From eb9508502c97c1341b8120916e34b260824cc52d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= Date: Sun, 12 Mar 2023 22:15:43 -0700 Subject: [PATCH] Avoid XSS when opening a broken image due to unescaped ServerError in proxy handler Creating an RSS feed item with the inline description containing an `` tag with a `srcset` attribute pointing to an invalid URL like `http:a`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced to open the broken image. --- http/response/html/html.go | 2 ++ ui/proxy.go | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/http/response/html/html.go b/http/response/html/html.go index c7bf1faf..3bba07f3 100644 --- a/http/response/html/html.go +++ b/http/response/html/html.go @@ -26,6 +26,7 @@ func ServerError(w http.ResponseWriter, r *http.Request, err error) { builder := response.New(w, r) builder.WithStatus(http.StatusInternalServerError) + builder.WithHeader("Content-Security-Policy", `default-src 'self'`) builder.WithHeader("Content-Type", "text/html; charset=utf-8") builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store") builder.WithBody(err) @@ -38,6 +39,7 @@ func BadRequest(w http.ResponseWriter, r *http.Request, err error) { builder := response.New(w, r) builder.WithStatus(http.StatusBadRequest) + builder.WithHeader("Content-Security-Policy", `default-src 'self'`) builder.WithHeader("Content-Type", "text/html; charset=utf-8") builder.WithHeader("Cache-Control", "no-cache, max-age=0, must-revalidate, no-store") builder.WithBody(err) diff --git a/ui/proxy.go b/ui/proxy.go index 5dd50697..bffbc939 100644 --- a/ui/proxy.go +++ b/ui/proxy.go @@ -83,7 +83,8 @@ func (h *handler) mediaProxy(w http.ResponseWriter, r *http.Request) { resp, err := clt.Do(req) if err != nil { - html.ServerError(w, r, err) + logger.Error(`[Proxy] Unable to initialize HTTP client: %v`, err) + http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } defer resp.Body.Close()