From: SourceForge.net <no...@so...> - 2007-11-28 09:37:42
Bugs item #1840139, was opened at 2007-11-28 01:27
Message generated for change (Comment added) made by nobody
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1840139&group_id=15494

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: Yes
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Cross-site scripting vulnerabilities in image map code

Initial Comment:
The JFreeChart image map code contains cross-site scripting vulnerabilities due to its lack of escaping chart titles, series names, etc. The attached diff (made against JFreeChart 1.0.6) contains a fix for the issues we have identified, although we have not made a systematic audit of the entire JFreeChart/JCommon code base to identify other possible problems.

The attached diff assumes that a function in JCommon's org.jfree.util.StringUtils will be created with the following signature:

    public static String htmlEscape(String input) { ... }

Unfortunately our policies prohibit us from releasing our own source code under GPL/LGPL, or we would provide you with an escaping function. However, such functions are fairly easy to write and many GPL implementations of them can be found on the web.

We have submitted this vulnerability via your sourceforge bug tracker system and we have marked it as private.

NOTE: Our standard vulnerability disclosure policy is to post a public announcement of the vulnerabilities no later than 30 days from the date we notify a vendor, which in this case will mean no later than December 28th 2007. We would like to work with the JFreeChart team so that our publication of our findings coincides with your release of a new fixed version of JFreeChart, assuming you can do this on or before December 28th.

Please respond to cha...@ra... with any questions or concerns. Thank you.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2007-11-28 01:37

Message:
Logged In: NO

I think you may be able to use org.jfree.xml.writer.XMLWriterSupport.normalize, although you need to update this to safely handle a wider range of characters. IMHO the absolute safest way to do this would be to use the normal escapes and then handle anything outside of a certain well-known range using numeric escapes of the style &#ddd;

Given a char c and a StringBuffer sb, something along these lines should be fairly safe even for Unicode:

    switch (c) {
        case '&':  sb.append("&amp;");  break; // handle this with &amp;
        case '<':  sb.append("&lt;");   break; // handle this with &lt;
        case '>':  sb.append("&gt;");   break; // handle this with &gt;
        case '\'': sb.append("&#39;");  break; // handle this with &#39; (note that &apos; is not valid in XML, only in HTML)
        case '"':  sb.append("&quot;"); break; // handle this with &quot;
        default:                               // everything else, be conservative
            int num = c;
            if (num < 32 || num > 126) {
                sb.append("&#");
                sb.append(Integer.toString(num));
                sb.append(";");
            } else {
                sb.append(c);              // printable ASCII passes through unchanged
            }
    }

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=115494&aid=1840139&group_id=15494
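The thread above asks for an htmlEscape(String) helper and sketches a conservative approach (named escapes for the HTML metacharacters, numeric references for everything outside printable ASCII). The following is an added example written for this page, not code from JFreeChart, JCommon or the reporter's patch; the class name ImageMapEscapeDemo, the areaTag and hasRawMarkup helpers, and the sample series name are all constructed for illustration. It goes slightly beyond the sketch by iterating over code points rather than chars, so that characters outside the Basic Multilingual Plane become one valid numeric reference instead of two invalid surrogate references.

```java
// Added example (not JFreeChart/JCommon code): a conservative HTML escaper of the
// kind the report asks for, plus a demonstration of why it matters for the
// quoted attributes of an image-map <area> element. Names are assumptions.
public class ImageMapEscapeDemo {

    /** Escapes a string for safe use as HTML text or inside a quoted attribute value. */
    public static String htmlEscape(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        int i = 0;
        while (i < input.length()) {
            // Work on code points so a supplementary character (e.g. an emoji) is
            // emitted as a single numeric reference rather than two surrogate halves.
            int cp = input.codePointAt(i);
            i += Character.charCount(cp);
            switch (cp) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break; // numeric form is valid in both HTML and XML
                default:
                    if (cp < 0x20 || cp > 0x7E) {
                        // Conservative: control characters and anything non-ASCII
                        // become numeric character references.
                        sb.append("&#").append(cp).append(';');
                    } else {
                        sb.append((char) cp);   // printable ASCII passes through unchanged
                    }
            }
        }
        return sb.toString();
    }

    /** Builds one image-map area element; the tooltip lands inside a double-quoted attribute. */
    public static String areaTag(String shape, String coords, String tooltip) {
        return "<area shape=\"" + shape + "\" coords=\"" + coords
             + "\" title=\"" + htmlEscape(tooltip) + "\" alt=\"\" />";
    }

    /** True if text still contains a character that could close an attribute or open a tag. */
    public static boolean hasRawMarkup(String escaped) {
        for (int i = 0; i < escaped.length(); i++) {
            char c = escaped.charAt(i);
            if (c == '<' || c == '>' || c == '"' || c == '\'') {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a series name taken from untrusted input (for example an
        // uploaded spreadsheet) that contains every character able to break out of
        // the title attribute, plus one non-ASCII character.
        String seriesName = "Q4 \"Sales\" <b>\u20ac & more</b>";
        String escaped = htmlEscape(seriesName);
        System.out.println("escaped title : " + escaped);
        System.out.println("raw markup left: " + hasRawMarkup(escaped));
        System.out.println(areaTag("rect", "10,10,50,50", seriesName));
    }
}
```

The important property for the image-map case is that the tooltip is emitted inside a double-quoted attribute, so escaping `"` is what prevents an attribute break-out; `<` and `>` are escaped as well so the same helper is safe for element text, and `&` is escaped first so that user-supplied text cannot smuggle in its own entities. Running the example shows no raw `<`, `>`, `"` or `'` surviving in the escaped title, while the euro sign comes through as a numeric reference that renders identically in HTML.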