[webkit-changes] [228584] trunk/Websites/bugs.webkit.org

[commit-queue]

Title: [228584] trunk/Websites/bugs.webkit.org

Revision

228584

Author

commit-qu...@webkit.org

Date

2018-02-16 15:12:13 -0800 (Fri, 16 Feb 2018)

Log Message

Apply Bugzilla patches for CVE-2018-5123
https://bugs.webkit.org/show_bug.cgi?id=182884

Patch by Ling Ho <lin...@apple.com> on 2018-02-16
Reviewed by Alexey Proskuryakov.

* Bugzilla/CGI.pm:
(_prevent_unsafe_response):
(header):
* attachment.cgi:

Modified Paths

• trunk/Websites/bugs.webkit.org/Bugzilla/CGI.pm
• trunk/Websites/bugs.webkit.org/ChangeLog
• trunk/Websites/bugs.webkit.org/attachment.cgi

Diff

Modified: trunk/Websites/bugs.webkit.org/Bugzilla/CGI.pm (228583 => 228584)

--- trunk/Websites/bugs.webkit.org/Bugzilla/CGI.pm	2018-02-16 23:02:23 UTC (rev 228583)
+++ trunk/Websites/bugs.webkit.org/Bugzilla/CGI.pm	2018-02-16 23:12:13 UTC (rev 228584)
@@ -288,6 +288,69 @@
     }
 }
 
+our $ALLOW_UNSAFE_RESPONSE = 0;
+# responding to text/plain or text/html is safe
+# responding to any request with a referer header is safe
+# some things need to have unsafe responses (attachment.cgi)
+# everything else should get a 403.
+sub _prevent_unsafe_response {
+    my ($self, $headers) = @_;
+    my $safe_content_type_re = qr{
+        ^ (*COMMIT) # COMMIT makes the regex faster
+                    # by preventing back-tracking. see also perldoc pelre.
+        # application/x-_javascript_, xml, atom+xml, rdf+xml, xml-dtd, and json
+        (?: application/ (?: x(?: -_javascript_ | ml (?: -dtd )? )
+                           | (?: atom | rdf) \+ xml
+                           | json )
+        # text/csv, text/calendar, text/plain, and text/html
+          | text/ (?: c (?: alendar | sv )
+                    | plain
+                    | html )
+        # used for HTTP push responses
+          | multipart/x-mixed-replace)
+    }sx;
+    my $safe_referer_re = do {
+        # Note that urlbase must end with a /.
+        # It almost certainly does, but let's be extra careful.
+        my $urlbase = correct_urlbase();
+        $urlbase =~ s{/$}{};
+        qr{
+            # Begins with literal urlbase
+            ^ (*COMMIT)
+            \Q$urlbase\E
+            # followed by a slash or end of string
+            (?: /
+              | $ )
+        }sx
+    };
+
+    return if $ALLOW_UNSAFE_RESPONSE;
+
+    if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
+        # Safe content types are ones that arn't images.
+        # For now let's assume plain text and html are not valid images.
+        my $content_type         = $headers->{'-type'} // $headers->{'-content_type'} // 'text/html';
+        my $is_safe_content_type = $content_type =~ $safe_content_type_re;
+
+        # Safe referers are ones that begin with the urlbase.
+        my $referer         = $self->referer;
+        my $is_safe_referer = $referer && $referer =~ $safe_referer_re;
+
+        if (!$is_safe_referer && !$is_safe_content_type) {
+            print $self->SUPER::header(-type => 'text/html',  -status => '403 Forbidden');
+            if ($content_type ne 'text/html') {
+                print "Untrusted Referer Header\n";
+                if ($ENV{MOD_PERL}) {
+                    my $r = $self->r;
+                    $r->rflush;
+                    $r->status(200);
+                }
+            }
+            exit;
+        }
+    }
+}
+
 # Override header so we can add the cookies in
 sub header {
     my $self = shift;
@@ -302,6 +365,7 @@
     else {
         %headers = @_;
     }
+    $self->_prevent_unsafe_response(\%headers);
 
     if ($self->{'_content_disp'}) {
         $headers{'-content_disposition'} = $self->{'_content_disp'};

Modified: trunk/Websites/bugs.webkit.org/ChangeLog (228583 => 228584)

--- trunk/Websites/bugs.webkit.org/ChangeLog	2018-02-16 23:02:23 UTC (rev 228583)
+++ trunk/Websites/bugs.webkit.org/ChangeLog	2018-02-16 23:12:13 UTC (rev 228584)
@@ -1,3 +1,15 @@
+2018-02-16  Ling Ho  <lin...@apple.com>
+
+        Apply Bugzilla patches for CVE-2018-5123
+        https://bugs.webkit.org/show_bug.cgi?id=182884
+
+        Reviewed by Alexey Proskuryakov.
+
+        * Bugzilla/CGI.pm:
+        (_prevent_unsafe_response):
+        (header):
+        * attachment.cgi:
+
 2017-06-22  Carlos Alberto Lopez Perez  <clo...@igalia.com>
 
         pretty patch doesn't show image diffs with newer versions of git

Modified: trunk/Websites/bugs.webkit.org/attachment.cgi (228583 => 228584)

--- trunk/Websites/bugs.webkit.org/attachment.cgi	2018-02-16 23:02:23 UTC (rev 228583)
+++ trunk/Websites/bugs.webkit.org/attachment.cgi	2018-02-16 23:12:13 UTC (rev 228584)
@@ -39,6 +39,7 @@
 local our $cgi = Bugzilla->cgi;
 local our $template = Bugzilla->template;
 local our $vars = {};
+local $Bugzilla::CGI::ALLOW_UNSAFE_RESPONSE = 1;
 
 # All calls to this script should contain an "action" variable whose
 # value determines what the user wants to do.  The code below checks

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes