implemented html sanitisation

diff --git a/IkiWiki/Render.pm b/IkiWiki/Render.pm
index dfa598da0e4e0f8773d9b19a83464ea52f408f13..d0d28e80276db70650a196323fea9054d79967cc 100644 (file)
--- a/IkiWiki/Render.pm
+++ b/IkiWiki/Render.pm
@@ -18,6 +18,40 @@ sub linkify ($$) { #{{{
        return $content;
 } #}}}
 
        return $content;
 } #}}}
 

+my $_scrubber;
+sub scrubber { #{{{
+       return $_scrubber if defined $_scrubber;
+       
+       eval q{use HTML::Scrubber};
+       # Lists based on http://feedparser.org/docs/html-sanitization.html
+       $_scrubber = HTML::Scrubber->new(
+               allow => [qw{
+                       a abbr acronym address area b big blockquote br
+                       button caption center cite code col colgroup dd del
+                       dfn dir div dl dt em fieldset font form h1 h2 h3 h4
+                       h5 h6 hr i img input ins kbd label legend li map
+                       menu ol optgroup option p pre q s samp select small
+                       span strike strong sub sup table tbody td textarea
+                       tfoot th thead tr tt u ul var
+               }],
+               default => [undef, { map { $_ => 1 } qw{
+                       abbr accept accept-charset accesskey action
+                       align alt axis border cellpadding cellspacing
+                       char charoff charset checked cite class
+                       clear cols colspan color compact coords
+                       datetime dir disabled enctype for frame
+                       headers height href hreflang hspace id ismap
+                       label lang longdesc maxlength media method
+                       multiple name nohref noshade nowrap prompt
+                       readonly rel rev rows rowspan rules scope
+                       selected shape size span src start summary
+                       tabindex target title type usemap valign
+                       value vspace width
+               }}],
+       );
+       return $_scrubber;
+} # }}}
+

 sub htmlize ($$) { #{{{
        my $type=shift;
        my $content=shift;
 sub htmlize ($$) { #{{{
        my $type=shift;
        my $content=shift;


@@ -30,11 +64,17 @@ sub htmlize ($$) { #{{{
        }
        
        if ($type eq '.mdwn') {
        }
        
        if ($type eq '.mdwn') {

-               return Markdown::Markdown($content);
+               $content=Markdown::Markdown($content);

        }
        else {
                error("htmlization of $type not supported");
        }
        }
        else {
                error("htmlization of $type not supported");
        }

+
+       if ($config{sanitize}) {
+               $content=scrubber()->scrub($content);
+       }
+       
+       return $content;

 } #}}}
 
 sub backlinks ($) { #{{{
 } #}}}
 
 sub backlinks ($) { #{{{

diff --git a/debian/control b/debian/control
index 9d2e0c4611eb7feb3c9cef6b575f4ce2534a9d54..66c21e8a575f0a3fb106145196c0bf1cce80a33c 100644 (file)
--- a/debian/control
+++ b/debian/control
@@ -1,13 +1,13 @@
 Source: ikiwiki
 Section: web
 Priority: optional
 Source: ikiwiki
 Section: web
 Priority: optional

-Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl
+Build-Depends: debhelper (>= 5), dpkg-dev (>= 1.9.0), markdown, libhtml-template-perl, libhtml-scrubber-perl

 Maintainer: Joey Hess <joeyh@debian.org>
 Standards-Version: 3.6.2
 
 Package: ikiwiki
 Architecture: all
 Maintainer: Joey Hess <joeyh@debian.org>
 Standards-Version: 3.6.2
 
 Package: ikiwiki
 Architecture: all

-Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler
+Depends: ${perl:Depends}, markdown, libtimedate-perl, libhtml-template-perl, libhtml-scrubber-perl, libcgi-formbuilder-perl (>= 3.02.02), libtime-duration-perl, libcgi-session-perl, libmail-sendmail-perl, gcc | c-compiler

 Recommends: subversion, hyperestraier
 Suggests: viewcvs
 Description: a wiki compiler
 Recommends: subversion, hyperestraier
 Suggests: viewcvs
 Description: a wiki compiler

diff --git a/doc/htmlsanitization.mdwn b/doc/htmlsanitization.mdwn
new file mode 100644 (file)
index 0000000..617753e
--- /dev/null
+++ b/doc/htmlsanitization.mdwn
@@ -0,0 +1,30 @@
+When run with the --sanitize switch, which is turned on by default (see
+[[usage]], ikiwiki sanitizes the html on pages it renders to avoid XSS
+attacks and the like.
+
+ikiwiki excludes all html tags and attributes except for those that are
+whitelisted using the same lists as used by Mark Pilgrim's Universal Feed
+Parser, documented at <http://feedparser.org/docs/html-sanitization.html>.
+Notably it strips `style`, `link`, and the `style` attribute.
+
+ikiwiki uses the HTML::Scrubber perl module to perform its html
+sanitisation, and this perl module also deals with various entity encoding
+tricks.
+
+While I beleive that this makes ikiwiki as resistant to malicious html
+content as anything else on the web, I cannot guarantee that it will
+actually protect every user of every browser from every browser security
+hole, badly designed feature, etc. I can provide NO WARRANTY, like it says
+in ikiwiki's [[GPL]] license. 
+
+The web's security model is *fundamntally broken*; ikiwiki's HTML
+sanitisation is only a patch on the underlying gaping hole that is your web
+browser.
+
+----
+
+Some examples of embedded javascript that won't be let through.
+
+<span style="background: url(javascript:window.location='http://example.org/')">test</span>
+<span style="&#x61;&#x6e;&#x79;&#x3a;&#x20;&#x65;&#x78;&#x70;&#x72;&#x65;&#x73;&#x73;&#x69;&#x6f;&#x6e;&#x28;&#x77;&#x69;&#x6e;&#x64;&#x6f;&#x77;&#x2e;&#x6c;&#x6f;&#x63;&#x61;&#x74;&#x69;&#x6f;&#x6e;&#x3d;&#x27;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x65;&#x78;&#x61;&#x6d;&#x70;&#x6c;&#x65;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x27;&#x29;">test</span>
+<span style="&#97;&#110;&#121;&#58;&#32;&#101;&#120;&#112;&#114;&#101;&#115;&#115;&#105;&#111;&#110;&#40;&#119;&#105;&#110;&#100;&#111;&#119;&#46;&#108;&#111;&#99;&#97;&#116;&#105;&#111;&#110;&#61;&#39;&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#46;&#111;&#114;&#103;&#47;&#39;&#41;">test</span>

diff --git a/doc/ikiwiki.setup b/doc/ikiwiki.setup
index c773855830eb7d0ea842666683ea154eb49da29c..9775b3194931922a481301c498061086b1de2aa2 100644 (file)
--- a/doc/ikiwiki.setup
+++ b/doc/ikiwiki.setup
@@ -50,4 +50,6 @@ use IkiWiki::Setup::Standard {
        rss => 1,
        # Use the Hyper Estraier search engine?
        #hyperestraier => 1,
        rss => 1,
        # Use the Hyper Estraier search engine?
        #hyperestraier => 1,

+       # Sanitize html?
+       sanitize => 1,

 }
 }

diff --git a/doc/news/sanitization.html b/doc/news/sanitization.html
new file mode 100644 (file)
index 0000000..6ce2541
--- /dev/null
+++ b/doc/news/sanitization.html
@@ -0,0 +1,7 @@
+ikiwiki's main outstanding security hole, lack of [[HtmlSanitization]] has
+now been addressed. ikiwiki now sanitizes html by default.
+
+If only trusted parties can edit your wiki's content, then you might want
+to turn this sanitization back off to allow use of potentially dangerous
+tags. To do so, pass --no-sanitize or set "sanitize => 0," in your
+[[ikiwiki.setup]].

diff --git a/doc/security.mdwn b/doc/security.mdwn
index bc5e318c9e900ad649e5cab22357ba21bc366786..00b8e88247205a342a461460da6ad11a02c13389 100644 (file)
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -8,21 +8,18 @@ to be kept in mind.
 
 # Probable holes
 
 
 # Probable holes
 

-## html attacks
+## XSS holes in CGI output

 
 

-ikiwiki does not attempt to do any santization of the html on the wiki.
-[[MarkDown]] allows embedding of arbitrary html into a markdown document. If
-you let anyone else edit files on the wiki, then anyone can have fun exploiting
-the web browser bug of the day. This type of attack is typically referred
-to as an XSS attack ([google](http://www.google.com/search?q=xss+attack)).
+ikiwiki has not yet been audited to ensure that all cgi script output is
+sanitised to prevent XSS attacks.

 
 ## image files etc attacks
 
 If it enounters a file type it does not understand, ikiwiki just copies it
 into place. So if you let users add any kind of file they like, they can
 
 ## image files etc attacks
 
 If it enounters a file type it does not understand, ikiwiki just copies it
 into place. So if you let users add any kind of file they like, they can

-upload images, movies, windows executables, css files, etc. If these files
-exploit security holes in the browser of someone who's viewing the wiki,
-that can be a security problem.
+upload images, movies, windows executables, css files, etc (though not html
+files). If these files exploit security holes in the browser of someone
+who's viewing the wiki, that can be a security problem.

 
 Of course nobody else seems to worry about this in other wikis, so should we?
 
 
 Of course nobody else seems to worry about this in other wikis, so should we?
 


@@ -193,3 +190,7 @@ would still be possible to use this attack to confuse ikiwiki into
 rendering the wrong thing. This is not currently possible, but must be kept
 in mind in the future when for example adding support for generating html
 pages from source with some other extension.
 rendering the wrong thing. This is not currently possible, but must be kept
 in mind in the future when for example adding support for generating html
 pages from source with some other extension.

+
+## XSS attacks in page content
+
+ikiwiki supports [[HtmlSanitistion]], though it can be turned off.

diff --git a/doc/setup.mdwn b/doc/setup.mdwn
index 29ce068b81aa7a62b2b758e59d4aaa0878904812..818335257f1a9eec1cc8dad36d83821d4ecbbc66 100644 (file)
--- a/doc/setup.mdwn
+++ b/doc/setup.mdwn
@@ -9,7 +9,7 @@ optional support for commits from the web.
    Ikiwiki requires [[MarkDown]] be installed, and also uses the following
    perl modules: `CGI::Session` `CGI::FormBuilder` (version 3.02.02 or
    newer) `HTML::Template` `Mail::SendMail` `Time::Duration` `Date::Parse`
    Ikiwiki requires [[MarkDown]] be installed, and also uses the following
    perl modules: `CGI::Session` `CGI::FormBuilder` (version 3.02.02 or
    newer) `HTML::Template` `Mail::SendMail` `Time::Duration` `Date::Parse`

-   (libtimedate-perl)
+   (libtimedate-perl), `HTML::Scrubber`

 
 2. Create the subversion repository for your wiki.
 
 
 2. Create the subversion repository for your wiki.
 

diff --git a/doc/todo/1.0_release_blockers.mdwn b/doc/todo/done/1.0_release_blockers.mdwn
similarity index 100%
rename from doc/todo/1.0_release_blockers.mdwn
rename to doc/todo/done/1.0_release_blockers.mdwn

diff --git a/doc/usage.mdwn b/doc/usage.mdwn
index ca805ce3350df747a0dfa531680c662b972de84d..34e6bd1d441786178ba553ebecc606d01345ff75 100644 (file)
--- a/doc/usage.mdwn
+++ b/doc/usage.mdwn
@@ -167,6 +167,11 @@ These options configure the wiki.
   Currently allows locking of any page, other powers may be added later.
   May be specified multiple times for multiple admins.
 
   Currently allows locking of any page, other powers may be added later.
   May be specified multiple times for multiple admins.
 

+* --sanitize
+
+  Enable [[HtmlSanitization]] of wiki content. On by default, disable with
+  --no-sanitize.
+

 * --hyperestraier
 
   Enables use of the [[HyperEstraier]] search engine for full test page
 * --hyperestraier
 
   Enables use of the [[HyperEstraier]] search engine for full test page

diff --git a/ikiwiki b/ikiwiki
index 2dbb42bc483a042d3231685fc57c9ede74bea9d0..2087b1bafec4f6d2020d11f15e0414a02d31c022 100755 (executable)
--- a/ikiwiki
+++ b/ikiwiki
@@ -34,6 +34,7 @@ sub getconfig () { #{{{
                        diffurl => '',
                        anonok => 0,
                        rss => 0,
                        diffurl => '',
                        anonok => 0,
                        rss => 0,

+                       sanitize => 1,

                        rebuild => 0,
                        refresh => 0,
                        getctime => 0,
                        rebuild => 0,
                        refresh => 0,
                        getctime => 0,


@@ -66,6 +67,7 @@ sub getconfig () { #{{{
                        "rss!" => \$config{rss},
                        "cgi!" => \$config{cgi},
                        "notify!" => \$config{notify},
                        "rss!" => \$config{rss},
                        "cgi!" => \$config{cgi},
                        "notify!" => \$config{notify},

+                       "sanitize!" => \$config{sanitize},

                        "url=s" => \$config{url},
                        "cgiurl=s" => \$config{cgiurl},
                        "historyurl=s" => \$config{historyurl},
                        "url=s" => \$config{url},
                        "cgiurl=s" => \$config{cgiurl},
                        "historyurl=s" => \$config{historyurl},