From 285e9647c6d2f90d8cb7af543b14c986a8efa631 Mon Sep 17 00:00:00 2001
From: Asherah Connor <ashe@kivikakk.ee>
Date: Fri, 12 Feb 2021 21:15:29 +1100
Subject: [PATCH] SECURITY: match unsafe prefixes case-insensitively
Many thanks to Kouhei Morita for reporting this.
Co-authored-by: Kouhei Morita <mrtc0@ssrf.in>
---
src/lexer.pest | 2 +-
src/tests.rs | 146 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 147 insertions(+), 1 deletion(-)
diff --git a/src/lexer.pest b/src/lexer.pest
index e97647c..7f6cd3f 100644
--- a/src/lexer.pest
+++ b/src/lexer.pest
@@ -55,4 +55,4 @@ table_start = { "|"? ~ table_marker ~ ("|" ~ table_marker)* ~ "|"? ~ table_space
table_cell_end = { "|" ~ table_spacechar* ~ table_newline? }
table_row_end = { table_spacechar* ~ table_newline }
-dangerous_url = { "data:" ~ !("png" | "gif" | "jpeg" | "webp") | "javascript:" | "vbscript:" | "file:" }
+dangerous_url = { ^"data:" ~ !(^"image/" ~ (^"png" | ^"gif" | ^"jpeg" | ^"webp")) | ^"javascript:" | ^"vbscript:" | ^"file:" }
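Review bot: The rewritten lookahead does more than the subject states — the old rule exempted any `data:` URL whose payload began with `png`/`gif`/`jpeg`/`webp`, while the new one exempts only `data:image/{png,gif,jpeg,webp}`, so the safe-list semantics change alongside the case-insensitivity and that deserves a sentence in the commit message. The grammar line carries no comment explaining why the `^` markers are there; a line above it such as `// Prefixes are matched case-insensitively (^) so e.g. "Javascript:" is still stripped; only data:image/{png,gif,jpeg,webp} passes the lookahead.` would record the intent for the next editor. Note the lookahead is a prefix test, so `^"png"` also accepts subtypes that merely begin with those letters; that is presumably fine for a prefix filter but is worth stating in the same comment.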
diff --git a/src/tests.rs b/src/tests.rs
index c61a493..5f3e0cc 100644
--- a/src/tests.rs
+++ b/src/tests.rs
@@ -998,3 +998,11 @@ fn description_lists() {
),
);
}
+
+#[test]
+fn case_insensitive_safety() {
+ html(
+ "[a](javascript:a) [b](Javascript:b) [c](jaVascript:c) [d](data:xyz) [e](Data:xyz) [f](vbscripT:f) [g](FILE:g)\n",
+ "<p><a href=\"\">a</a> <a href=\"\">b</a> <a href=\"\">c</a> <a href=\"\">d</a> <a href=\"\">e</a> <a href=\"\">f</a> <a href=\"\">g</a></p>\n",
+ );
+}
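Review bot: The new test only asserts that unsafe prefixes are stripped; neither this hunk nor the lexer.pest hunk checks that the allowed `data:image/...` forms survive the case-insensitive rule, so a regression that strips everything under `data:` would still pass. Add a positive case to the same input, e.g. `[h](data:image/png;base64,x) [i](DATA:IMAGE/PNG;base64,x)`, with the expected HTML keeping the href for both `h` and `i`. The `html` helper used here is defined outside this hunk.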
--
2.30.1