Feature Proposal: Deprecate and restrict VarHTTP and VarHTTPS macros due to security concerns

Motivation

Our friends over at http://twiki.org/cgi-bin/view/Codev/RestrictVarHTTP have identified a security problem: we ship a couple of macros (VarHTTP and VarHTTPS) which happily expose arbitrary request headers, including the Cookie header and with it the httpOnly session cookie, in the HTML body.

The httpOnly flag exists precisely to keep the session cookie out of reach of document.cookie, but once a topic renders %HTTP{"Cookie"}% the value sits in the DOM like any other text. So if a Foswiki installation is vulnerable to arbitrary script injection, or an attacker finds some other way to plant malicious JS into a wiki somewhere, they could craft a JS program which reads that rendered text and harvests the SID values of visitors.

Description and Documentation

It is the opinion of PaulHarvey that hardly anybody has used these macros and it's likely that if we purged them from the default Foswiki distribution, hardly anybody would miss them.

But we should respect legacy.

This proposal could go a few different ways:
  • Delete the HTTP and HTTPS macros and move them into a plugin for those that need them.
  • Implement the change being pursued by the TWiki community at http://twiki.org/cgi-bin/view/Codev/RestrictVarHTTP, which adds a new config variable $TWiki::cfg{HTTP}{HiddenFields} = [qw(cookie)]; to blacklist certain headers so the macros will not expose them. Anything not on the list is still exposed.
  • This proposal: implement a slightly different change. Deprecate the macros for removal in a future release, and add a new config variable $Foswiki::cfg{HTTP}{AllowedFields} = ['Accept-Language']; which whitelists the headers these macros may expose. Anything not on the list is hidden.

Examples

Impact


Implementation

-- Contributors: PaulHarvey - 12 Nov 2012

Discussion

The documentation suggests you can use %HTTPS% to detect an https request, but my testing on my own mixed http/https site seems to show the two macros HTTP vs HTTPS behave exactly the same, so I don't understand how to use them for this purpose. In any case, you could use an IfStatement matching on VarSCRIPTURL instead, among other methods.

-- PaulHarvey - 12 Nov 2012

The obvious - and much more controlled - way to deliver environment variables is with %ENV. HTTP/HTTPS should be deprecated in 1.2.0.

-- CrawfordCurrie - 21 Jun 2014

Changing to AcceptedProposal, and making myself the Author now that PaulHarvey is not around much any more.

-- GeorgeClark - 09 Sep 2015

Changing the proposal just a bit. Make it similar to AccessibleENV in naming, but still keep it a list rather than a regex.
  • $Foswiki::cfg{AccessibleHeaders} = ['Accept-Language', 'User-Agent'];

-- GeorgeClark - 12 Nov 2015
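To make the difference between the two approaches listed in the proposal concrete (the TWiki HiddenFields blacklist versus the allowlist that the discussion above finally named $Foswiki::cfg{AccessibleHeaders}), here is a small stand-alone Perl script. It is an added example, not Foswiki's or TWiki's own code: the function names, the mapping of header names to CGI-style HTTP_* environment variables and the sample request environment are all assumptions made for illustration. The check normalises header-name case before comparing, because HTTP header names are case-insensitive and a list entry of `cookie` must also stop %HTTP{"Cookie"}% and %HTTP{"COOKIE"}%.

```perl
#!/usr/bin/env perl
# Added example (not Foswiki's own code): compare a header blacklist with a
# header allowlist for a %HTTP{"..."}%-style macro, using a constructed
# CGI-style environment as the request.
use strict;
use warnings;

# Constructed sample of what a CGI environment carries for one request.
# The cookie value is made up for the example.
my %sample_env = (
    HTTP_ACCEPT_LANGUAGE => 'en-AU,en;q=0.8',
    HTTP_USER_AGENT      => 'Mozilla/5.0 (X11; Linux x86_64)',
    HTTP_COOKIE          => 'FOSWIKISID=0123456789abcdef; FOSWIKISTRIKEONE=1',
    HTTP_X_FORWARDED_FOR => '10.0.0.7',
);

# Lower-case the name and unify '-'/'_' so that Cookie, cookie, COOKIE and
# cookie_ all compare equal; header names are case-insensitive in HTTP.
sub canonical_header {
    my ($name) = @_;
    $name = lc $name;
    $name =~ s/_/-/g;
    return $name;
}

# Accept-Language -> HTTP_ACCEPT_LANGUAGE, the usual CGI convention.
sub env_key {
    my ($name) = @_;
    my $key = uc canonical_header($name);
    $key =~ s/-/_/g;
    return "HTTP_$key";
}

# Blacklist (TWiki-style HiddenFields): listed names are hidden, every
# other header the server happens to pass through is exposed.
sub render_http_macro_blacklist {
    my ($name, $env, $hidden) = @_;
    my %hidden = map { canonical_header($_) => 1 } @$hidden;
    return '' if $hidden{ canonical_header($name) };
    return $env->{ env_key($name) } // '';
}

# Allowlist (AccessibleHeaders): only listed names are exposed; headers
# added later by browsers, proxies or load balancers stay hidden by default.
sub render_http_macro_allowlist {
    my ($name, $env, $allowed) = @_;
    my %allowed = map { canonical_header($_) => 1 } @$allowed;
    return '' unless $allowed{ canonical_header($name) };
    return $env->{ env_key($name) } // '';
}

my @hidden  = qw(cookie);                        # TWiki proposal value
my @allowed = ( 'Accept-Language', 'User-Agent' ); # value from this proposal

# Cookie and COOKIE are stopped by both once case is normalised;
# X-Forwarded-For shows the header the blacklist never thought of.
for my $requested (qw(Accept-Language Cookie COOKIE X-Forwarded-For)) {
    printf "%-16s blacklist=%-45s allowlist=%s\n", $requested,
        "'" . render_http_macro_blacklist($requested, \%sample_env, \@hidden) . "'",
        "'" . render_http_macro_allowlist($requested, \%sample_env, \@allowed) . "'";
}
```

Run it with `perl` and compare the two columns: the blacklist hides exactly what an administrator remembered to list, while the allowlist only ever emits the two headers named in the configuration, which is why the proposal settled on a list of accessible headers rather than hidden ones.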
 
Topic revision: r8 - 16 Nov 2015, GeorgeClark