[Owasp-antisamy] Toward safe Flash filtering -- dealing with "param" tags

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Wed Sep 30 10:37:09 EDT 2009


For anyone who cares,

Erik is now a committer on the AntiSamy project. When his <param> patch
is integrated and tested we're going to push for a new minor release. I
think we can realistically expect a new release around mid-November.

Arshan


-----Original Message-----
From: owasp-antisamy-bounces at lists.owasp.org
[mailto:owasp-antisamy-bounces at lists.owasp.org] On Behalf Of Erik
Sent: Tuesday, September 29, 2009 9:02 PM
To: owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] Toward safe Flash filtering -- dealing with "param" tags

Good news, everyone! I've come up with a way to make AntiSamy now
process the data in name and value attributes in <param> tags.

I had to do this because, in order to promote security while allowing
video embeds, I've simply been filtering out all <param> tags. I didn't
notice that this was breaking video embeds in Internet Explorer until
after we deployed because I, sane, don't use IE. But whatever --
removing <param> tags breaks video embeds, you can't filter them with
AS, and IE requires them. See:

http://java.sun.com/j2se/1.5.0/docs/guide/plugin/developer_guide/using_tags.html#html

How annoying. My solution was to modify AS such that it now treats
<param> tags somewhat like <embed> tags. After all, since the data is
redundant, the tag-rule definitions in the AS policy file should be very
close. As an added bonus, it required little modification to AS.

As an example, imagine an embed code like this:

<object width="560" height="340">
	<param name="movie" value="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></param>
	<param name="allowFullScreen" value="true"></param>
	<param name="allowscriptaccess" value="always"></param>
	<embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
		type="application/x-shockwave-flash"
		allowscriptaccess="always"
		allowfullscreen="true" width="560" height="340"></embed>
</object>

With a certain directive activated, AS internally converts the <param>
tags to think of them as:

<object width="560" height="340">
	<embed movie="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></embed>
	<embed allowFullScreen="true"></embed>
	<embed allowscriptaccess="always"></embed>
	<embed src="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"
		type="application/x-shockwave-flash"
		allowscriptaccess="always"
		allowfullscreen="true" width="560" height="340"></embed>
</object>

With the following directive set in the policy file:

<directive name="validateParamAsEmbed" value="true" />

The output, of course, comes out looking correct, like the first embed
code, assuming you've allowed these tags and attributes.

In order for this directive to activate, it first checks for the
following:
--the validateParamAsEmbed directive is set to "true"
--there is no tag-rule for the <param> tag
--there is a tag-rule in place for the <embed> tag
--the <embed> tag-rule action is "validate"

It is finished and we will be deploying it at my work. I'll be
committing it to the AS SVN repo just as soon as they let me =) Enjoy!

--Erik Innocent
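To make the param-as-embed behaviour described above concrete, here is an added Python model of it; it is not AntiSamy's code (which is Java) and does not use its API. It checks the four activation preconditions from the post, then validates each <param name=X value=Y> as though it were <embed X="Y"> against per-attribute regexes. The policy dictionary, the case-insensitive attribute-name comparison, the restrictive allowscriptaccess pattern and the sample markup are all constructed assumptions for the example.

```python
import re

# Constructed policy fragment modelling the relevant parts of an AntiSamy policy
# file (assumption: not AntiSamy's loader or data model).
POLICY = {
    "directives": {"validateParamAsEmbed": "true"},
    "tag_rules": {
        "object": {"action": "validate", "attributes": {"width": r"\d+", "height": r"\d+"}},
        "embed": {"action": "validate", "attributes": {
            "src": r"https?://www\.youtube\.com/v/[\w&=?.-]+",
            "movie": r"https?://www\.youtube\.com/v/[\w&=?.-]+",
            "type": r"application/x-shockwave-flash",
            "allowfullscreen": r"true|false",
            # Deliberately restrictive: "always" lets the SWF call into page script.
            "allowscriptaccess": r"never|sameDomain",
            "width": r"\d+", "height": r"\d+",
        }},
    },
}

PARAM_TAG = re.compile(r"<param\b([^>]*)>(?:\s*</param>)?", re.IGNORECASE)
ATTR = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')

def param_as_embed_active(policy):
    """The four preconditions listed in the post, checked in order."""
    directives, rules = policy["directives"], policy["tag_rules"]
    embed = rules.get("embed")
    return (directives.get("validateParamAsEmbed") == "true"
            and "param" not in rules
            and embed is not None
            and embed["action"] == "validate")

def validate_param_tags(markup, policy):
    """Return (filtered markup, list of (name, value) params that were dropped).

    A <param name=X value=Y> survives only if X is an allowed <embed> attribute
    and Y fully matches its regex. Attribute names compare case-insensitively
    (assumption), so allowFullScreen and allowfullscreen agree. With the
    directive inactive every <param> is stripped, the behaviour that broke IE."""
    active = param_as_embed_active(policy)
    allowed = policy["tag_rules"]["embed"]["attributes"] if active else {}
    dropped = []
    def repl(match):
        attrs = dict(ATTR.findall(match.group(1)))
        name, value = attrs.get("name", ""), attrs.get("value", "")
        pattern = allowed.get(name.lower())
        if pattern and re.fullmatch(pattern, value):
            return f'<param name="{name}" value="{value}"></param>'
        dropped.append((name, value))
        return ""
    return PARAM_TAG.sub(repl, markup), dropped

# Constructed sample, taken from the <param> tags in the embed code above.
SAMPLE = """<object width="560" height="340">
<param name="movie" value="http://www.youtube.com/v/IyAyd4WnvhU&hl=en&fs=1&"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
</object>"""
```

Running `validate_param_tags(SAMPLE, POLICY)` keeps the movie and allowFullScreen params and drops allowscriptaccess="always", because the constructed policy only permits "never" or "sameDomain" for that attribute.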
