html/template: base64 html images in image tag are unsafe #20536

azr · 2017-05-31T10:50:45Z

Hello there

Is there a way to print that image ? Is normal that it is unsafe ?

What did you do?

https://play.golang.org/p/dOQHc3Y-n8

package main

import "os"
import "html/template"

func main() {
	img := `data:image/gif;base64,R0lGODlhGAAYALMPACAgLLW1w5WLp3lvjEdDWa+nwWRed87M4Fxdae/w/9LT4T8/S5eYpXl5h////////yH5BAEAAA8ALAAAAAAYABgAAASH8MlJq700qBPYwuCTOI7CACHGKAUCoOnFBA0cW0wS2DeVnz2ciRdsKGiAT1CSM9WWD2OJ0WgoewySjnqNIUYOXdXa+yYUiipD0A0hFImzml1WhNONdRv0JuEbdDd9JWOBMQt2hGN7GAsrR2pkN44MlQgIBAiMFwsDngMGBAQLmxeXVaSkUEsRADs= `

	var ImageTemplate string = `<img src="{{.}}">
{{.}}`

	template.Must(template.New("name").Parse(ImageTemplate)).Execute(os.Stdout, img)

}

What did you expect to see?

A bottle icon !

<img src="data:image/gif;base64,R0lGODlhGAAYALMPACAgLLW1w5WLp3lvjEdDWa+nwWRed87M4Fxdae/w/9LT4T8/S5eYpXl5h////////yH5BAEAAA8ALAAAAAAYABgAAASH8MlJq700qBPYwuCTOI7CACHGKAUCoOnFBA0cW0wS2DeVnz2ciRdsKGiAT1CSM9WWD2OJ0WgoewySjnqNIUYOXdXa+yYUiipD0A0hFImzml1WhNONdRv0JuEbdDd9JWOBMQt2hGN7GAsrR2pkN44MlQgIBAiMFwsDngMGBAQLmxeXVaSkUEsRADs= ">
data:image/gif;base64,R0lGODlhGAAYALMPACAgLLW1w5WLp3lvjEdDWa+nwWRed87M4Fxdae/w/9LT4T8/S5eYpXl5h////////yH5BAEAAA8ALAAAAAAYABgAAASH8MlJq700qBPYwuCTOI7CACHGKAUCoOnFBA0cW0wS2DeVnz2ciRdsKGiAT1CSM9WWD2OJ0WgoewySjnqNIUYOXdXa+yYUiipD0A0hFImzml1WhNONdRv0JuEbdDd9JWOBMQt2hGN7GAsrR2pkN44MlQgIBAiMFwsDngMGBAQLmxeXVaSkUEsRADs=

What did you see instead?

<img src="#ZgotmplZ">
data:image/gif;base64,R0lGODlhGAAYALMPACAgLLW1w5WLp3lvjEdDWa+nwWRed87M4Fxdae/w/9LT4T8/S5eYpXl5h////////yH5BAEAAA8ALAAAAAAYABgAAASH8MlJq700qBPYwuCTOI7CACHGKAUCoOnFBA0cW0wS2DeVnz2ciRdsKGiAT1CSM9WWD2OJ0WgoewySjnqNIUYOXdXa+yYUiipD0A0hFImzml1WhNONdRv0JuEbdDd9JWOBMQt2hGN7GAsrR2pkN44MlQgIBAiMFwsDngMGBAQLmxeXVaSkUEsRADs=

Thoughts

I also tried with template.URLQueryEscaper, navigator doesnt get string as an image and template.HTMLEscapeString gets me the #ZgotmplZ

System details

go version go1.8.3 darwin/amd64
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/azr/go"
GORACE=""
GOROOT="/usr/local/Cellar/go/1.8.3/libexec"
GOTOOLDIR="/usr/local/Cellar/go/1.8.3/libexec/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/sq/zw92_59n6q9fvh0bw99jkfnw0000gn/T/go-build365313874=/tmp/go-build -gno-record-gcc-switches -fno-common"
CXX="clang++"
CGO_ENABLED="1"
PKG_CONFIG="pkg-config"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
GOROOT/bin/go version: go version go1.8.3 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.8.3 X:framepointer
uname -v: Darwin Kernel Version 16.5.0: Fri Mar  3 16:52:33 PST 2017; root:xnu-3789.51.2~3/RELEASE_X86_64
ProductName:	Mac OS X
ProductVersion:	10.12.4
BuildVersion:	16E195
lldb --version: lldb-370.0.42
  Swift-3.1
gdb --version: GNU gdb (GDB) 7.12.1

The text was updated successfully, but these errors were encountered:

azr · 2017-05-31T11:20:58Z

Also when I use <img covfefe="{{.}}"> the correct content is displayed, so I can have a js parser that does some little magic

ianlancetaylor · 2017-05-31T14:09:21Z

This is working as intended. It's not the base64 that is unsafe, it is the "data:" URL. If img were a user-supplied string, the data: URL could be anything. It works with covfefe because covfefe does not expect a URL.

Closing. Please comment if you disagree.

azr · 2017-05-31T14:20:36Z

Howdy, okay, I just read this: https://html5sec.org/ , got it: if we do <embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed> then ppl can arbitrarily execute code.

But shouldn't it be that data:text/html is dangerous and not data:image/* ?

Edit: may be also data:image/svg is dangerous

azr · 2017-06-04T14:26:42Z

What do you think @ianlancetaylor ?

azr · 2017-06-21T10:42:09Z

Bump @ianlancetaylor . It seems I'm reaching your spams.
I'll make another issue to re-start the discussion soon then.

ianlancetaylor · 2017-06-21T21:06:23Z

Sorry, reopening. Offhand I don't know the answer to your question. Is there a real problem here, or is this just theoretical?

CC @stjj89

stjj89 · 2017-06-21T21:43:35Z

But shouldn't it be that data:text/html is dangerous and not data:image/* ?

Edit: may be also data:image/svg is dangerous

Right, certain media MIME types (e.g. data:image/* and data:video/*) are probably safe. However, html/template's URL filter is conservative by design, and accepts only the http, https, and mailto schemes.

You can get around the URL filter by passing your URL to html/template as a template.URL rather than a plain string. This tells html/template that your URL is known to be safe, and therefore does not need to be filtered. See example at https://play.golang.org/p/cSORJiFSdI.

azr · 2017-06-21T23:21:27Z

Ah okay thanks @stjj89 , so I guess making data:image/* and data:video/* 'safe' will never happen ?
The source is not that trusted but if I double check input all should be safe enough, thanks again people for the answers.

ianlancetaylor · 2017-06-22T00:51:45Z

Closing since it seems there is nothing to do.

azr · 2017-06-22T20:08:44Z

"A good issue is a closed issue"
- ianlancetaylor

😆

stjj89 · 2017-06-22T20:18:14Z

Ah okay thanks @stjj89 , so I guess making data:image/* and data:video/* 'safe' will never happen ?
The source is not that trusted but if I double check input all should be safe enough, thanks again people for the answers.

I think it generally pays to remain conservative about our assumptions, but we could consider this in the future if enough users are running into this issue.

ianlancetaylor closed this as completed May 31, 2017

ianlancetaylor reopened this Jun 21, 2017

ianlancetaylor closed this as completed Jun 22, 2017

golang locked and limited conversation to collaborators Jun 22, 2018

gopherbot added the FrozenDueToAge label Jun 22, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

html/template: base64 html images in image tag are unsafe #20536

html/template: base64 html images in image tag are unsafe #20536

azr commented May 31, 2017 •

edited

azr commented May 31, 2017

ianlancetaylor commented May 31, 2017

azr commented May 31, 2017 •

edited

azr commented Jun 4, 2017

azr commented Jun 21, 2017 •

edited

ianlancetaylor commented Jun 21, 2017

stjj89 commented Jun 21, 2017

azr commented Jun 21, 2017 •

edited

ianlancetaylor commented Jun 22, 2017

azr commented Jun 22, 2017

stjj89 commented Jun 22, 2017

html/template: base64 html images in image tag are unsafe #20536

html/template: base64 html images in image tag are unsafe #20536

Comments

azr commented May 31, 2017 • edited

What did you do?

What did you expect to see?

What did you see instead?

Thoughts

System details

azr commented May 31, 2017

ianlancetaylor commented May 31, 2017

azr commented May 31, 2017 • edited

azr commented Jun 4, 2017

azr commented Jun 21, 2017 • edited

ianlancetaylor commented Jun 21, 2017

stjj89 commented Jun 21, 2017

azr commented Jun 21, 2017 • edited

ianlancetaylor commented Jun 22, 2017

azr commented Jun 22, 2017

stjj89 commented Jun 22, 2017

azr commented May 31, 2017 •

edited

azr commented May 31, 2017 •

edited

azr commented Jun 21, 2017 •

edited

azr commented Jun 21, 2017 •

edited