<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Sans Serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks for doing this, I will review after my day job ends. I suppose I need to request a CVE id? Packagers seem to appreciate that. --Steve<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> mapserver-dev [mailto:mapserver-dev-bounces@lists.osgeo.org]
<b>On Behalf Of </b>Even Rouault<br>
<b>Sent:</b> Tuesday, August 08, 2017 4:04 AM<br>
<b>To:</b> mapserver-dev@lists.osgeo.org<br>
<b>Cc:</b> Beste Seymen <besteseymen@sabanciuniv.edu>; Daniel Morissette <dmorissette@mapgears.com><br>
<b>Subject:</b> Re: [mapserver-dev] [mapserver-users] XSS vulnerability on the 'layer' parameter of WMTS (mapcache)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">On lundi 7 août 2017 19:40:58 CEST Even Rouault wrote:<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> On lundi 7 août 2017 12:50:34 CEST Daniel Morissette wrote:<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> > Would it not be sufficient to HTML-encode the values before sending them<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> > out? In this case, the "-->" would become "-->" which would fix the<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> > vulnerability. We use msEncodeHTMLEntities() for this in mapserv:<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> >
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> >
<a href="https://github.com/mapserver/mapserver/blob/branch-7-0/mapstring.c#L1225">
https://github.com/mapserver/mapserver/blob/branch-7-0/mapstring.c#L1225</a><o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> As double hyphen is prohibited inside XML comments for compatiblity reason,<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> I believe we should also (in that context, that alone should be sufficient)<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> escape - as &45; (although entities aren't really "official" inside XML<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> comments, but at least this is valid XML)<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> In other protocols, for example wms, I see the exception is wrapped in a<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> <![CDATA[ bla ]] marker. I guess the reason was to avoid escaping the &<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> entities from the user request. I think the wrapping inside [CDATA[ should<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> be replaced by standard XML escaping ala msEncodeHTMLEntities()<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">>
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> Actually it seems only WMS and WMTS are affected. Other protocols return an<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">> error message as plaintext.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">I've prepared a pull request in line with the above ideas :<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif"><a href="https://github.com/mapserver/mapcache/pull/172">https://github.com/mapserver/mapcache/pull/172</a><o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">Review and testing from others appreciated.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">I'm not completely sure that a XSS vulnerability in a Web browser is possible in the WMS case since the content-type
is application/vnd.ogc.se_xml, which Firefox doesn't understand as XML. Contrary to the WMTS case where the content-type is application/xml. Anyway in the WMS case, the returned document could be invalid XML if injecting appropriate input values, so better
fix it.<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">Even<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-paragraph-type:empty;-qt-block-indent:0">
<span style="font-size:9.0pt;font-family:"Sans Serif",serif"> <o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">--
<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif">Spatialys - Geospatial professional services<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;-qt-block-indent:0;-qt-user-state:0"><span style="font-size:9.0pt;font-family:"Sans Serif",serif"><a href="http://www.spatialys.com">http://www.spatialys.com</a><o:p></o:p></span></p>
</div>
</body>
</html>