从CGI参数中获取样式表URL的安全隐患 [英] Security implications of taking a stylesheet URL from a CGIparameter
问题描述
您好,
我们有一个用Perl编写的基于Web的应用程序,旨在将
作为一个框架集成到许多不同的Web中站点。我们目前有几个样式表可供用户使用,以便用户将外观和
感觉与现有网站相匹配。我们正在考虑允许我们的用户
来托管他们自己的样式表,并将其URL作为CGI
参数传递。这样的事情:
... / cgi-bin / script?stylesheet = http://example.com/style.css
在HTML页面模板中使用相应的代码:
< link href =" $ STYLESHEET"的rel ="样式表"类型= QUOT;文本/ CSS" />
当然,我们无法控制传递到
stylesheet参数的内容,因此我们必须为可能性做好准备< b / b
恶意的人把它设置成令人讨厌的东西。
我们将逃避$ stylesheet所以它只能包含字母,数字,
下划线,短划线,斜杠,冒号和圆点(以避免跨站点
脚本),确保它以http://开头。或https://并包含
主机后没有端口规范(以避免欺骗客户端
打开本地文件或连接到任意服务),并且
要求文件名以.css结尾(使
更难以导致脚本运行)。这样的事情:
/^https?:\/\/[\w.-]+\/[\\\ /:。 \。css $ /
我对级联的全部功能只有粗略的了解
样式表。我是否应该考虑其他任何安全问题?b $ b想到什么?特别是,有没有办法将
客户端执行的代码(如JavaScript)嵌入到样式表中,实现
一些其他类型的跨站点脚本攻击,或者其他方式除了改变页面的显示之外还要做什么?
我可能没有考虑过任何其他风险吗?
感谢您的任何想法和建议!
---- Scott。
Hello,
We''ve got a Web-based application written in Perl that is designed to
integrate as a frame into many different Web sites. We currently have
several stylesheets available to allow the user to match the look and
feel to their existing Web site. We''re considering allowing our users
to host their own stylesheet, and just pass in its URL as a CGI
parameter. Something like this:
.../cgi-bin/script?stylesheet=http://example.com/style.css
with corresponding code like this in the HTML page template:
<link href="$STYLESHEET" rel="stylesheet" type="text/css" />
Of course, we have no control over what gets passed in to the
stylesheet parameter, so we have to be prepared for the possibility
that a malicious person sets it to something nasty.
We will escape $stylesheet so it can only contain letters, numbers,
underscore, dash, slashes, colons, and dots (to avoid cross-site
scripting), ensure it starts with "http://" or "https://" and contains
no port specification after the host (to avoid tricking the client
into opening local files or connecting to arbitrary services), and
require the filename to end with ".css" (to make it more difficult to
cause a script to run). Something like this:
/^https?:\/\/[\w.-]+\/[\w\/:.-]+\.css$/
I only have a rough knowledge of the full power of cascading
stylesheets. Are there any other security concerns I should be
thinking about? In particular, is there any way to embed
client-executed code (like JavaScript) into a stylesheet, implement
some other kind of cross-site scripting attack, or otherwise cause the
stylesheet to do anything besides alter the display of the page?
Any other risks I may not have considered?
Thanks for any thoughts and advice!
----Scott.
推荐答案
样式表"的rel ="样式表"类型= QUOT;文本/ CSS" />
当然,我们无法控制传递到
stylesheet参数的内容,因此我们必须为可能性做好准备< b / b
恶意的人把它设置成令人讨厌的东西。
我们将转义
STYLESHEET" rel="stylesheet" type="text/css" />
Of course, we have no control over what gets passed in to the
stylesheet parameter, so we have to be prepared for the possibility
that a malicious person sets it to something nasty.
We will escape
样式表以便它只能包含字母,数字,
下划线,短划线,斜线,冒号和圆点(以避免跨站点
脚本),确保它以http://开头。或https://并包含
主机后没有端口规范(以避免欺骗客户端
打开本地文件或连接到任意服务),并且
要求文件名以.css结尾(使
更难以导致脚本运行)。这样的事情:
/^https?:\/\/[\w.-]+\/[\\\ /:。 \.css
stylesheet so it can only contain letters, numbers,
underscore, dash, slashes, colons, and dots (to avoid cross-site
scripting), ensure it starts with "http://" or "https://" and contains
no port specification after the host (to avoid tricking the client
into opening local files or connecting to arbitrary services), and
require the filename to end with ".css" (to make it more difficult to
cause a script to run). Something like this:
/^https?:\/\/[\w.-]+\/[\w\/:.-]+\.css
/
我对级联的全部功能只有粗略的了解
样式表。我是否应该考虑其他任何安全问题?b $ b想到什么?特别是,有没有办法将
客户端执行的代码(如JavaScript)嵌入到样式表中,实现
一些其他类型的跨站点脚本攻击,或者其他方式除了改变页面的显示之外还要做什么?
我可能没有考虑过任何其他风险吗?
感谢您的任何想法和建议!
---- Scott。
/
I only have a rough knowledge of the full power of cascading
stylesheets. Are there any other security concerns I should be
thinking about? In particular, is there any way to embed
client-executed code (like JavaScript) into a stylesheet, implement
some other kind of cross-site scripting attack, or otherwise cause the
stylesheet to do anything besides alter the display of the page?
Any other risks I may not have considered?
Thanks for any thoughts and advice!
----Scott.
这篇关于从CGI参数中获取样式表URL的安全隐患的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
