From patchwork Fri Jul 5 02:07:01 2019
X-Patchwork-Submitter: Daniel Axtens
X-Patchwork-Id: 1127759
From: Daniel Axtens
To: patchwork@lists.ozlabs.org
Subject: [PATCH 0/2] XSS in Patchwork - CVE-2019-13122
Date: Fri, 5 Jul 2019 12:07:01 +1000
Message-Id: <20190705020703.6656-1-dja@axtens.net>
List-Id: Patchwork development

Andrew Donnellan discovered an XSS via the message-id field.

A malicious user could send a patch with a message ID that included a
script tag. Because of the quirks of the email RFCs, such a message ID
can survive being sent through many mail systems, including Gmail, and
be parsed and stored by Patchwork. When a user views a patch detail page
for the patch with this message id, the script would be run.

This is due to an erroneous mark_safe() in the template tag that renders
message IDs. This has been present since v1.1 of upstream Patchwork, but
does not affect the FreeDesktop fork.

The bug is fixed in patch 1. If you run a patchwork instance, you should
apply it immediately. There is also a test patch, patch 2, that you may
find helpful.

Over the last few days we have disclosed this bug to the admins of
patchwork instances that we could identify. We were hoping to give
people running instances a few more days but the embargo was
accidentally broken early, so we're letting you all know now.

I have already applied these patches to the git repository. I have also
backported the patches to 2.1 and 2.0, pushed them, and will do a new
release of both shortly.

Kind regards,
Daniel

Andrew Donnellan (2):
  templatetags: Do not mark output of msgid tag as safe
  tests: Add test for unescaped values in patch detail page

 patchwork/templatetags/patch.py |  3 ++-
 patchwork/tests/test_detail.py  | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
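As an added example, not Patchwork's code (this cover letter does not reproduce the template tag, and neither does the block below), the following standalone Python shows the defect class the series fixes: a Message-ID header that carries HTML is parsed and stored verbatim by the standard library's email parser, a render step that inlines the stored value untouched (the effect of mark_safe() on untrusted input) puts the tag on the page, and the escaped form does not. The sample message, the two render functions and page_is_safe() are constructed stand-ins; html.escape() stands in for Django's auto-escaping, and the regression check mirrors the intent of patch 2 rather than its actual test.

```python
"""Added example, not Patchwork's code: why mark_safe() on a Message-ID is an XSS.

Assumptions (constructed for this example): the message below, the two render
functions and page_is_safe(). html.escape() stands in for Django auto-escaping.
"""
import email
from html import escape

# Constructed sample mail. The Message-ID looks enough like "<local@domain>"
# that RFC 5322-tolerant parsers and many mail systems pass it through unchanged.
RAW_MAIL = (
    "From: someone@example.com\r\n"
    "To: patchwork@example.com\r\n"
    "Subject: [PATCH] constructed test patch\r\n"
    "Message-ID: <x<script>/*constructed*/</script>@example.com>\r\n"
    "\r\n"
    "--- a/file\r\n"
    "+++ b/file\r\n"
)


def parse_message_id(raw: str) -> str:
    """Parse the mail the way a patch tracker would and return the stored Message-ID.

    Nothing in the parser rejects '<' or '>' inside the id; the value is stored
    as-is, which is how the markup reaches the template later.
    """
    msg = email.message_from_string(raw)
    return msg["Message-ID"].strip()


def render_vulnerable(message_id: str) -> str:
    """Before the fix: the value is treated as trusted markup and inlined verbatim.

    This is what marking the tag's output safe does: the template engine skips
    escaping, so any tag inside the id becomes part of the page.
    """
    return f'<span class="msgid">{message_id}</span>'


def render_fixed(message_id: str) -> str:
    """After the fix: the value is not marked safe, so it is escaped on output.

    html.escape() with quote=True covers <, >, &, " and ', which is the minimum
    for text placed in element content or a quoted attribute.
    """
    return f'<span class="msgid">{escape(message_id, quote=True)}</span>'


def page_is_safe(rendered: str) -> bool:
    """Regression check: the literal tag must never appear in the rendered page.

    The escaped form '&lt;script&gt;' is harmless and passes; a raw '<script'
    (any case) fails.
    """
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    msgid = parse_message_id(RAW_MAIL)
    print("stored id :", msgid)
    print("vulnerable:", render_vulnerable(msgid), "->", page_is_safe(render_vulnerable(msgid)))
    print("fixed     :", render_fixed(msgid), "->", page_is_safe(render_fixed(msgid)))
```

The check in page_is_safe() is deliberately narrow: it catches the exact class of regression this series addresses (a value marked safe reaching the page), which is the right scope for a unit test that must keep passing as templates change. Broader output-encoding guarantees belong to the template engine's auto-escaping, which the fix re-enables by no longer marking the tag's output safe.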