Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-18819

It's possible to save pretty much anything anywhere by creating and using an SSX/JSX containing "../" in its reference

    XMLWordPrintable

Details

    • Unknown
    • N/A
    • N/A

    Description

      AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document reference when serializing it on filesystem, so it's easy to mess up the HTML or PDF export process with reference elements containing filesystem syntax like "../", "./". or "/" in general (the last two not causing any security threat, but can cause conflicts with others serialized files).

      To reproduce:

      • create a page containing 
        {{velocity}}
$xwiki.ssx.use('\.\..\.\.')
{{/velocity}}
      • export the page as HTML (you don't need to download the resulting zip package)

      -> you should find a file named something like ssx5447337823533494579.css at the root of the temporary work directory. While you don't have much control over the name of the file (which limit the impact) you can put it anywhere XWiki has access to, and it can contain anything you want.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-4616 HTML export does not support skin extensions

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link GHSA-7ph6-5cmq-xgjq

          Activity

            People

              tmortagne Thomas Mortagne
              tmortagne Thomas Mortagne
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: