Expand detection of protocol-relative hrefs to cover "/\evil.com" and variants
ClosedPublic
Actions

Authored by epriestley on Jan 18 2018, 8:05 PM.

Details

Reviewers

Commits

rPHU53f01ac1ae78: (stable) Promote 2018 Week 3
rPHUd2a970c6eb58: (stable) Expand detection of protocol-relative hrefs to cover "/\evil.com" and…
rPHU2d8cdda8cc4c: Expand detection of protocol-relative hrefs to cover "/\evil.com" and variants

Summary

Via HackerOne. See https://hackerone.com/reports/306414.

All browsers seem to accept <a href="/\evil.com" ...> as equivalent to //evil.com, i.e. a protocol-relative URI (uses "http" or "https" depending on the protocol for the current page).

They're equally accepting of <a href="/\/\\\\///\/\evil.com" ...> and so on, too.

I assume this is because normal users don't know the difference between slash and backslash, and someone in the 1990's thought this was a reaonable usability affordance and we're stuck with it forever?

Note that we've encountered this problem previously in PhabricatorEnv->isValidLocalURIForLink(), although the scope and context are a little different there. In that case, we simply reject URIs with backslashes anywhere.

The security risk associated with this -- "tabnabbing" -- is fairly low, and amounts to a targeted phishing attack, so I don't plan to take any exceptional security measures here.

Test Plan

Pre-change: wrote a [[ /\evil.com | xyz ]] link in Remarkup, saw it fail to get "noreferrer". Saw Chrome, Firefox and Safari all dutifully follow the link to evil.com.
Made change; added test coverage.
Tests pass.
Post-change: Verified /\evil.com link (and other similar links, e.g., ///evil.com, /\\evil.com) now get "noreferrer".

Diff Detail

Repository

rPHU libphutil

Branch

noreferrer

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 19047
Build 25701: Run Core Tests
Build 25700: arc lint + arc unit

Event Timeline

epriestley created this revision.Jan 18 2018, 8:05 PM

Harbormaster completed remote builds in B19047: Diff 45264.Jan 18 2018, 8:05 PM

epriestley requested review of this revision.Jan 18 2018, 8:05 PM

epriestley edited the summary of this revision. (Show Details)Jan 18 2018, 8:06 PM

I think is probably clearer as-is instead of getting fancy with a regex.

This revision is now accepted and ready to land.Jan 18 2018, 8:09 PM

A vaguely related issue here is how we handle this in remarkup:

[[ http:/\evil.com/ | xyz ]]

We currently treat it as a wiki page, normalize it, and link to /w/evil.com/. This way this works is a little weird, but safe. If we treated it as a URI instead, browsers would accept it, since it seems that all browsers agree that this is a "perfectly valid" URI that has "absolutely nothing wrong with it".

I'm inclined to leave this behavior as-is for now. If we changed it in the future, I'd be inclined to explicitly reject these URIs as malformed.

Closed by commit rPHU2d8cdda8cc4c: Expand detection of protocol-relative hrefs to cover "/\evil.com" and variants (authored by epriestley). · Explain WhyJan 18 2018, 8:17 PM

This revision was automatically updated to reflect the committed changes.

epriestley edited the summary of this revision. (Show Details)Jan 18 2018, 8:26 PM

epriestley mentioned this in D18883: Allow bulk edits to be made silently if you have CLI access.Jan 19 2018, 8:21 PM

epriestley mentioned this in T13053: Plans: Mail Tags and Failover.Feb 2 2018, 4:25 PM