Security: Comments can still be used to smuggle arbitrary CSS #1794
Comments
Is logged in 1.38.7b12 |
Can't repro that on Firefox. |
The commit gorhill/uBlock@4f92338 made the issue here go away. Also, there is no need to use words like smuggle or arbitrary when it's already allowed by design to apply
|
@gorhill The background colour was only to demonstrate the issue. It's possible to use background URLs too. Which isn't possible with a cosmetic filter, right? That's why I said arbitrary CSS, because normally this wouldn't be allowed. |
Please provide a proof of concept. |
Sure ...
|
Thanks, I can reproduce. This commit was specifically looking for an opening comment in style declarations, while in the current case the opening comment is outside a style declaration. The filter Currently when this happens, uBO tries to compile the filter as a procedural one, but ends up rejecting it because implicitly global procedural filters are forbidden. So I tried So it appears by chance this commit took care of the issue here. |
Prerequisites
I tried to reproduce the issue when...
Description
This bug is related to #1693 and was marked fixed. However, it's still possible to smuggle arbitrary CSS through filter selectors. The following filter list causes a CSS injection:
The {} is used to make the CSS parser drop everything before it as an invalid selector. This then allows you to define your own selector; in this case I make the background red, but you could change it to use background URLs etc.
A specific URL where the issue occurs
https://portswigger-labs.net/
Steps to Reproduce
Expected behavior
The background should not appear red and arbitrary CSS should not be allowed to be injected.
Actual behavior
The filter injects CSS onto the page and the background goes red.
uBlock Origin version
1.38.4
Browser name and version
Chrome 95.0.4638.69
Operating System and version
MacOS 10.15.7
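
The report above describes selector text that, once placed in a generated style rule, ends the selector early with `{}` or a comment and begins a rule of its own. As an added example (not uBlock Origin's code and not the change in gorhill/uBlock@4f92338), this JavaScript check rejects selector text that could leave the selector position; the function name and the sample selectors are constructed for illustration and are not the reporter's proof of concept.

```javascript
// Added example, not uBlock Origin code. Returns null when `selector` can be
// placed before "{...}" in a generated rule, else the reason it is rejected.
function findSelectorBreakout(selector) {
  let quote = null;   // open string delimiter, or null when outside a string
  const stack = [];   // closers expected for open "[" and "(" blocks
  for (let i = 0; i < selector.length; i++) {
    const ch = selector[i];
    if (ch === '\n' || ch === '\r' || ch === '\f') return 'newline';
    if (ch === '\\') {
      // CSS escape: the next character is literal, e.g. "\{" is not a brace.
      if (i + 1 >= selector.length) return 'dangling escape';
      i++;
      if ('\n\r\f'.includes(selector[i])) return 'newline';
      continue;
    }
    if (quote !== null) {
      if (ch === quote) quote = null;   // braces inside strings are inert
      continue;
    }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    if (ch === '/' && selector[i + 1] === '*') return 'comment opener';
    if (ch === '*' && selector[i + 1] === '/') return 'comment closer';
    if (ch === '{' || ch === '}') return 'brace';
    if (ch === '[') { stack.push(']'); continue; }
    if (ch === '(') { stack.push(')'); continue; }
    if ((ch === ']' || ch === ')') && stack.pop() !== ch) return 'unbalanced bracket';
  }
  // An open string or bracket would swallow the "{" the caller appends.
  if (quote !== null) return 'unterminated string';
  if (stack.length !== 0) return 'unbalanced bracket';
  return null;
}

// Constructed sample selectors (not the reporter's proof of concept).
const samples = [
  '.ad-banner',        // plain class selector
  'a[href*="/*{}"]',   // braces and "/*" inside a quoted attribute value
  '.a\\{b',            // escaped brace is part of the identifier
  '.x{}body',          // empty block closes the rule early
  '.x/*',              // comment opened outside any declaration
  'a[title="x',        // string left open
  'div:not(.a',        // parenthesis left open
];
for (const s of samples) {
  console.log(JSON.stringify(s), '=>', findSelectorBreakout(s) ?? 'ok');
}
```
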