FAQ
I've been using $c->req->uri_for()->as_string() to generate URLs for actions
when I need to switch between schemes (http and https). I've discovered that
this breaks for some malformed requests (using Catalyst 5.7015 on
Apache/2.2.9 (Debian)): if I do this:

telnet myserver 80
GET xxxxxxx HTTP/1.1
Host: myserver

Then $c->req->uri_for('action')->as_string() returns
'myserverxxxxxxx/action'. I wouldn't care much except that I'm required to
pass a security scan which appears to be being done by Nessus. One of the
checks it does is basically this:

telnet myserver 80
GET <IMG%20SRC=\"javascript:alert(cross_site_scripting.nasl);\"> / HTTP/1.1
Host: myserver

So the returned page includes their XSS test code in any https links because
I generated them from $c->req->uri_for()->as_string(), and so the security
test fails.

I've fixed this by generating the URLs differently
($c->req->uri_for()->host() seems unaffected) so it's not a problem any
more.

I thought a more generic fix might be useful but after a quick look at the
code it's too complex for me to come up with something right now. Hopefully
I can revisit this soon. Meanwhile, this message is intended to get some
relevant keywords into the list archive in case anyone else searches there
and might find it useful.

I'm not currently using Catalyst::Plugin::RequireSSL so I don't know if
that's affected by this. I expect I will discover that soon...

Merlyn Kline


  • Jonathan Rockway at Feb 20, 2009 at 5:34 pm

    On Fri, Feb 20 2009, Merlyn Kline wrote:
    > One of the checks it does is basically this:
    >
    > telnet myserver 80
    > GET <IMG%20SRC=\"javascript:alert(cross_site_scripting.nasl);\"> / HTTP/1.1
    > Host: myserver
    >
    > So the returned page includes their XSS test code in any https links because
    > I generated them from $c->req->uri_for()->as_string(), and so the security
    > test fails.
    The issue is that you need to escape the HTML output, right?

    <IMG SRC="..."> should become, when linkified, <a href="&lt;IMG
    SRC=&quot;...&quot;">.

    If you do that, there's no security problem... although the link is
    useless (which may be a secondary issue to deal with).

    (If the security scanner complains about the escaped form, it's dumb.
    It's not a security problem.)

    Regards,
    Jonathan Rockway

    --
    print just => another => perl => hacker => if $,=$"
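An added illustration of the two points in this thread (not code from Catalyst or from either poster): a URL string assembled from the raw request-target, as the original post describes, carries the scanner's markup straight into an href, HTML-escaping at output time (Jonathan's suggestion) neutralises it, and building the URL from the trusted host alone (Merlyn's workaround) keeps the junk out entirely. The `naive_uri_for` routine is a constructed approximation of the reported behaviour, not Catalyst's real `uri_for`, and the host check in `safe_uri_for` is an assumption of mine.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed sample request-target, taken from the scanner probe in the thread.
my $RAW_TARGET = '<IMG%20SRC="javascript:alert(cross_site_scripting.nasl);">';

# Approximation of the flawed behaviour reported: the Host header and the raw
# request-target are concatenated, then the action is appended.
sub naive_uri_for {
    my ($host, $target, $action) = @_;
    return "https://$host$target/$action";
}

# Minimal HTML attribute escaping; a template filter or HTML::Entities does the
# same job in a real application.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Build the URL from the trusted host only, never from the request-target.
# The hostname pattern is an assumption added here, not from the thread.
sub safe_uri_for {
    my ($host, $action) = @_;
    die "refusing to build URL from untrusted host '$host'\n"
        unless $host =~ /\A[A-Za-z0-9.-]+(?::\d+)?\z/;
    return "https://$host/$action";
}

# Always escape when the URL lands inside an HTML attribute.
sub render_link {
    my ($url) = @_;
    return '<a href="' . escape_html($url) . '">secure</a>';
}

my $bad = naive_uri_for('myserver', $RAW_TARGET, 'action');
print "unescaped: <a href=\"$bad\">secure</a>\n";   # markup reaches the page
print "escaped:   ", render_link($bad), "\n";       # inert, but a useless link
print "rebuilt:   ", render_link(safe_uri_for('myserver', 'action')), "\n";
```

The escaped form is no longer a script-injection problem, but the link still points nowhere useful, which is why rebuilding from the host alone is the better of the two fixes.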

Discussion Overview
Group: catalyst
Categories: catalyst, perl
Posted: Feb 20, '09 at 5:24p
Active: Feb 20, '09 at 5:34p
Posts: 2
Users: 2
Website: catalystframework.org
IRC: #catalyst