[wp-trac] [WordPress Trac] #14648: Flash Uploader security error in IDN domains

WordPress Trac wp-trac at lists.automattic.com
Fri Mar 25 11:02:12 UTC 2011


#14648: Flash Uploader security error in IDN domains
--------------------------------------+------------------------------
 Reporter:  dovydas                   |       Owner:
     Type:  defect (bug)              |      Status:  new
 Priority:  normal                    |   Milestone:  Awaiting Review
Component:  Media                     |     Version:  2.8.3
 Severity:  normal                    |  Resolution:
 Keywords:  needs-patch dev-feedback  |
--------------------------------------+------------------------------
Changes (by codestyling):

 * cc: codestyling (added)
 * keywords:   => needs-patch dev-feedback


Comment:

 IDN handling differs between browsers! WebKit-based browsers like Safari
 and Chrome work with PunyCode URLs, but others like IE, Firefox and Opera
 don't.
 This is a problem of cross-site scripting detection and can be observed
 and tested if the blog is configured with a PunyCode URL. [[BR]]

 Example from a case I investigated: [[BR]]
 IDN: http://с-проект.рф [[BR]]
 PunyCode: http://xn----jtbpoegeo.xn--p1ai [[BR]]

 If you try to make a JSON request like this example with the admin_url()
 generated by WordPress, which would be the PunyCode one:

 {{{
         // Prototype.js request against the PunyCode admin URL, as returned by admin_url();
         // 'elem' is the element whose title is updated with the JSON answer.
         new Ajax.Request('http://xn----jtbpoegeo.xn--p1ai/wp-admin/admin-ajax.php',
                 {
                         parameters: {
                                 action: 'get_download_section'
                         },
                         onSuccess: function(transport) {
                                 elem.title = transport.responseJSON.title;
                         },
                         onFailure: function(transport) {
                                 alert('JSON security bug');
                         }
                 }
         );
 }}}

 and the answer is a correct 'application/json' with correct JSON content,
 then this fails on all browsers except WebKit-based ones! [[BR]]
 If you try it with the original IDN Url like:

 {{{
         // Same request, but against the original IDN (Unicode) host
         new Ajax.Request('http://с-проект.рф/wp-admin/admin-ajax.php',
                 { /* same parameters and callbacks as above */ }
         );
 }}}
 it now works on all other browsers but fails on WebKit-based ones.

 My suggestion would be a conditional conversion back to IDN if the browser
 is '''not''' WebKit-based.
 I did this inside my WordPress plugin "Codestyling Localization" and it now
 works in every case. I used the class '''idna_convert''' from Matthias
 Sommerfeld for easy decoding of PunyCode admin URLs in such a case.

 Please also check it in relation to #11734 / #10690 / #14648, because this
 may also affect the flash uploader being fed PunyCode URLs instead of IDN
 ones in some browsers!

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14648#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
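The conditional conversion the comment above describes, as an added example that is not code from WordPress core or from the Codestyling Localization plugin: a minimal RFC 3492 Punycode decoder (standing in for the idna_convert class, which is not reproduced here) plus a helper that rewrites only the host of the admin_url() string. The function names, the AppleWebKit user-agent test and the `adminUrlForBrowser` decision parameter are assumptions made for this example; the two URLs are the ones from the ticket.

```javascript
// Added example (not WordPress core or plugin code): rewrite a PunyCode
// admin_url() host back to its Unicode (IDN) form for browsers that, as the
// ticket reports, only accept the request against the Unicode host.
// Only decoding is needed: admin_url() already hands us the PunyCode form.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation (RFC 3492, section 6.1).
function adapt(delta, numPoints, firstTime) {
  delta = Math.floor(delta / (firstTime ? DAMP : 2));
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > Math.floor(((BASE - TMIN) * TMAX) / 2)) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// One base-36 digit: a-z (either case) -> 0..25, 0-9 -> 26..35.
function digitValue(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 0x61 && c <= 0x7a) return c - 0x61;
  if (c >= 0x41 && c <= 0x5a) return c - 0x41;
  if (c >= 0x30 && c <= 0x39) return c - 0x30 + 26;
  throw new RangeError(`invalid punycode digit "${ch}"`);
}

// Decode the text after the "xn--" prefix of one label (RFC 3492, section 6.2).
function punycodeDecode(encoded) {
  const lastDash = encoded.lastIndexOf('-');
  // Everything before the last delimiter is copied through; it must be ASCII.
  const output = lastDash > 0
    ? Array.from(encoded.slice(0, lastDash), (c) => c.charCodeAt(0))
    : [];
  if (output.some((cp) => cp > 0x7f)) throw new RangeError('non-ASCII basic code point');
  let pos = lastDash > 0 ? lastDash + 1 : 0;
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  while (pos < encoded.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= encoded.length) throw new RangeError('truncated punycode label');
      const digit = digitValue(encoded[pos++]);
      i += digit * w;
      if (i > Number.MAX_SAFE_INTEGER) throw new RangeError('punycode overflow');
      const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
      if (digit < t) break;
      w *= BASE - t;
    }
    const len = output.length + 1;
    bias = adapt(i - oldi, len, oldi === 0);
    n += Math.floor(i / len);
    i %= len;
    if (n > 0x10ffff) throw new RangeError('punycode code point out of range');
    output.splice(i, 0, n); // insert the next code point at position i
    i++;
  }
  return String.fromCodePoint(...output);
}

// Convert a hostname label by label; labels without the "xn--" prefix pass through.
function hostToUnicode(host) {
  return host.split('.').map((label) =>
    label.toLowerCase().startsWith('xn--') ? punycodeDecode(label.slice(4)) : label
  ).join('.');
}

// Rewrite only the host of an absolute http(s) URL; scheme, port, path and
// query are left untouched. The caller decides whether the browser needs the
// Unicode host (per the ticket: the non-WebKit browsers do).
function adminUrlForBrowser(adminUrl, wantUnicodeHost) {
  const m = /^(https?:\/\/)([^/:?#]+)(.*)$/i.exec(adminUrl);
  if (!m) throw new Error('expected an absolute http(s) URL');
  const [, scheme, host, rest] = m;
  return wantUnicodeHost ? scheme + hostToUnicode(host) + rest : adminUrl;
}

// Assumed user-agent test for "WebKit based" (Safari and Chrome of that era).
function isWebKit(userAgent) {
  return /AppleWebKit/i.test(userAgent);
}

// The PunyCode admin URL from the ticket, as WordPress' admin_url() returns it.
const ADMIN_AJAX_URL = 'http://xn----jtbpoegeo.xn--p1ai/wp-admin/admin-ajax.php';

// In a page: pick the form the running browser accepts before the Ajax.Request.
if (typeof navigator !== 'undefined') {
  console.log(adminUrlForBrowser(ADMIN_AJAX_URL, !isWebKit(navigator.userAgent)));
}
```

The host is handled label by label, so a mixed host such as www.xn--p1ai comes out as www.рф while the ASCII label is left alone, and a port or path after the host is never touched. The decoder rejects truncated labels and integer overflow, which matters when the site URL the admin URL is built from is an administrator-editable setting rather than a constant.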
