don't have to worry about PHP/EmbPerl/etc tags, since by
> the time mod_perl is finished with it, it's too late for other
> handlers to step in (unless I specifically chain them). Is that right?

Assuming you never write out temporary files to disk in a web-accessible
location containing user-accessible info and then point the user to that temp
file directly.

> The only potential holes I can think of are 'javascript:' URLs, which
> I could just filter out, and cross-site scripting URLs (does anyone
> have any code that recognises hrefs with potential cross-site
> scripting problems?)

Sorry, you are out of luck.  You either won't have the full HTML
functionality you want, or you won't be secure.

The very fact that Microsoft is still running into new issues in Hotmail
(even when considering only IE) should attest to that.

Your efforts need to be focused on risk management.  How do you do your
authentication?  Is it persistent?  Is it completely cookie based,
completely URL based, HTTP basic auth based, or some combination?  How
long is authentication good for?  What do you let users do without
re-entering their password (e.g. to change their password, they should have
to enter the existing one even if they have authenticated)?  etc.

You should also really configure only allowing specific things though
instead of trying to filter out bad things.  You still won't catch
everything, but that will catch things like about: URLs in IE (yup, you
can inject javascript using them), "mocha:" URLs in Navigator (guess
"javascript:" wasn't enough), etc.

Cookies are not secure and will never be secure.  They may be "good
enough", and you may not have much choice, but they are still simply not
secure when you put everything together.
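The allow-list approach the reply recommends, written out as an added example in Python rather than the mod_perl setup under discussion (this is not code from either poster): only a fixed set of tags and attributes is emitted, and an href survives only when its scheme is explicitly allowed, which drops javascript:, about: and mocha: links, including ones padded with whitespace or control characters that a substring filter for "javascript:" would miss. The tag, attribute and scheme sets are assumptions to be tuned per deployment.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow list (assumed, tune per deployment): anything not named is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}  # no event handlers, style or src attributes
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def safe_url(url):
    """Return the URL if its scheme is allow-listed, otherwise None."""
    # Browsers ignore embedded whitespace/control chars, so strip them before
    # the scheme check; "java\tscript:" must not pass as a harmless scheme.
    cleaned = "".join(ch for ch in url if ch > " ")
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # malformed URL, e.g. a bad IPv6 literal
        return None
    return cleaned if scheme in ALLOWED_SCHEMES else None

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # &#58; etc. decoded before checks
        self.out, self.skip = [], 0              # skip > 0 inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    value = safe_url(value) if name == "href" else value
                    if value is not None:
                        kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
            self.out.append("<%s%s>" % (tag, "".join(kept)))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # re-escaped so stray markup stays inert

def sanitize(fragment):
    """Rebuild the fragment from allow-listed tags; comments and unknown tags vanish."""
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

The rebuilt output is not tag-balanced; since only inert tags are emitted, an unclosed `<b>` can only disturb formatting, not run script.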
