Thread: [Pas-dev] css (security)
From: Mental <me...@ne...> - 2002-05-17 15:31:20
Hello. What do we think of dropping tags like SCRIPT, et al. from the request inside the RequestHandler? Sure, each page should be doing input validation, but if we prune off malicious code at the source, we win. It could even be configurable.

It would make things like this impossible on every page (this should be one long line):

http://www.neverlight.com/pas/css.psp?foo=%3Cscript%3Ealert('oops')%3C/script%3E

Since I never embed javascript, iframe or any html tags really in query parameters I was considering a couple different approaches.

URL encode all angle brackets. That would make the literal script print in the page when it retrieves the query parameter.

Look for all the malicious tags in the cert advisory re: css from a year or so ago and remove them. That would still let you embed image tags and what not (like on a discussion board), but would filter out 'known malicious' tags.

-- 
Mental (Me...@Ne...)
From: Kyle R . B. <mo...@vo...> - 2002-05-17 15:49:12
> What do we think of dropping tags like SCRIPT, et al. from the request
> inside the RequestHandler? Sure, each page should be doing input
> validation, but if we prune off malicious code at the source, we win. It
> could even be configurable.
>
> It would make things like this impossible on every page (this should be
> one long line):
>
> http://www.neverlight.com/pas/css.psp?foo=%3Cscript%3Ealert('oops')%3C/script%3E
>
> Since I never embed javascript, iframe or any html tags really in query
> parameters I was considering a couple different approaches.
>
> URL encode all angle brackets. That would make the literal script print
> in the page when it retrieves the query parameter.
>
> Look for all the malicious tags in the cert advisory re: css from a year
> or so ago and remove them. That would still let you embed image tags and
> what not (like on a discussion board), but would filter out 'known
> malicious' tags.

I'm aware of this kind of attack. Are there no possible instances where someone using Pas would actually use angle brackets? What about if/when we start handling XML? XML-RPC/SOAP?

We could have the default error handlers do the html entity encoding on form data so errors don't by default cause these issues. But transparently changing the input data could make developers who are not expecting that extremely frustrated.

If we institute a blanket solution we're bound to break something.

How about we make it either a filter module, or configurable behavior?

How can we deterministically say what/where data is allowed to have angle brackets? I'm not sure I can see how we can always do the right thing. I'm afraid we'll do the wrong thing often enough to make using Pas unpleasant.

I think I like the idea of either making it a plug-in or a run-time configuration option. It should be documented in the manuals somewhere...

Kyle

-- 
------------------------------------------------------------------------------
Wisdom and Compassion are inseparable.
-- Christmas Humphreys
mo...@vo... http://www.voicenet.com/~mortis
------------------------------------------------------------------------------
From: Mental <me...@ne...> - 2002-05-17 15:59:07
On Fri, 2002-05-17 at 11:48, Kyle R . Burton wrote:
> I'm aware of this kind of attack. Are there no possible instances where
> someone using Pas would actually use angle brackets? What about if/when
> we start handling XML? XML-RPC/SOAP?

Yes, but what if you never plan on using that? :)

It absolutely should be configurable. Just like the include file datecheck stuff.

And it doesn't need to be angle brackets we worry about. We can look for /\<\s*script/ whatever... this is why I'm asking. :)

An optional 'block the skript kiddies' filter might be nice.

> If we institute a blanket solution we're bound to break something.

Correct. Again, we could have several choices. And hopefully some user contributed filters as well.

> How about we make it either a filter module, or configurable behavior?

Yes.

> How can we deterministically say what/where data is allowed to have angle
> brackets? I'm not sure I can see how we can always do the right thing.
> I'm afraid we'll do the wrong thing often enough to make using Pas
> unpleasant.

I'm afraid you're off on the angle bracket thing. That was only one of my half baked ideas. The other was deterministically looking for <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>. The angle bracket thing was my over simplified method for dealing with them.

If developers _want_ to pass these along, then in my mind that's no different than complaining something isn't suid. If you want to disable the safety, fine. But don't complain to me when you shoot yourself in the foot. That's all.

> I think I like the idea of either making it a plug-in or a run-time
> configuration option. It should be documented in the manuals somewhere...

Ok, so a plugin you can optionally turn off that looks for the tags mentioned in the cert advisory (http://www.cert.org/advisories/CA-2000-02.html) then?

-- 
Mental (Me...@Ne...)
From: Kyle R . B. <mo...@vo...> - 2002-05-17 16:05:38
> Yes, but what if you never plan on using that? :)

True. True.

> It absolutely should be configurable. Just like the include file
> datecheck stuff.

Great.

> And it doesn't need to be angle brackets we worry about. We can look for
> /\<\s*script/ whatever... this is why I'm asking. :)
>
> An optional 'block the skript kiddies' filter might be nice.

Ah, I wasn't thinking that way. Give the hamster a minute to get the wheel cranked all the way up.

> Correct. Again, we could have several choices. And hopefully some user
> contributed filters as well.

That would rock.

> I'm afraid you're off on the angle bracket thing. That was only one of
> my half baked ideas. The other was deterministically looking for
> <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>
> The angle bracket thing was my over simplified method for dealing with
> them.

I like this. That would be a nice filter to have. This would be an inbound filter for query data correct? I am liking this more and more...

> If developers _want_ to pass these along, then in my mind that's no
> different than complaining something isn't suid. If you want to disable
> the safety, fine. But don't complain to me when you shoot yourself in the
> foot. That's all.

Ok, we do it as an optional input filter with the default behavior being set to on. If they turn it off, that's their decision.

> Ok, so a plugin you can optionally turn off that looks for the tags
> mentioned in the cert advisory
> (http://www.cert.org/advisories/CA-2000-02.html) then?

+1

You know if we have this feature, it'll set our product apart from most of the other web development systems out there...

Thanks for the idea Jason!

Kyle
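The filter the two of them converge on above (an inbound query-data filter that is on by default, strips the SCRIPT/OBJECT/APPLET/EMBED tags from the CERT advisory with a whitespace-tolerant, case-insensitive match, and can be switched to the angle-bracket-encoding variant or off entirely) is sketched below in Python as an added illustration. It is not Pas code, and the class name `InboundFilter`, the mode names and the regular expression are assumptions; the input is the query string from the URL quoted earlier in the thread.

```python
import re
from html import escape
from urllib.parse import parse_qs

# The four element names singled out in the thread. The pattern allows
# whitespace after "<" and before the name (the /\<\s*script/ idea),
# matches both opening and closing forms, and is case-insensitive.
DANGEROUS_TAGS = ("script", "object", "applet", "embed")
TAG_RE = re.compile(
    r"<\s*/?\s*(?:%s)\b[^>]*>" % "|".join(DANGEROUS_TAGS),
    re.IGNORECASE,
)


class InboundFilter:
    """Hypothetical inbound query-data filter (name and modes are assumed).

    mode="strip"   remove the deny-listed tags, leave other markup alone
    mode="encode"  entity-encode every angle bracket instead
    mode="off"     pass data through untouched (the developer opted out)
    The default is "strip", i.e. the filter is on unless switched off.
    """

    def __init__(self, mode="strip"):
        if mode not in ("strip", "encode", "off"):
            raise ValueError("unknown filter mode: %r" % mode)
        self.mode = mode

    def clean(self, value):
        """Filter one parameter value according to the configured mode."""
        if self.mode == "off":
            return value
        if self.mode == "encode":
            # "<" and ">" become "&lt;" and "&gt;", so the text prints literally.
            return escape(value, quote=False)
        # Re-run the substitution until the value stops changing, so that a
        # removal which leaves a new deny-listed tag behind is also caught.
        previous = None
        while previous != value:
            previous, value = value, TAG_RE.sub("", value)
        return value

    def filter_query(self, query_string):
        """Decode a raw query string and filter every parameter value."""
        params = parse_qs(query_string, keep_blank_values=True)
        return {name: [self.clean(v) for v in values]
                for name, values in params.items()}


if __name__ == "__main__":
    # Constructed input: the query string from the URL quoted in the thread,
    # plus a harmless bold tag to show that other markup survives "strip".
    demo = "foo=%3Cscript%3Ealert('oops')%3C/script%3E&bar=%3Cb%3Ehi%3C/b%3E"
    for mode in ("strip", "encode", "off"):
        print(mode, InboundFilter(mode).filter_query(demo))
```

In "strip" mode the `<b>` in `bar` survives while `foo` collapses to the bare text `alert('oops')`; in "encode" mode both values are printable but inert. The deny-list variant is the convenience the thread wants for discussion-board style input; Kyle's other suggestion, entity-encoding at the point where the page emits the value, is the one that does not depend on the list being complete, and the two are complementary rather than alternatives.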
From: Kyle R . B. <mo...@vo...> - 2002-05-17 16:08:43
> > And it doesn't need to be angle brackets we worry about. We can look for
> > /\<\s*script/ whatever... this is why I'm asking. :)
> >
> > An optional 'block the skript kiddies' filter might be nice.

Ok, step 1 should be for you to write up your idea for the filter system and this first filter implementation and put it in the docs directory for now. Maybe create a proposals subdirectory? We'll keep discussing the ideas and tweaking them on the mailing list, but putting them down into a document will make them real.

k
From: Mental <me...@ne...> - 2002-05-17 16:16:19
On Fri, 2002-05-17 at 12:05, Kyle R . Burton wrote:
> > I'm afraid you're off on the angle bracket thing. That was only one of
> > my half baked ideas. The other was deterministically looking for
> > <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>
> > The angle bracket thing was my over simplified method for dealing with
> > them.
>
> I like this. That would be a nice filter to have. This would be an
> inbound filter for query data correct? I am liking this more and more...

Yes.

<snip>

> You know if we have this feature, it'll set our product apart from
> most of the other web development systems out there...

Like dynamic recompilation based on changes to include files? :)

> Thanks for the idea Jason!

Don't thank me till you see the code. :/

So far on my TODO is:

Postgres Episode 1: Make It Go
Inbound Request Data: The Inquisition
Page Object Metadata Objects: The Recursion of the Page Object Metadata Objects

-- 
Mental (Me...@Ne...)