rustdoc search xss exploit #13884
Comments
Is this problematic? Afaik everything is done client-side.
Yes. For example, if rustdoc documentation is served on a site that uses a cookie for authentication, an attacker could perform XHRs on the victim's behalf by injecting a
But the search is done with client-side javascript on a client-side resources index; how can you secure that?
I'm not sure what you mean by the search being unsecurable because the index is searched on the client. The problem is that the Javascript responsible for rendering the search query does not properly escape it, so an attacker can insert arbitrary HTML and therefore execute arbitrary Javascript in another user's browser merely by tricking the user into following a link. This is easily fixed by escaping If you're not convinced of the danger, see this link (warning: displays an alert dialog) for an example. If I were more nefarious, and I knew of a site that served rustdoc HTML documentation on the same domain as another site that uses cookie authentication, I could impersonate a user of this site just by convincing them to follow a link I've sent them.
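The missing escaping described in the comment above, shown as an added example that is not part of the issue thread and is not rustdoc's own code. The function names and the heading markup are hypothetical; the sample URL is the one given in the issue report.

```javascript
// Added example: all names and markup here are hypothetical, not rustdoc's code.

// Characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every HTML-significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the ?search= parameter. URLSearchParams percent-decodes the value,
// so "%3Cxmp%3E" arrives here as "<xmp>". Returns "" when the parameter is absent.
function getSearchQuery(url) {
  const value = new URL(url).searchParams.get("search");
  return value === null ? "" : value;
}

// Before: the decoded query is concatenated straight into markup, so any
// tag in the URL becomes a live element once the string is assigned to innerHTML.
function renderHeadingUnsafe(query) {
  return "<h1>Results for " + query + "</h1>";
}

// After: the query is escaped first, so the browser shows it as literal text.
// In a DOM context, assigning the query to textContent has the same effect.
function renderHeadingSafe(query) {
  return "<h1>Results for " + escapeHtml(query) + "</h1>";
}

// Sample input: the URL from the issue report.
const SAMPLE_URL =
  "http://static.rust-lang.org/doc/master/std/index.html?search=%3Cxmp%3E";

const sampleQuery = getSearchQuery(SAMPLE_URL);
console.log("unsafe:", renderHeadingUnsafe(sampleQuery));
console.log("safe:  ", renderHeadingSafe(sampleQuery));
```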
I see, thanks for the explanations, opened up a PR for it.
I think this is the part that makes me go from "meh" to "OH!." There's not a lot of damage on rust-lang.org, but we shouldn't open up others to these issues.
See #13884 for the details. Closes #13884. r? @alexcrichton
…Veykril fix: unescape inline module names in module resolution Fixes rust-lang#13884
The input for doc searches isn't sanitized, allowing for arbitrary HTML input.
http://static.rust-lang.org/doc/master/std/index.html?search=%3Cxmp%3E