Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

strconv: add HTML quoting for string returned by strconv.ParseInt error #13127

Closed
ianlancetaylor opened this issue Nov 2, 2015 · 7 comments
Closed

strconv: add HTML quoting for string returned by strconv.ParseInt error #13127

ianlancetaylor opened this issue Nov 2, 2015 · 7 comments
Labels
FrozenDueToAge
Milestone
Go1.6

Comments

@ianlancetaylor
Copy link
Contributor

We have a report of a potential XSS vulnerability due to code that does, effectively, this:

num, err := strconv.Atoi(r.URL.Query().Get("field"))
    if err != nil {
        http.Error(w, err.Error(), http.StatusBadRequest)
}

The issue is that strconv.Atoi and friends return the string they are trying to parse as part of the error value, and it is included in the err.Error string. http.Error adds headers that are intended to ensure that returned page is not interpreted as HTML, but reportedly some HTML readers ignore these options.

Perhaps this kind of code should be more careful, or perhaps strconv.ParseInt should not return the input in the error message, or perhaps HTML readers should not be buggy. But we are where we are. We don't necessarily have to change anything in the Go library, but it occurs to me that there is one relatively simple way to help code vulnerable to this sort of attack: quote all non-ASCII characters in the error message, and also quote any angle brackets. Since these characters can not reasonably appear in strings passed to strconv.Atoi and friends, this doesn't seem like a significant handicap, and should fit within the Go 1 compatibility guarantee.

I have a CL for this that I will send out. I've opened this issue for discussion in case people think this change might be unwise or unwarranted.
@ianlancetaylor ianlancetaylor self-assigned this Nov 2, 2015
@ianlancetaylor ianlancetaylor added this to the Go1.6 milestone Nov 2, 2015
@mdempsky
Copy link
Member

mdempsky commented Nov 2, 2015

It seems unfortunate for strconv to need to know about HTML escaping, and not all strconv errors will be output into an HTML relevant context (e.g., console/log output). It also punishes users who do proper HTML escaping already, because their error messages will be double escaped.

Does the report specify which HTML readers are vulnerable?

@DisposaBoy
Copy link

http.Error adds headers that are intended to ensure that returned page is not interpreted as HTML, but reportedly some HTML readers ignore these options.

If I understood the issue correctly, in this case, the client is broken and I don't think there's anything the server can reasonably do to fix that.
It's no different than if the server intentionally outputs

Content-Type: text/plain...
...
example code <script>alert('hello world')</script>

IMO, any code that dumps undefined internal state like error messages is broken and trying to be helpful is only going to mask the problem.

I also think that this would potentially make the error message useless because it would no longer report what it actually failed to parse (I input < and it complains about &lt;)

@gopherbot
Copy link

CL https://golang.org/cl/16538 mentions this issue.

@bradfitz
Copy link
Contributor

bradfitz commented Nov 2, 2015

I'm opposed to changing anything.

@ianlancetaylor
Copy link
Contributor Author

@mdempsky I agree that clearly strconv.ParseInt should not have to care about HTML quoting. In retrospect I think it was probably a mistake for the error returned by ParseInt to include the input string. That should have been left up to the caller, not made the default.

I am not worried about callers who do proper HTML quoting, because no normal input to ParseInt is going to include angle brackets anyhow. In any case, with my proposed change the error message simply won't contain any angle brackets, so any extra quoting done by the caller will most likely have no effect.

The report was for people using flash and Adobe reader plugins to Internet Explorer.

@DisposaBoy Yes, of course the HTML reader is broken. That is not in dispute here. The error message is already quoted using strconv.Quote, so in my opinion adding some additional quoting will do little harm.

@mdempsky
Copy link
Member

mdempsky commented Nov 2, 2015

To clarify, by "HTML escaping" I thought you were proposing that < and > would be replaced by &lt; and &gt;, which I'd be opposed to.

I see that strconv already does Go-style string literal escaping in error messages (e.g., " -> \"), and I think applying that sort of escaping to < and > (like in your CL) is okay, though unfortunate.

@rsc
Copy link
Contributor

rsc commented Nov 4, 2015

There's no reason strconv is exceptional here. Unless we're going to change every Error method in the entire code base, surely the fix belongs somewhere else. I filed #13150.

@rsc rsc closed this as completed Nov 4, 2015
@golang golang locked and limited conversation to collaborators Nov 4, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.6
Development

No branches or pull requests
6 participants
@bradfitz @mdempsky @rsc @DisposaBoy @ianlancetaylor @gopherbot