[Building Sakai] Question on XSS URL cleaning

Kirschner, Beth bkirschn at umich.edu
Tue Feb 4 12:55:00 PST 2014


On Feb 4, 2014, at 3:00 PM, Noah Botimer <botimer at umich.edu> wrote:

> I think there are two separate issues here:
> 
> 1. The download URL generation seems to have broken if the stuff after /repository does not have "?" before the query parameters. By my reckoning, adding it will fix the download.
> 
That was my initial thought as well, and this does need to be fixed, but I don't think this is the problem.

The org.sakaiproject.portal.util.URLUtils.getSafePathInfo() method truncates the URL if it has an ampersand. So if the ampersand is there to separate URL query parameters or to encode special characters, it will be truncated. That doesn't seem right, and my initial thought was to remove the ampersand from the naughty list, but am looking to see if there's something I'm missing.

- Beth

> 2. Simply put, any input from the user emitted as (part of) a URL needs to be URL-encoded. If that's not happening somewhere, it's a bug. Anything more exotic or specialized is a probable bug.
> 
> Thanks,
> -Noah
> 
> On Feb 4, 2014, at 2:13 PM, Kirschner, Beth wrote:
> 
>> In SAK-23859, we added code to remove one possible XSS attack, by truncating URLs with the following characters:  \"'<>&
>> Unfortunately this also broke the OSP matrix download feature (SAK-25500), which generates URLs which look like this:
>> 	/tool/f6af4350-9b92-4c82-9db6-b298bcea9570/repository/1=1&1=1&manager=matrixManager&scaffoldingId=F16CB84C6AC085CB7FA3C4608FA937C8/test-1.zip
>> 
>> Does anyone know why the ampersand ('&') character is considered naughty? Is the concern that it could be used to encode and hide other naughty characters? If that's the case, I can change the code to clean out encoded characters (e.g. "&nn;"), but leave singleton ampersands alone.
>> 
>> Thoughts?
>> - Beth
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> 
>> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 
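As an added illustration of the two points in this thread (not code from Sakai or from either poster), the Java below contrasts a deny-list truncation that cuts the path at the first of `\"'<>&`, which is the behaviour described for `getSafePathInfo()`, with the approach Noah describes: build the URL from structural parts and percent-encode every user-supplied value. The `truncateAtNaughty` and `buildDownloadUrl` methods and the `/tool/{id}/repository/{file}?k=v` layout are hypothetical stand-ins written for this example; the sample URL is the one quoted in the thread.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

public class UrlCleaningDemo {

    // The characters the thread says SAK-23859 truncates on: backslash, double quote, single quote, <, >, &
    private static final String NAUGHTY = "\\\"'<>&";

    /**
     * Stand-in (not Sakai's code) for the truncating behaviour described for
     * URLUtils.getSafePathInfo(): cut the path at the first "naughty" character.
     */
    static String truncateAtNaughty(String pathInfo) {
        for (int i = 0; i < pathInfo.length(); i++) {
            if (NAUGHTY.indexOf(pathInfo.charAt(i)) >= 0) {
                return pathInfo.substring(0, i);
            }
        }
        return pathInfo;
    }

    /** Percent-encodes a single user-supplied value for use as a path segment or query value. */
    static String encodeComponent(String value) {
        try {
            // URLEncoder does application/x-www-form-urlencoded, so a space becomes '+';
            // rewrite it to %20 so the result is also valid inside a path segment.
            return URLEncoder.encode(value, "UTF-8").replace("+", "%20");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always supported", e);
        }
    }

    /**
     * Builds the download URL from structural parts plus encoded user values.
     * Layout (hypothetical, not the real OSP layout): /tool/{toolId}/repository/{fileName}?k=v&k=v
     * The '?' and '&' are emitted by this method, never taken from user input.
     */
    static String buildDownloadUrl(String toolId, String fileName, Map<String, String> query) {
        StringBuilder url = new StringBuilder("/tool/")
                .append(encodeComponent(toolId))
                .append("/repository/")
                .append(encodeComponent(fileName));
        String sep = "?";
        for (Map.Entry<String, String> e : query.entrySet()) {
            url.append(sep)
               .append(encodeComponent(e.getKey()))
               .append('=')
               .append(encodeComponent(e.getValue()));
            sep = "&";
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // The OSP download URL quoted in the thread.
        String osp = "/tool/f6af4350-9b92-4c82-9db6-b298bcea9570/repository/"
                + "1=1&1=1&manager=matrixManager&scaffoldingId=F16CB84C6AC085CB7FA3C4608FA937C8/test-1.zip";
        System.out.println("truncated: " + truncateAtNaughty(osp));
        // The deny list cuts the path at the first '&', leaving
        // "/tool/f6af4350-9b92-4c82-9db6-b298bcea9570/repository/1=1", so the legitimate download is lost.

        // Constructed sample: a file name carrying the markup characters the deny list was meant to stop.
        Map<String, String> query = new LinkedHashMap<>();
        query.put("manager", "matrixManager");
        query.put("scaffoldingId", "F16CB84C6AC085CB7FA3C4608FA937C8");
        String built = buildDownloadUrl("f6af4350-9b92-4c82-9db6-b298bcea9570", "test <1>&\"2\".zip", query);
        System.out.println("encoded:   " + built);
        // The '&' separators emitted by the builder survive, while the user-controlled file name becomes
        // test%20%3C1%3E%26%222%22.zip: it can neither split the URL nor inject markup when echoed back.
    }
}
```

The design point is that a deny list on the whole path cannot tell a delimiter from a payload, whereas encoding at the point where untrusted data is inserted keeps the delimiters the application wrote and neutralises the characters the user wrote; the receiving side decodes each component individually, so `%26` comes back as a literal `&` inside the file name rather than as a separator.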
