
XSS CVE-2017-15612 #140


Merged
merged 1 commit into from
Oct 26, 2017

Conversation

junorouse
Contributor

@junorouse junorouse commented Oct 18, 2017

CVE-2017-15612

See the commit log.

Bypassing with newline.

Old:
>>> markdown('''[aa](java
... script:alert`1`;)''')
'<p><a href="java\nscript:alert`1`;">aa</a></p>\n'

New:
>>> markdown('''[aa](java
... script:alert`1`;)''')
'<p><a href="">aa</a></p>\n'

Bypassing with malicious mail address.

Old:
>>> markdown('<junorouse@gmail.com"\nonclick="alert(1);>')
'<p><a href="mailto:junorouse@gmail.com"\nonclick="alert(1);">junorouse@gmail.com"\nonclick="alert(1);</a></p>\n'

New:
>>> markdown('<junorouse@gmail.com"\nonclick="alert(1);>')
'<p><a href="mailto:junorouse@gmail.com&quot;\nonclick=&quot;alert(1);">junorouse@gmail.com&quot;\nonclick=&quot;alert(1);</a></p>\n'
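The two bypasses described above, as an added example that is not part of this PR or of mistune's own code: a naive scheme check (which lets `java\nscript:` through because the newline splits the scheme name, and which does no attribute-quote escaping) beside a hardened one that strips whitespace and control characters before comparing and escapes quotes in the href. Function names, the blocked-scheme list and the inputs are assumptions constructed from the PR description, not taken from the library.

```python
import html
import re

# Constructed inputs mirroring the two payloads in the PR description.
NEWLINE_SCHEME = "java\nscript:alert`1`;"
MAIL_INJECTION = 'junorouse@gmail.com"\nonclick="alert(1);'

# Hypothetical blocklist for this illustration.
BLOCKED_SCHEMES = ("javascript:", "vbscript:")


def naive_escape_link(url):
    """The 'Old' behaviour: compare the raw string against the blocklist.

    A newline inside the scheme name defeats startswith(), yet browsers
    drop tab/newline characters from an href, so the link still runs.
    Double quotes are also passed through, so an autolinked address can
    close the href attribute and inject its own.
    """
    if url.lower().startswith(BLOCKED_SCHEMES):
        return ""
    return url


def hardened_escape_link(url):
    """Normalise before comparing, then escape for an HTML attribute.

    Leading/trailing whitespace and control bytes are stripped, and any
    character that cannot appear in a scheme name is removed before the
    blocklist comparison, so 'java\\nscript:' and 'java\\tscript:' are
    both recognised.  The returned value has quotes escaped, so it can
    no longer terminate the attribute it is placed in.
    """
    lower = url.lower().strip("\x00\x1a \n\r\t")
    collapsed = re.sub(r"[^a-z0-9/:]+", "", lower)
    if collapsed.startswith(BLOCKED_SCHEMES):
        return ""
    return html.escape(url, quote=True)


def render_link(url, text, escape_fn):
    """Render an inline link the way a markdown renderer would."""
    return '<a href="%s">%s</a>' % (escape_fn(url), text)


def render_autolink_mail(addr, escape_fn):
    """Render a bare <addr@host> autolink; both href and text go through
    the same escaping function, as in the 'New' output above."""
    safe = escape_fn(addr)
    return '<a href="mailto:%s">%s</a>' % (safe, safe)


if __name__ == "__main__":
    for fn in (naive_escape_link, hardened_escape_link):
        print(fn.__name__)
        print(" ", repr(render_link(NEWLINE_SCHEME, "aa", fn)))
        print(" ", repr(render_autolink_mail(MAIL_INJECTION, fn)))
```

The regex strips everything but scheme-legal characters before the comparison, so it is stricter than what a browser tolerates (a browser removes only tab, newline and carriage return); erring on the strict side is the right choice for a blocklist check.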
@junorouse
Contributor Author

@lepture

There is a problem in the CI.

C:/Python27
git clone -q https://github.com/lepture/mistune.git C:\projects\mistune
git fetch -q origin +refs/pull/140/merge:
git checkout -qf FETCH_HEAD
Running Install scripts
(new-object net.webclient).DownloadFile('https://bootstrap.pypa.io/get-pip.py', 'C:/get-pip.py')
Exception calling "DownloadFile" with "2" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."
At line:1 char:1
+ (new-object net.webclient).DownloadFile('https://bootstrap.pypa.io/ge ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException
 
Command executed with exception: Exception calling "DownloadFile" with "2" argument(s): "The request was aborted: Could not create SSL/TLS secure channel."


@junorouse junorouse closed this Oct 18, 2017
@junorouse junorouse changed the title Fix bypassing XSS vulnerability. Xx Oct 18, 2017
@SnarkBoojum

You might change back the title to what it was, as the problem is public: CVE-2017-15612

@lepture lepture reopened this Oct 26, 2017
@lepture lepture merged commit ab8f7de into lepture:master Oct 26, 2017
@SnarkBoojum

Will you release a new version of mistune soon with that fix or should I add the patch to the Debian packaging of the current version?

Thanks.

@lepture
Owner

lepture commented Oct 26, 2017

@SnarkBoojum

Oh, sorry, I didn't see: thanks!

@junorouse junorouse changed the title Xx XSS CVE-2017-15612 Oct 27, 2017
@junorouse
Contributor Author

@SnarkBoojum Ok, I changed. Thanks.
