Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-13451

XSS bug in wiki markup link rendering

XMLWordPrintable

      The following wikimarkup creates links with an onclick event.

      [test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]
[test link|mailto:whatever@broken.com" onclick="alert('hi. I am a fun onclick event')]

      This is due to the following code in ConfluenceLinkResolver at line 319 (ish)

      // in private boolean isUrlLink(String textWithoutTitle)

        if (textWithoutTitle.startsWith("mailto:") || textWithoutTitle.startsWith("file:"))
        {
            return true;
        }
        else
        {
            // URLs don't strictly allow single quote characters, but we want to allow one
            String encodedText = textWithoutTitle.replaceAll("'","");
            boolean isUrl = UrlUtils.verifyHierachicalURI(encodedText);
            return isUrl;
        }

      I haven't checked how far back this actually goes, but I suspect it's a long way.

        1. atlassian-renderer-3.18.1.jar
          203 kB
        2. atlassian-renderer-3.19.1.jar
          208 kB

            [CONFSERVER-13451] XSS bug in wiki markup link rendering

            Brian Nguyen (Inactive) added a comment -

            Reviewed in RNDR-43

            Brian Nguyen (Inactive) added a comment - Reviewed in RNDR-43

            Brian Nguyen (Inactive) added a comment -

            Attached are the patches for confluence 2.7-2.9.

            Use:

            • 3.18.1 for confluence 2.7.x
            • 3.19.1 for confluence 2.8.x and 2.9.x

            To apply the patch:

            1. Download the corresponding jar file
            2. Copy the jar to /confluence/WEB-INF/lib/
            3. Remove the older version of the jar file
            4. Restart confluence

            Brian Nguyen (Inactive) added a comment - Attached are the patches for confluence 2.7-2.9. Use: 3.18.1 for confluence 2.7.x 3.19.1 for confluence 2.8.x and 2.9.x To apply the patch: Download the corresponding jar file Copy the jar to /confluence/WEB-INF/lib/ Remove the older version of the jar file Restart confluence

            David Taylor (Inactive) added a comment -

            Security patches need to be written for version 2.7, 2.8 and 2.9.

            David Taylor (Inactive) added a comment - Security patches need to be written for version 2.7, 2.8 and 2.9.

            Agnes Ro added a comment -

            Implemented in Renderer 4.1. Need to update Confluence to depend on it once released.

            Agnes Ro added a comment - Implemented in Renderer 4.1. Need to update Confluence to depend on it once released.

            David Taylor (Inactive) added a comment -

            See https://svn.atlassian.com/atlaseye/changelog/confluence?cs=23495 for the change

            David Taylor (Inactive) added a comment - See https://svn.atlassian.com/atlaseye/changelog/confluence?cs=23495 for the change

              dtaylor David Taylor (Inactive)
              don.willis@atlassian.com Don Willis
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: