[xiph-commits] r15250 - websites/validator.xspf.org
sping at svn.xiph.org
sping at svn.xiph.org
Thu Sep 4 08:25:34 PDT 2008
Author: sping
Date: 2008-09-04 08:25:33 -0700 (Thu, 04 Sep 2008)
New Revision: 15250
Modified:
websites/validator.xspf.org/check.py
websites/validator.xspf.org/hello_uri.py
Log:
Fix file:/// vulnerability
Modified: websites/validator.xspf.org/check.py
===================================================================
--- websites/validator.xspf.org/check.py 2008-09-04 14:02:55 UTC (rev 15249)
+++ websites/validator.xspf.org/check.py 2008-09-04 15:25:33 UTC (rev 15250)
@@ -30,6 +30,11 @@
# -----------------------------------------------------------------------
# HISTORY
# -----------------------------------------------------------------------
+# 2008-09-04 -- Sebastian Pipping <webmaster at hartwork.org>
+#
+# * Fixed: [Security] Accessing local files was pssible
+# through using file URIs like file:///etc/passwd
+#
# 2008-08-25 -- Sebastian Pipping <webmaster at hartwork.org>
#
# * Fixed: 'xml:base' attribute now allowed anywhere, was
@@ -58,11 +63,8 @@
#
# 2007-09-21 -- Sebastian Pipping <webmaster at hartwork.org>
#
+# * Added: RFC 3986 URI validation
# * Fixed: Whitespace handling fixes copied over from libSpiff
-#
-# 2007-09-21 -- Sebastian Pipping <webmaster at hartwork.org>
-#
-# * Added: RFC 3986 URI validation
# * Changed: Code re-licensed under LGPLv3 (LGPL-Any before) to be
# able to use 4Suite's Apache-licensed URI validation code
# (http://www.gnu.org/licenses/lgpl-3.0.html)
@@ -125,7 +127,11 @@
# SELFBASE = co.co_filename
+def isSafeDownloadTarget(candidate):
+ schemeOrNone = Uri.GetScheme(candidate)
+ return (schemeOrNone != None) and (schemeOrNone.lower() == "http")
+
print """
<html lang="en" dir="ltr">
<head>
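Review bot: `isSafeDownloadTarget` rejects `https` even though a TLS URL is no more dangerous for this validator than plain `http`, so users with https-only hosts are locked out while the `file:///` case is fixed; an allow-list tuple keeps the same shape, `return scheme is not None and scheme.lower() in ("http", "https")`, and `is not None` is the idiomatic comparison. The function also deserves a one-line docstring stating its contract, e.g. `"""Return True only for http(s) URIs; blocks file://, ftp:// and other schemes before download."""`. Note that this check only inspects the URI the user submitted; whether the eventual download can land elsewhere depends on how `urllib2.urlopen` is driven in the handler below, which is not in this hunk.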
@@ -281,18 +287,21 @@
elif form.has_key("url"): ### and form.has_key("submitUrl")
url = form.getlist("url")[0]
- try:
- file = urllib2.urlopen(url)
- input = file.read()
- except ValueError:
- intro = """<b style="color:red;">Invalid URL.</b><br><br>"""
+ if not isSafeDownloadTarget(url):
+ intro = """<b style="color:red;">Download location not considered safe.<br>Please do <em>not</em> attack this site. Thanks.</b><br><br>"""
+ else:
+ try:
+ file = urllib2.urlopen(url)
+ input = file.read()
+ except ValueError:
+ intro = """<b style="color:red;">Invalid URL.</b><br><br>"""
- except urllib2.URLError:
- # 404, non-existent host, IPv6 (not supported), ...
- intro = """<b style="color:red">Could not download from URL.</b><br><br>"""
+ except urllib2.URLError:
+ # 404, non-existent host, IPv6 (not supported), ...
+ intro = """<b style="color:red">Could not download from URL.</b><br><br>"""
- if input != "":
- intro = "Validating data from URL<br><b><i><a href=\"" + url + "\" class=\"blackLink\">" + url + "</a></i></b><br><br>"
+ if input != "":
+ intro = "Validating data from URL<br><b><i><a href=\"" + url + "\" class=\"blackLink\">" + url + "</a></i></b><br><br>"
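Review bot: The new scheme check validates only the URL the user submitted, but `urllib2.urlopen` two lines below follows HTTP redirects, and urllib2 releases of this era do not restrict the scheme of the redirect target, so an attacker-hosted http:// URL answering with `Location: file:///etc/passwd` appears to bypass the guard; driving the download through an opener whose redirect handler re-applies `isSafeDownloadTarget` closes that. The last line of the hunk still writes `url` unescaped into both the href attribute and the link text, so a URL containing `"` or `<` gives reflected HTML injection — escape it once with `cgi.escape(url, True)` (cgi appears to be in use already for `form`, but confirm the import). The `file.read()` is also unbounded; a `read(limit)` would stop a large response from exhausting memory. The enclosing `if`/`elif` chain starts before the hunk and continues after it; the handler class below belongs at module level next to `isSafeDownloadTarget`.
```python
class _SafeRedirectHandler(urllib2.HTTPRedirectHandler):
    # Re-check the scheme on every hop; plain urllib2 would follow a redirect to file://.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not isSafeDownloadTarget(newurl):
            raise urllib2.HTTPError(newurl, code, "unsafe redirect target", headers, fp)
        return urllib2.HTTPRedirectHandler.redirect_request(
            self, req, fp, code, msg, headers, newurl)

# … unchanged: isSafeDownloadTarget check and the "not considered safe" message …
        try:
            file = urllib2.build_opener(_SafeRedirectHandler).open(url)
            input = file.read()
# … unchanged: ValueError / URLError handling …
        if input != "":
            safeUrl = cgi.escape(url, True)
            intro = "Validating data from URL<br><b><i><a href=\"" + safeUrl + "\" class=\"blackLink\">" + safeUrl + "</a></i></b><br><br>"
```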
Modified: websites/validator.xspf.org/hello_uri.py
===================================================================
--- websites/validator.xspf.org/hello_uri.py 2008-09-04 14:02:55 UTC (rev 15249)
+++ websites/validator.xspf.org/hello_uri.py 2008-09-04 15:25:33 UTC (rev 15250)
@@ -28,13 +28,26 @@
"sudo apt-get install python-4suite-xml"
sys.exit(1)
+print "Content-Type: text/html" # HTML is following
+print # blank line, end of headers
-def checkUri(candidate):
+
+def checkValidity(candidate):
print "* validUri(\"" + candidate + "\") == " \
- + str(Uri.MatchesUriRefSyntax(candidate))
+ + str(Uri.MatchesUriRefSyntax(candidate)) + "<br>"
+def isSafeDownloadTarget(candidate):
+ schemeOrNone = Uri.GetScheme(candidate)
+ return (schemeOrNone != None) and (schemeOrNone.lower() == "http")
-checkUri("http://www.xiph.org/")
-checkUri("abc%20def")
-checkUri("abc def")
+def checkSafety(candidate):
+ print "* safeUri(\"" + candidate + "\") == " \
+ + str(isSafeDownloadTarget(candidate)) + "<br>"
+
+checkValidity("http://www.xiph.org/")
+checkValidity("abc%20def")
+checkValidity("abc def")
+
+checkSafety("HTTP://www.example.org/")
+checkSafety("ftp://www.example.org/")
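Review bot: `isSafeDownloadTarget` is copied verbatim into this script rather than imported from check.py, so the two copies will drift the next time the allow-list changes and this smoke test would keep passing against a stale rule; importing it from the module under test (or moving it to a shared helper) keeps one source of truth. The new safety checks also never exercise the vector the commit fixes or the `None`-scheme path — adding `checkSafety("file:///etc/passwd")` and `checkSafety("abc def")` would make the expected `False` results visible in the output. The `checkValidity` label still prints `validUri(...)` after the rename; harmless, but worth aligning.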