SECURITY: Backported XSS fixes from Handlebars

2024-12-05 07:20:41 +08:00 · 2015-11-24 16:07:47 -05:00 · 2015-11-24 16:07:47 -05:00 · 189595466c
commit 189595466c
parent e9f80464b4
22 changed files with 71 additions and 30 deletions
--- a/1
+++ b/1
@ -41,7 +41,6 @@ gem 'onebox'
 gem 'ember-rails'
 gem 'ember-source', '1.12.1'
 gem 'handlebars-source', '2.0.0'
 gem 'barber'
 gem 'babel-transpiler'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -119,7 +119,6 @@ GEM
    given_core (3.5.4)
      sorcerer (>= 0.3.7)
    guess_html_encoding (0.0.11)
    handlebars-source (2.0.0)
    hashie (3.4.0)
    highline (1.7.1)
    hike (1.2.3)
@ -418,7 +417,6 @@ DEPENDENCIES
  flamegraph
  foreman
  gctools
  handlebars-source (= 2.0.0)
  highline
  hiredis
  htmlentities
--- a/app/assets/javascripts/admin/components/ace-editor.js.es6
+++ b/app/assets/javascripts/admin/components/ace-editor.js.es6
@ -16,7 +16,7 @@ export default Ember.Component.extend({
  render(buffer) {
    buffer.push("<div class='ace'>");
    if (this.get('content')) {
-      buffer.push(Handlebars.Utils.escapeExpression(this.get('content')));
+      buffer.push(Discourse.Utilities.escapeExpression(this.get('content')));
    }
    buffer.push("</div>");
  },
--- a/app/assets/javascripts/admin/controllers/modals/admin-badge-preview.js.es6
+++ b/app/assets/javascripts/admin/controllers/modals/admin-badge-preview.js.es6
@ -22,7 +22,7 @@ export default Ember.Controller.extend({
        returned = "<pre class='badge-query-plan'>";
    _.each(raw, function(linehash) {
-      returned += Handlebars.Utils.escapeExpression(linehash["QUERY PLAN"]);
+      returned += Discourse.Utilities.escapeExpression(linehash["QUERY PLAN"]);
      returned += "<br>";
    });
@ -32,7 +32,7 @@ export default Ember.Controller.extend({
  processed_sample: Ember.computed.map('model.sample', function(grant) {
    var i18nKey = 'admin.badges.preview.grant.with',
-        i18nParams = { username: Handlebars.Utils.escapeExpression(grant.username) };
+        i18nParams = { username: Discourse.Utilities.escapeExpression(grant.username) };
    if (grant.post_id) {
      i18nKey += "_post";
@ -41,7 +41,7 @@ export default Ember.Controller.extend({
    if (grant.granted_at) {
      i18nKey += "_time";
-      i18nParams.time = Handlebars.Utils.escapeExpression(moment(grant.granted_at).format(I18n.t('dates.long_with_year')));
+      i18nParams.time = Discourse.Utilities.escapeExpression(moment(grant.granted_at).format(I18n.t('dates.long_with_year')));
    }
    return I18n.t(i18nKey, i18nParams);
--- a/app/assets/javascripts/admin/models/staff_action_log.js
+++ b/app/assets/javascripts/admin/models/staff_action_log.js
@ -16,14 +16,14 @@ Discourse.StaffActionLog = Discourse.Model.extend({
      formatted += this.format('admin.logs.staff_actions.previous_value', 'previous_value');
    }
    if (!this.get('useModalForDetails')) {
-      if (this.get('details')) formatted += Handlebars.Utils.escapeExpression(this.get('details')) + '<br/>';
+      if (this.get('details')) formatted += Discourse.Utilities.escapeExpression(this.get('details')) + '<br/>';
    }
    return formatted;
  }.property('ip_address', 'email', 'topic_id', 'post_id'),
  format: function(label, propertyName) {
    if (this.get(propertyName)) {
-      return ('<b>' + I18n.t(label) + ':</b> ' + Handlebars.Utils.escapeExpression(this.get(propertyName)) + '<br/>');
+      return ('<b>' + I18n.t(label) + ':</b> ' + Discourse.Utilities.escapeExpression(this.get(propertyName)) + '<br/>');
    } else {
      return '';
    }
--- a/app/assets/javascripts/admin/views/admin-backups-logs.js.es6
+++ b/app/assets/javascripts/admin/views/admin-backups-logs.js.es6
@ -19,7 +19,7 @@ export default Ember.View.extend({
      let formattedLogs = this.get("formattedLogs");
      for (let i = this.get("index"), length = logs.length; i < length; i++) {
        const date = logs[i].get("timestamp"),
-              message = Handlebars.Utils.escapeExpression(logs[i].get("message"));
+              message = Discourse.Utilities.escapeExpression(logs[i].get("message"));
        formattedLogs += "[" + date + "] " + message + "\n";
      }
      // update the formatted logs & cache index
--- a/app/assets/javascripts/discourse/components/notification-item.js.es6
+++ b/app/assets/javascripts/discourse/components/notification-item.js.es6
@ -38,10 +38,10 @@ export default Ember.Component.extend({
  description: function() {
    const badgeName = this.get("notification.data.badge_name");
-    if (badgeName) { return Handlebars.Utils.escapeExpression(badgeName); }
+    if (badgeName) { return Discourse.Utilities.escapeExpression(badgeName); }
    const title = this.get('notification.data.topic_title');
-    return Ember.isEmpty(title) ? "" : Handlebars.Utils.escapeExpression(title);
+    return Ember.isEmpty(title) ? "" : Discourse.Utilities.escapeExpression(title);
  }.property("notification.data.{badge_name,topic_title}"),
  _markRead: function(){
--- a/app/assets/javascripts/discourse/components/post-gutter.js.es6
+++ b/app/assets/javascripts/discourse/components/post-gutter.js.es6
@ -45,7 +45,7 @@ export default Em.Component.extend(StringBuffer, {
        var title = Em.get(l, 'title');
        if (!Em.isEmpty(title)) {
-          title = Handlebars.Utils.escapeExpression(title);
+          title = Discourse.Utilities.escapeExpression(title);
          buffer.push(Discourse.Emoji.unescape(title));
        }
        if (clicks) {
--- a/app/assets/javascripts/discourse/components/poster-name.js.es6
+++ b/app/assets/javascripts/discourse/components/poster-name.js.es6
@ -40,7 +40,7 @@ const PosterNameComponent = Em.Component.extend({
      // Are we showing full names?
      if (name && this.get('displayNameOnPosts') && (this.sanitizeName(name) !== this.sanitizeName(username))) {
-        name = Handlebars.Utils.escapeExpression(name);
+        name = Discourse.Utilities.escapeExpression(name);
        buffer.push("<span class='full-name'><a href='" + url + "' data-auto-route='true' data-user-card='" + username  + "'>" + name + "</a></span>");
      }
@ -48,7 +48,7 @@ const PosterNameComponent = Em.Component.extend({
      let title = post.get('user_title');
      if (!Em.isEmpty(title)) {
-        title = Handlebars.Utils.escapeExpression(title);
+        title = Discourse.Utilities.escapeExpression(title);
        buffer.push('<span class="user-title">');
        if (Em.isEmpty(primaryGroupName)) {
          buffer.push(title);
--- a/app/assets/javascripts/discourse/components/topic-status.js.es6
+++ b/app/assets/javascripts/discourse/components/topic-status.js.es6
@ -29,7 +29,7 @@ export default Ember.Component.extend(StringBuffer, {
    const self = this;
    const renderIcon = function(name, key, actionable) {
-      const title = Handlebars.Utils.escapeExpression(I18n.t(`topic_statuses.${key}.help`)),
+      const title = Discourse.Utilities.escapeExpression(I18n.t(`topic_statuses.${key}.help`)),
            startTag = actionable ? "a href" : "span",
            endTag = actionable ? "a" : "span",
            iconArgs = key === 'unpinned' ? { 'class': 'unpinned' } : null,
--- a/app/assets/javascripts/discourse/controllers/composer.js.es6
+++ b/app/assets/javascripts/discourse/controllers/composer.js.es6
@ -265,7 +265,7 @@ export default Ember.Controller.extend({
        if (currentTopic) {
          buttons.push({
-            "label": I18n.t("composer.reply_here") + "<br/><div class='topic-title overflow-ellipsis'>" + Handlebars.Utils.escapeExpression(currentTopic.get('title')) + "</div>",
+            "label": I18n.t("composer.reply_here") + "<br/><div class='topic-title overflow-ellipsis'>" + Discourse.Utilities.escapeExpression(currentTopic.get('title')) + "</div>",
            "class": "btn btn-reply-here",
            "callback": function() {
              composer.set('topic', currentTopic);
@ -276,7 +276,7 @@ export default Ember.Controller.extend({
        }
        buttons.push({
-          "label": I18n.t("composer.reply_original") + "<br/><div class='topic-title overflow-ellipsis'>" + Handlebars.Utils.escapeExpression(this.get('model.topic.title')) + "</div>",
+          "label": I18n.t("composer.reply_original") + "<br/><div class='topic-title overflow-ellipsis'>" + Discourse.Utilities.escapeExpression(this.get('model.topic.title')) + "</div>",
          "class": "btn-primary btn-reply-on-original",
          "callback": function() {
            self.save(true);
--- a/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
+++ b/app/assets/javascripts/discourse/controllers/forgot-password.js.es6
@ -17,7 +17,7 @@ export default Ember.Controller.extend(ModalFunctionality, {
      var success = function(data) {
        // don't tell people what happened, this keeps it more secure (ensure same on server)
-        var escaped = Handlebars.Utils.escapeExpression(self.get('accountEmailOrUsername'));
+        var escaped = Discourse.Utilities.escapeExpression(self.get('accountEmailOrUsername'));
        var isEmail = self.get('accountEmailOrUsername').match(/@/);
        var key = 'forgot_password.complete_' + (isEmail ? 'email' : 'username');
--- a/app/assets/javascripts/discourse/controllers/full-page-search.js.es6
+++ b/app/assets/javascripts/discourse/controllers/full-page-search.js.es6
@ -75,7 +75,7 @@ export default Ember.Controller.extend({
        }
      });
    }
-    return Handlebars.Utils.escapeExpression(q);
+    return Discourse.Utilities.escapeExpression(q);
  },
  _searchOnSortChange: true,
--- a/app/assets/javascripts/discourse/dialects/code_dialect.js
+++ b/app/assets/javascripts/discourse/dialects/code_dialect.js
@ -76,7 +76,7 @@ Discourse.Dialect.on('parseNode', function (event) {
    } else {
      regexp = /^ +| +$/g;
    }
-    node[node.length-1] = Handlebars.Utils.escapeExpression(contents.replace(regexp,''));
+    node[node.length-1] = Discourse.Utilities.escapeExpression(contents.replace(regexp,''));
  }
 });
--- a/app/assets/javascripts/discourse/dialects/dialect.js
+++ b/app/assets/javascripts/discourse/dialects/dialect.js
@ -13,7 +13,7 @@ var parser = window.BetterMarkdown,
    emitters = [],
    hoisted,
    preProcessors = [],
-    escape = Handlebars.Utils.escapeExpression;
+    escape = Discourse.Utilities.escapeExpression;
 /**
  Initialize our dialects for processing.
--- a/app/assets/javascripts/discourse/helpers/user-status.js.es6
+++ b/app/assets/javascripts/discourse/helpers/user-status.js.es6
@ -5,7 +5,7 @@ const Safe = Handlebars.SafeString;
 export default Ember.Handlebars.makeBoundHelper(function(user, args) {
  if (!user) { return; }
-  const name = Handlebars.Utils.escapeExpression(user.get('name'));
+  const name = Discourse.Utilities.escapeExpression(user.get('name'));
  const currentUser = args.hash.currentUser;
  if (currentUser && user.get('admin') && currentUser.get('staff')) {
--- a/app/assets/javascripts/discourse/lib/utilities.js
+++ b/app/assets/javascripts/discourse/lib/utilities.js
@ -1,3 +1,18 @@
 var discourseEscape = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  '`': '&#x60;'
 };
 var discourseBadChars = /[&<>"'`]/g;
 var discoursePossible = /[&<>"'`]/;
 function discourseEscapeChar(chr) {
  return discourseEscape[chr];
 }
 Discourse.Utilities = {
  translateSize: function(size) {
@ -24,6 +39,28 @@ Discourse.Utilities = {
    }
  },
  // Handlebars no longer allows spaces in its `escapeExpression` code which makes it
  // unsuitable for many of Discourse's uses. Use `Handlebars.Utils.escapeExpression`
  // when escaping an attribute in HTML, otherwise this one will do.
  escapeExpression: function(string) {
    // don't escape SafeStrings, since they're already safe
    if (string instanceof Handlebars.SafeString) {
      return string.toString();
    } else if (string == null) {
      return "";
    } else if (!string) {
      return string + '';
    }
    // Force a string conversion as this will be done by the append regardless and
    // the regex test will do this transparently behind the scenes, causing issues if
    // an object's to string has escaped characters in it.
    string = "" + string;
    if(!discoursePossible.test(string)) { return string; }
    return string.replace(discourseBadChars, discourseEscapeChar);
  },
  avatarUrl: function(template, size) {
    if (!template) { return ""; }
    var rawSize = Discourse.Utilities.getRawSize(Discourse.Utilities.translateSize(size));
--- a/app/assets/javascripts/discourse/models/composer.js.es6
+++ b/app/assets/javascripts/discourse/models/composer.js.es6
@ -138,7 +138,7 @@ const Composer = RestModel.extend({
      const postNumber = this.get('post.post_number');
      postLink = "<a href='" + (topic.get('url')) + "/" + postNumber + "'>" +
        I18n.t("post.post_number", { number: postNumber }) + "</a>";
-      topicLink = "<a href='" + (topic.get('url')) + "'> " + (Handlebars.Utils.escapeExpression(topic.get('title'))) + "</a>";
+      topicLink = "<a href='" + (topic.get('url')) + "'> " + Discourse.Utilities.escapeExpression(topic.get('title')) + "</a>";
      usernameLink = "<a href='" + (topic.get('url')) + "/" + postNumber + "'>" + this.get('post.username') + "</a>";
    }
--- a/app/assets/javascripts/main_include.js
+++ b/app/assets/javascripts/main_include.js
@ -73,6 +73,8 @@
 //= require ./discourse/components/topic-notifications-button
 //= require ./discourse/lib/link-mentions
 //= require ./discourse/views/header
 //= require ./discourse/lib/utilities
 //= require ./discourse/dialects/dialect
 //= require ./discourse/views/composer
 //= require ./discourse/lib/show-modal
 //= require ./discourse/lib/screen-track
--- a/lib/freedom_patches/ember_compat_handlebars.rb
+++ b/lib/freedom_patches/ember_compat_handlebars.rb
@ -5,7 +5,7 @@ module Barber
  class EmberCompatPrecompiler < Barber::Precompiler
    def sources
-      [handlebars, precompiler]
+      [File.open("#{Rails.root}/vendor/assets/javascripts/handlebars.js"), precompiler]
    end
    def precompiler
--- a/lib/pretty_text.rb
+++ b/lib/pretty_text.rb
@ -78,9 +78,9 @@ module PrettyText
    ctx_load(ctx,
      "vendor/assets/javascripts/better_markdown.js",
      "app/assets/javascripts/defer/html-sanitizer-bundle.js",
      "app/assets/javascripts/discourse/lib/utilities.js",
      "app/assets/javascripts/discourse/dialects/dialect.js",
      "app/assets/javascripts/discourse/lib/censored-words.js",
      "app/assets/javascripts/discourse/lib/utilities.js",
      "app/assets/javascripts/discourse/lib/markdown.js",
    )
--- a/vendor/assets/javascripts/handlebars.js
+++ b/vendor/assets/javascripts/handlebars.js
@ -64,11 +64,16 @@ var __module3__ = (function(__dependency1__) {
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
-    "`": "&#x60;"
+    '`': '&#x60;',
    '\n' : '\\n',   // NewLine
    '\r' : '\\n',   // Return
    '\b' : '\\b',   // Backspace
    '\f' : '\\f',   // Form fee
    '\t' : '\\t',   // Tab
    '\v' : '\\v'   // Vertical Tab
  };
-
+  var badChars = /[&<>"'`\b\f\n\r\t\v]/g;
-  var badChars = /[&<>"'`]/g;
+  var possible = /[&<>"'`\b\f\n\r\t\v]/;
  var possible = /[&<>"'`]/;
  function escapeChar(chr) {
    return escape[chr];