
filter ascii control chars for backspace #266

Open
sqlalchemy-bot opened this issue Aug 11, 2017 · 5 comments

Comments

@sqlalchemy-bot

Migrated issue, originally created by jvanasco (@jvanasco)

I've opened a ticket/PR with Markupsafe for this, but wanted to alert Mako on this too as addressing this behavior may be warranted on other filters.

Most Python libraries for form validation or text sanitizing will let ASCII control characters through. If they make it to Mako, they are rendered in the template as-is, and wind up in web browsers as non-printing characters.

That allows a malicious actor to carefully construct a payload such as this:

import y\bose\bm\bi\bt\be\b 

which looks like this on an HTML page:

import yosemite

However all the backspace control characters are in there and will copy/paste into a Python/ruby/etc terminal, where they are interpreted in realtime and become...

import os

If Mako is used as the engine on a coding website or bug reporting system, this introduces a way of tricking users into executing seemingly safe code that is actually malicious.

@sqlalchemy-bot

Michael Bayer (@zzzeek) wrote:

Did you confirm this for Mako?

@sqlalchemy-bot

jvanasco (@jvanasco) wrote:

Yeah. Only the url-encoding filter will escape it, turning \x08 into %08.

Here's an illustration:

from mako.template import Template

PRINT_RAW = True
bad_string = 'a\bc'
filters = (None,
           'u',
           'h',
           'x',
           'trim',
           'entity',
           'unicode',
           'decode.utf8',
           'n',
           )
for filt in filters:
    # None renders with Mako's defaults only; otherwise apply ${bad_string|filt}.
    template_string = """%s ${bad_string%s}""" % (filt, '|%s' % filt if filt else '')
    rendered = Template(template_string).render(bad_string=bad_string)
    # A filter "escapes" the backspace if \x08 no longer appears in the output.
    print("%s escapes \\b: %s" % (filt, '\b' not in rendered))
    if PRINT_RAW:
        print(repr(rendered))
        print("--")

Note that I'm using __repr__(); the print function will invoke the backspace control on the regular string in a console, and you'd just see c instead of a\x08c.
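For the "perhaps a filter" question raised in this thread, here is an added example (not code from the issue, from Mako or from MarkupSafe) of a stdlib-only filter that detects hidden control characters, rewrites them as visible escapes and then HTML-escapes the result; the module name `ctlfilter` in the wiring comment is an assumption.

```python
import html
import re

# C0 controls other than tab/LF/CR, plus DEL and the C1 range (U+0080-U+009F).
# Tab, newline and carriage return are kept because they are ordinary
# whitespace; everything else is invisible once a browser renders the page.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]")


def contains_control_chars(text: str) -> bool:
    """Detection check: does this string carry non-whitespace control characters?"""
    return _CONTROL_RE.search(text) is not None


def make_control_chars_visible(text: str) -> str:
    """Replace each hidden control character with a visible escape such as '\\x08'.

    Unlike deleting them, this keeps the evidence that something odd was
    submitted, which a reviewer on a bug tracker or code-sharing site wants to see.
    """
    return _CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def strip_control_chars(text: str) -> str:
    """Remove hidden control characters outright (the quieter alternative)."""
    return _CONTROL_RE.sub("", text)


def safe_html(text: str) -> str:
    """Combined filter: control characters made visible, then HTML-escaped.

    html.escape only introduces '&', ';' and alphanumerics, so the second step
    cannot reintroduce a control character removed by the first.
    """
    return html.escape(make_control_chars_visible(str(text)), quote=True)


if __name__ == "__main__":
    # Constructed sample reproducing the backspace trick from the issue.
    payload = "import y\bose\bm\bi\bt\be\b "
    print(repr(payload), "flagged:", contains_control_chars(payload))
    print(safe_html(payload))
    # Wiring into Mako (assumes this file is importable as `ctlfilter`):
    #   Template(src, imports=["from ctlfilter import safe_html"],
    #            default_filters=["safe_html"])
```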

@sqlalchemy-bot

Michael Bayer (@zzzeek) wrote:

I've got no resources to put thought into Mako these days; I've long wanted it to have a new maintainer. What is MarkupSafe doing?

@sqlalchemy-bot

jvanasco (@jvanasco) wrote:

MarkupSafe has a ticket + PR candidate pending (no comment on either yet). If they address it, Mako should be fine via the default HTML escaping.

A small number of Python (and other language) projects filter this out on form submission or rendering. I was surprised at how many websites allow this, though.

I don't see a need for this to be actively addressed in a filter. Perhaps a doc? It really only affects people who use Mako in a bug tracker or coding site.


bourke commented Nov 17, 2021

Noting that the MarkupSafe ticket has been closed without a resolution: pallets/markupsafe#71
