html/template: user-supplied escapers can undermine contextual auto-escaping #19336
Comments
|
One way to fix this behavior is to do away with the escaper-merging behavior, and delete existing escapers from the pipeline if they are equivalent to any of the inserted escapers. For example, the following pipeline: should be rewritten as Since Caveat: This change will break existing html/template users who rely on this implied escaper-merging behavior. However, this security issue probably justifies this compatibility breakage. This change will only affect potentially insecure templates (i.e. templates whose rewritten pipelines do not end with the inserted escapers). |
|
After finding several other bugs associated with this escaper-merging logic, I think the best and simplest way to solve this would be to remove all user-supplied escapers (i.e. |
ALTree
added
the
NeedsInvestigation
|
CL https://golang.org/cl/37880 mentions this issue. |
…ring rewriting Report an error if a predefined escaper (i.e. "html", "urlquery", or "js") is found in a pipeline that will be rewritten by the contextual auto-escaper, instead of trying to merge the escaper-inserted escaping directives with these predefined escapers. This merging behavior is a source of several security and correctness bugs (eee golang#19336, golang#19345, golang#19352, and golang#19353.) This merging logic was originally intended to ease migration of text/template templates with user-defined escapers to html/template. Now that migration is no longer an issue, this logic can be safely removed. NOTE: this is a backward-incompatible change that fixes known security bugs (see linked issues for more details). It will explicitly break users that attempt to execute templates with pipelines containing predefined escapers. Fixes golang#19336, golang#19345, golang#19352, golang#19353 Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49 Reviewed-on: https://go-review.googlesource.com/37880 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
version: go version devel +4cce27a3fa Sat Jan 21 03:20:55 2017 +0000 linux/amd64
env: linux amd64
html/template rewrites pipelines and adds calls to the escaping functions necessary to correctly and safely embed the output of these pipelines in their HTML contexts. For example, the following pipeline:
is rewritten as
by the html/template escaper, where
formatAsLinkis the name of a user-defined function, and the rest of the_html_*names are names of internally-defined escapers.However, if the pipeline already contains any of the predefined escaper functions (i.e.
htmlorurlquery), and some of the escapers-to-be-inserted are considered equivalent, the html/template escaper will attempt to merge the inserted escapers with the existing predefined escapers, in order. For example,is rewritten as
since
_html_template_nospaceescaperandhtmlare considered equivalent, and the escaper preserves the order of the escaping operations (i.e. URL escaping first, then HTML escaping). However, in this example, the user-definedformatAsLinkfunction determines the final output of the pipeline. IfformatAsLinkcontains a bug that causes it to emit an unsafe URL, the rendered HTML will be vulnerable to Cross-Site Scripting (XSS).In general, users can shoot themselves in the foot if they manually escape their pipelines with
htmlorurlquerybecause of this escaper-merging behavior. This behavior should either be explicitly documented or changed.The text was updated successfully, but these errors were encountered: