[tahoe-lafs-trac-stream] [tahoe-lafs] #1143: Double Encoding in HTML in File Names in WUI

tahoe-lafs trac at tahoe-lafs.org
Mon Oct 15 23:31:26 UTC 2012


#1143: Double Encoding in HTML in File Names in WUI
-----------------------------------+---------------------------
     Reporter:  chrisp             |      Owner:  davidsarah
         Type:  defect             |     Status:  assigned
     Priority:  major              |  Milestone:  1.10.0
    Component:  code-frontend-web  |    Version:  1.7.1
   Resolution:                     |   Keywords:  easy wui html
Launchpad Bug:                     |
-----------------------------------+---------------------------

Old description:

> My file "zumby-bumby ; mail blaggy at mailinator.com < /etc/hosts" in the
> pubgrid root http://pubgrid.tahoe-lafs.org/uri/URI%3ADIR2%3Actmtx2awdo4xt77x5xxaz6nyxm%3An5t546ddvd6xlv4v6se6sjympbdbvo7orwizuzl42urm73sxazqa/
> is listed as "zumby-bumby ; mail blaggy at mailinator.com &lt; /etc/hosts"
> in the listing.
>
> That is, the < got converted to &lt; and then that ampersand got
> converted to &amp;. Thus, we end up with &amp;lt;.
>
> HTML entity-encoding is good because it can stop XSS, but be careful: it
> increases the size of memory you have to allocate to handle the request.
> Also, double-encoding is just plain incorrect. Single-encode, and place
> limits on how much memory you will allocate to do the encoding. One way
> to do this is to include input size limits as part of your input
> validation framework.

New description:

 My file "zumby-bumby ; mail blaggy at mailinator.com < /etc/hosts" in the
 pubgrid root http://pubgrid.tahoe-lafs.org/uri/URI%3ADIR2%3Actmtx2awdo4xt77x5xxaz6nyxm%3An5t546ddvd6xlv4v6se6sjympbdbvo7orwizuzl42urm73sxazqa/
 is listed as "zumby-bumby ; mail blaggy at mailinator.com &lt; /etc/hosts" in
 the listing.

 That is, the < got converted to &lt; and then that ampersand got converted
 to &amp;. Thus, we end up with &amp;lt;.

 HTML entity-encoding is good because it can stop XSS, but be careful: it
 increases the size of memory you have to allocate to handle the request.
 Also, double-encoding is just plain incorrect. Single-encode, and place
 limits on how much memory you will allocate to do the encoding. One way to
 do this is to include input size limits as part of your input validation
 framework.

--

Comment (by zooko):

 I just used freedomsponsors.org to offer USD 25.00 to whoever fixes this
 issue: http://www.freedomsponsors.org/core/offer/24/double-encoding-in-html-in-file-names-in-wui?alert=SPONSOR&c=s

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1143#comment:4>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
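
Added example (not from the ticket or the Tahoe-LAFS code base): assuming the double encoding comes from two rendering layers that each escape the same string, marking escaped text with a type makes the second escape a no-op, and the size check before encoding bounds the memory the encoder needs. The names Escaped, escape_once, naive_row, safe_row, displayed_text and MAX_NAME_CHARS are hypothetical.

```python
import html

MAX_NAME_CHARS = 255  # assumed limit for this example, not a Tahoe-LAFS value


class Escaped(str):
    """Marks text that has already been HTML-escaped exactly once."""


def escape_once(value):
    """Escape for HTML unless the value is already marked as Escaped."""
    if isinstance(value, Escaped):
        return value
    return Escaped(html.escape(value, quote=True))


def naive_row(name):
    """Two layers that both escape plain str: reproduces the double encoding."""
    cell = html.escape(name)                     # layer 1: view code
    return "<td>" + html.escape(cell) + "</td>"  # layer 2: template


def safe_row(name):
    """Validate size first, then escape once even though two layers run."""
    if len(name) > MAX_NAME_CHARS:
        raise ValueError("file name exceeds MAX_NAME_CHARS")
    cell = escape_once(name)                     # layer 1: view code
    return "<td>" + escape_once(cell) + "</td>"  # layer 2: no-op on Escaped


def displayed_text(row):
    """What a browser shows for the cell: strip the tags, decode entities once."""
    return html.unescape(row[len("<td>"):-len("</td>")])


# Constructed sample input, modelled on the file name in the ticket.
SAMPLE = "zumby-bumby ; mail < /etc/hosts"

if __name__ == "__main__":
    print(naive_row(SAMPLE))  # cell source contains &amp;lt;
    print(safe_row(SAMPLE))   # cell source contains &lt;
```

The longest entity html.escape emits is six characters, so with the limit enforced first the encoded name never exceeds 6 * MAX_NAME_CHARS characters.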

