Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bpo-35603: Escape table header of make_table output that can cause potential XSS #11341

Merged
merged 3 commits into from
Dec 29, 2018
Merged

bpo-35603: Escape table header of make_table output that can cause potential XSS #11341

merged 3 commits into from
Dec 29, 2018

Conversation

tirkarthi
Copy link
Member

@tirkarthi tirkarthi commented Dec 28, 2018
edited by bedevere-bot
Loading

  • fromdesc and todesc should be escaped since rendering unescaped HTML might lead to code execution in the browser rendering them as tags.

https://bugs.python.org/issue35603

serhiy-storchaka
serhiy-storchaka reviewed Dec 28, 2018
View reviewed changes
Lib/difflib.py
@@ -2036,6 +2036,10 @@ def make_table(self,fromlines,tolines,fromdesc='',todesc='',context=False,
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use html.escape()?

Copy link
Member Author

@tirkarthi tirkarthi Dec 28, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about the same but text which was encoded was using the logic inlined and there was some discussion in the issue about just inlining the logic to avoid dependency at https://bugs.python.org/issue914575#msg45518 which I realize now is about xml.sax and not html.

html module was also importing entities at

cpython/Lib/html/__init__.py

Line 6 in c465682

from html.entities import html5 as _html5
that seemed little import heavy for me. But if it's okay to import html then I think it's good to use html.escape across the module to avoid duplicate code.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, for a bug fix we can keep an inlined code and consider using html.escape() in a separate issue.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, thanks for the review.

serhiy-storchaka
serhiy-storchaka approved these changes Dec 28, 2018
View reviewed changes
Lib/difflib.py
@@ -2036,6 +2036,10 @@ def make_table(self,fromlines,tolines,fromdesc='',todesc='',context=False,
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, for a bug fix we can keep an inlined code and consider using html.escape() in a separate issue.

@serhiy-storchaka serhiy-storchaka added type-bug An unexpected behavior, bug, or error needs backport to 3.7 type-security A security issue labels Dec 28, 2018
@serhiy-storchaka serhiy-storchaka merged commit 78de011 into python:master Dec 29, 2018
@miss-islington
Copy link
Contributor

Thanks @tirkarthi for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

@bedevere-bot
Copy link

GH-11353 is a backport of this pull request to the 3.7 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Dec 29, 2018
@tirkarthi @miss-islington
bpo-35603: Escape table header of make_table output that can cause po…
43fa0e9 
…tential XSS. (pythonGH-11341)

(cherry picked from commit 78de011)

Co-authored-by: Xtreak <tir.karthi@gmail.com>
@bedevere-bot
Copy link

GH-11354 is a backport of this pull request to the 3.6 branch.

miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Dec 29, 2018
@tirkarthi @miss-islington
bpo-35603: Escape table header of make_table output that can cause po…
280c53a 
…tential XSS. (pythonGH-11341)

(cherry picked from commit 78de011)

Co-authored-by: Xtreak <tir.karthi@gmail.com>
serhiy-storchaka added a commit that referenced this pull request Dec 29, 2018
@serhiy-storchaka
Revert "bpo-35603: Escape table header of make_table output that can …
13514f5 
…cause potential XSS. (GH-11341)"

This reverts commit 78de011.
@serhiy-storchaka serhiy-storchaka mentioned this pull request Dec 29, 2018
Merged
serhiy-storchaka added a commit that referenced this pull request Jan 2, 2019
@serhiy-storchaka
Revert "bpo-35603: Escape table header of make_table output that can …
830ddc7 
…cause potential XSS. (GH-11341)" (GH-11356)

This reverts commit 78de011.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serhiy-storchaka serhiy-storchaka serhiy-storchaka approved these changes

Assignees
No one assigned
Labels
type-bug An unexpected behavior, bug, or error type-security A security issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tirkarthi @miss-islington @bedevere-bot @serhiy-storchaka @the-knights-who-say-ni