[dev] [cvs] commit: ansel edit_dates.php map_edit.php ansel/gallery sort.php ansel/lib Ansel.php Faces.php ansel/lib/Block gallery.php random_photo.php ansel/lib/Tile DateGallery.php Gallery.php ansel/lib/Views Image.php ansel/lib/Widget Actions.php Geodata.php ...

Jan Schneider jan at horde.org
Sun Jul 12 15:30:45 UTC 2009


Quoting Michael Rubinsky <mrubinsk at horde.org>:

>
> Quoting Jan Schneider <jan at horde.org>:
>
>> This opens all kind of XSS holes.
>
> I'm not quite sure I see why. IIRC, these are all image tags whose src is
> generated with Ansel::getImageUrl() - which must have a valid image id or it
> fails. Even when doing this via the Horde::img() method, the src attribute
> is never escaped anyway, so unless I'm missing something, this is identical
> to calling Horde::img() in that respect.
>
> I have no problem reverting this back to using Horde::img though, but will
> wait for Michael S. to get in on the discussion since this was done at his
> request.

It's not the src attributes but the unescaped alt/title attributes that
partially contain user contributed data.

>> Quoting Michael Rubinsky <mike at theupstairsroom.com>:
>>
>>> mrubinsk    2009-06-30 11:48:11 EDT
>>>
>>> Modified files:        (Branch: FRAMEWORK_3)
>>>   .                    edit_dates.php map_edit.php
>>>   gallery              sort.php
>>>   lib                  Ansel.php Faces.php
>>>   lib/Block            gallery.php random_photo.php
>>>   lib/Tile             DateGallery.php Gallery.php
>>>   lib/Views            Image.php
>>>   lib/Widget           Actions.php Geodata.php
>>>   templates/captions   captions.inc
>>>   templates/image      crop_image.inc edit_image.inc
>>>                        preview_cropimage.inc preview_image.inc
>>>                        resize_image.inc
>>>   templates/rss        rss.inc rss2.inc
>>>   templates/tile       image.inc
>>>   templates/view       image.inc
>>> Log:
>>> MFH: Don't use Horde::img() as a shortcut for generating <img> tags
>>>
>>> 1.6       +2 -2      ansel/edit_dates.php
>>> 1.27      +5 -5      ansel/gallery/sort.php
>>> 1.602     +2 -3      ansel/lib/Ansel.php
>>> 1.51      +2 -4      ansel/lib/Block/gallery.php
>>> 1.37      +2 -3      ansel/lib/Block/random_photo.php
>>> 1.26      +4 -5      ansel/lib/Faces.php
>>> 1.12      +3 -5      ansel/lib/Tile/DateGallery.php
>>> 1.39      +2 -2      ansel/lib/Tile/Gallery.php
>>> 1.83      +2 -2      ansel/lib/Views/Image.php
>>> 1.51      +2 -2      ansel/lib/Widget/Actions.php
>>> 1.37      +2 -2      ansel/lib/Widget/Geodata.php
>>> 1.13      +2 -2      ansel/map_edit.php
>>> 1.27      +1 -1      ansel/templates/captions/captions.inc
>>> 1.11      +1 -1      ansel/templates/image/crop_image.inc
>>> 1.54      +1 -1      ansel/templates/image/edit_image.inc
>>> 1.5       +1 -1      ansel/templates/image/preview_cropimage.inc
>>> 1.29      +1 -1      ansel/templates/image/preview_image.inc
>>> 1.10      +1 -1      ansel/templates/image/resize_image.inc
>>> 1.4       +1 -1      ansel/templates/rss/rss.inc
>>> 1.7       +1 -1      ansel/templates/rss/rss2.inc
>>> 1.31      +2 -2      ansel/templates/tile/image.inc
>>> 1.96      +10 -13    ansel/templates/view/image.inc
>>>
>>> Revision    Changes    Path
>>> 1.2.2.5     +2 -2      ansel/edit_dates.php
>>> 1.23.2.3    +5 -5      ansel/gallery/sort.php
>>> 1.517.2.58  +2 -3      ansel/lib/Ansel.php
>>> 1.45.2.6    +2 -4      ansel/lib/Block/gallery.php
>>> 1.35.2.2    +2 -3      ansel/lib/Block/random_photo.php
>>> 1.18.2.5    +4 -5      ansel/lib/Faces.php
>>> 1.7.2.3     +3 -5      ansel/lib/Tile/DateGallery.php
>>> 1.36.2.2    +2 -2      ansel/lib/Tile/Gallery.php
>>> 1.68.2.13   +2 -2      ansel/lib/Views/Image.php
>>> 1.26.2.25   +2 -2      ansel/lib/Widget/Actions.php
>>> 1.1.2.22    +2 -2      ansel/lib/Widget/Geodata.php
>>> 1.1.2.13    +2 -2      ansel/map_edit.php
>>> 1.24.2.1    +1 -1      ansel/templates/captions/captions.inc
>>> 1.8.2.1     +1 -1      ansel/templates/image/crop_image.inc
>>> 1.51.2.1    +1 -1      ansel/templates/image/edit_image.inc
>>> 1.2.2.1     +1 -1      ansel/templates/image/preview_cropimage.inc
>>> 1.26.2.1    +1 -1      ansel/templates/image/preview_image.inc
>>> 1.7.2.1     +1 -1      ansel/templates/image/resize_image.inc
>>> 1.3.2.1     +1 -1      ansel/templates/rss/rss.inc
>>> 1.6.2.1     +1 -1      ansel/templates/rss/rss2.inc
>>> 1.29.2.1    +2 -2      ansel/templates/tile/image.inc
>>> 1.86.2.8    +10 -13    ansel/templates/view/image.inc
>>>
>>> Chora Links:
>>> http://cvs.horde.org/diff.php/ansel/edit_dates.php?rt=horde&r1=1.2.2.4&r2=1.2.2.5&ty=u
>>> http://cvs.horde.org/diff.php/ansel/gallery/sort.php?rt=horde&r1=1.23.2.2&r2=1.23.2.3&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Ansel.php?rt=horde&r1=1.517.2.57&r2=1.517.2.58&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Block/gallery.php?rt=horde&r1=1.45.2.5&r2=1.45.2.6&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Block/random_photo.php?rt=horde&r1=1.35.2.1&r2=1.35.2.2&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Faces.php?rt=horde&r1=1.18.2.4&r2=1.18.2.5&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Tile/DateGallery.php?rt=horde&r1=1.7.2.2&r2=1.7.2.3&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Tile/Gallery.php?rt=horde&r1=1.36.2.1&r2=1.36.2.2&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Views/Image.php?rt=horde&r1=1.68.2.12&r2=1.68.2.13&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Widget/Actions.php?rt=horde&r1=1.26.2.24&r2=1.26.2.25&ty=u
>>> http://cvs.horde.org/diff.php/ansel/lib/Widget/Geodata.php?rt=horde&r1=1.1.2.21&r2=1.1.2.22&ty=u
>>> http://cvs.horde.org/diff.php/ansel/map_edit.php?rt=horde&r1=1.1.2.12&r2=1.1.2.13&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/captions/captions.inc?rt=horde&r1=1.24&r2=1.24.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/image/crop_image.inc?rt=horde&r1=1.8&r2=1.8.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/image/edit_image.inc?rt=horde&r1=1.51&r2=1.51.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/image/preview_cropimage.inc?rt=horde&r1=1.2&r2=1.2.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/image/preview_image.inc?rt=horde&r1=1.26&r2=1.26.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/image/resize_image.inc?rt=horde&r1=1.7&r2=1.7.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/rss/rss.inc?rt=horde&r1=1.3&r2=1.3.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/rss/rss2.inc?rt=horde&r1=1.6&r2=1.6.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/tile/image.inc?rt=horde&r1=1.29&r2=1.29.2.1&ty=u
>>> http://cvs.horde.org/diff.php/ansel/templates/view/image.inc?rt=horde&r1=1.86.2.7&r2=1.86.2.8&ty=u
>>>
>>> --
>>> To unsubscribe, mail: cvs-unsubscribe at lists.horde.org
>>>
>>
>>
>>
>> Jan.
>>
>> -- 
>> Do you need professional PHP or Horde consulting?
>> http://horde.org/consulting/
>>
>
>
>
> Thanks,
> mike
>
> --
> The Horde Project (www.horde.org)
> mrubinsk at horde.org
>
> "Time just hates me. That's why it made me an adult." - Josh Joplin
>
> --
> Horde developers mailing list - Join the hunt: http://horde.org/bounties/
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: dev-unsubscribe at lists.horde.org
>



Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
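The point Jan raises is that a hand-built `<img>` tag is only as safe as the escaping applied to every attribute that carries user data, not just `src`. The following is an added illustration, not Ansel's or Horde's own code: a caption is placed into alt/title once unescaped (the shortcut that opens the hole) and once through `htmlspecialchars`. The `image_url()` helper is a constructed stand-in for `Ansel::getImageUrl()` and is assumed to return a safe URL for a valid image id.

```php
<?php
// Added example (not Ansel's own code). Builds an <img> tag whose alt/title
// come from user-contributed data (a caption) in an unsafe and a safe way.

// Constructed stand-in for Ansel::getImageUrl(): assumed to yield a safe URL.
function image_url(int $imageId): string
{
    return '/ansel/img/' . $imageId . '/screen.jpg';
}

// Unsafe: the caption is dropped into alt/title verbatim, so a double quote
// inside the caption ends the attribute value early and the rest of the
// caption is parsed as markup.
function img_tag_unescaped(int $imageId, string $caption): string
{
    return '<img src="' . image_url($imageId) . '" alt="' . $caption .
           '" title="' . $caption . '" />';
}

// Safe: every user-contributed attribute value is entity-encoded with
// ENT_QUOTES so ", ', <, > and & cannot terminate or alter the attribute.
function img_tag_escaped(int $imageId, string $caption): string
{
    $safe = htmlspecialchars($caption, ENT_QUOTES, 'UTF-8');
    return '<img src="' . image_url($imageId) . '" alt="' . $safe .
           '" title="' . $safe . '" />';
}

// Reviewer check: extract the alt/title values as a browser would (up to
// the next double quote) and report whether any raw < or " survived, i.e.
// whether the caption was able to leave the attribute context.
function attribute_values_intact(string $tag): bool
{
    preg_match_all('/\b(alt|title)="([^"]*)"/', $tag, $m);
    // Both attributes must parse and neither value may contain raw markup.
    return count($m[2]) === 2 &&
           strpos($m[2][0], '<') === false &&
           strpos($m[2][1], '<') === false;
}

// Constructed caption: quotes and angle brackets are legitimate in captions,
// which is exactly why the escaping has to happen at output time.
$caption = 'My "best" shot <3 & more';

echo img_tag_unescaped(42, $caption), PHP_EOL;
echo img_tag_escaped(42, $caption), PHP_EOL;
var_dump(attribute_values_intact(img_tag_unescaped(42, $caption))); // false
var_dump(attribute_values_intact(img_tag_escaped(42, $caption)));   // true
```

The same rule applies to the other templates in the commit: anything interpolated into an attribute (captions, face names, geodata labels) needs the escaped form, regardless of whether the surrounding tag is emitted by `Horde::img()` or by hand.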