Lift security vulnerability

20 views
Skip to first unread message

David Pollak

unread,
Feb 2, 2010, 7:57:13 PM2/2/10
to liftweb
Folks,

Turns out there's a security vulnerability in Lift.  It's possible to insert control characters into input fields.  When the control characters are sent back to the browser, the browser will choke.  An example can be seen at http://demo.liftweb.net  Go to that page, enter your name in the chat input box and then reload the page.  In Firefox, the page will not be rendered at all.  In Chrome, rendering will stop at the point that the control character is encountered.  This can cause a denial of service attack on any page that contains user input.

I will work on a fix for this vulnerability (filter control characters other than \n and \r from Text fields when the page is being sent back to the browser.)

I'd like to get a sense of how important the community views this defect.  Is it a "backport the fix to every milestone and release yesterday" or is it a "fix it in 2.0-M2" or someplace in between.

Thanks,

David

--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics

Naftoli Gugenheim

unread,
Feb 2, 2010, 8:28:04 PM2/2/10
to liftweb
Is that not a defect of the browsers?

> --
> You received this message because you are subscribed to the Google Groups
> "Lift" group.
> To post to this group, send email to lif...@googlegroups.com.
> To unsubscribe from this group, send email to
> liftweb+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/liftweb?hl=en.
>

Naftoli Gugenheim

unread,
Feb 2, 2010, 8:31:18 PM2/2/10
to liftweb
If you scan the whole page wouldn't it affect performance? Or will you
put a safeguard in the input field / processing query parameters?

2010/2/2 Naftoli Gugenheim <nafto...@gmail.com>:

David Pollak

unread,
Feb 2, 2010, 8:43:45 PM2/2/10
to lif...@googlegroups.com
The xml spec only allows tab, cr, and lf... no other control chars.

The defect is in the scala.xml.Utility.escape method

This method is an amazing piece of crap... every character in the string is wrapped in a Character object and then wrapped in a Cons cell. 

The fix will improve performance radically.

Connected by MOTOBLUR™ on T-Mobile

-----Original message-----
From: Naftoli Gugenheim <nafto...@gmail.com>
To:
liftweb <lif...@googlegroups.com>
Sent:
Wed, Feb 3, 2010 01:31:24 GMT+00:00
Subject:
Re: [Lift] Lift security vulnerability

If you scan the whole page wouldn't it affect performance? Or will you
put a safeguard in the input field / processing query parameters?

2010/2/2 Naftoli Gugenheim :

> Is that not a defect of the browsers?
>

Naftoli Gugenheim

unread,
Feb 2, 2010, 8:46:26 PM2/2/10
to liftweb
Exciting! :)

David Pollak

unread,
Feb 3, 2010, 12:38:15 AM2/3/10
to lif...@googlegroups.com
On Tue, Feb 2, 2010 at 5:43 PM, David Pollak <feeder.of...@gmail.com> wrote:
The xml spec only allows tab, cr, and lf... no other control chars.

The defect is in the scala.xml.Utility.escape method

This method is an amazing piece of crap... every character in the string is wrapped in a Character object and then wrapped in a Cons cell. 

Okay... I was wrong about this... the RichString.elements method returns an Iterator.  My patch gives a 3x performance improvement over Scala 2.7.7 and a 4x improvement over 2.8.

The patch is submitted: http://lampsvn.epfl.ch/trac/scala/ticket/3014

I will also put a patch to Lift on review board in a few minutes.
 

aw

unread,
Feb 3, 2010, 1:42:16 AM2/3/10
to Lift

On Feb 2, 4:57 pm, David Pollak <feeder.of.the.be...@gmail.com> wrote:
> I'd like to get a sense of how important the community views this defect.
> Is it a "backport the fix to every milestone and release yesterday" or is it
> a "fix it in 2.0-M2" or someplace in between.

I vote for 2.0-M2.

Jeppe Nejsum Madsen

unread,
Feb 3, 2010, 4:49:04 AM2/3/10
to lif...@googlegroups.com
David Pollak <feeder.of...@gmail.com> writes:

> I'd like to get a sense of how important the community views this defect.
> Is it a "backport the fix to every milestone and release yesterday" or is it
> a "fix it in 2.0-M2" or someplace in between.

For me, it's fix it in 2.0-SNAPSHOT

/Jeppe

Timothy Perrett

unread,
Feb 3, 2010, 5:04:37 AM2/3/10
to lif...@googlegroups.com
+1

Fix it in head, no need to back-port; M2 is only around the corner.

Cheers, Tim

Indrajit Raychaudhuri

unread,
Feb 3, 2010, 9:20:43 AM2/3/10
to lif...@googlegroups.com
1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.

2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x
'unsupported' yet. Forcing apps to move to 2.0-M2 just for this
vulnerability fix isn't fun.

Cheers, Indrajit

Feng Zhang

unread,
Feb 3, 2010, 10:39:17 AM2/3/10
to lif...@googlegroups.com
I found that in the fix, \n is changed to \t, while \t to \n. Is this desired behavior?

Thank you,

Feng

David Pollak

unread,
Feb 3, 2010, 12:08:48 PM2/3/10
to lif...@googlegroups.com
Thanks for pointing that out.  There are other problems as well... I'll fix them (in both the Scala and Lift diffs)

Dano

unread,
Feb 17, 2010, 2:06:59 PM2/17/10
to Lift
Hello,

I was wondering if the fix for the control characters issue was
included in 2.0-M2. I just did a test with our Lift application built
with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions
- NS_ERROR_INVALID_POINTER).

Thanks in advance.


Dan

On Feb 3, 9:08 am, David Pollak <feeder.of.the.be...@gmail.com> wrote:
> Thanks for pointing that out.  There are other problems as well... I'll fix
> them (in both the Scala and Lift diffs)
>
>
>
>
>
> On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang <sharpzh...@gmail.com> wrote:
> > I found that in the fix, \n is changed to \t, while \t to \n. Is this
> > desired behavior?
>
> > Thank you,
>
> > Feng
>

> > On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri <indraj...@gmail.com


> > > wrote:
>
> >> 1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
>
> >> 2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x
> >> 'unsupported' yet. Forcing apps to move to 2.0-M2 just for this
> >> vulnerability fix isn't fun.
>
> >> Cheers, Indrajit
>
> >> On 03/02/10 3:34 PM, Timothy Perrett wrote:
>
> >>> +1
>
> >>> Fix it in head, no need to back-port; M2 is only around the corner.
>
> >>> Cheers, Tim
>
> >>> On 3 Feb 2010, at 09:49, Jeppe Nejsum Madsen wrote:
>

> >>>  David Pollak<feeder.of.the.be...@gmail.com>  writes:


>
> >>>>  I'd like to get a sense of how important the community views this
> >>>>> defect.
> >>>>> Is it a "backport the fix to every milestone and release yesterday" or
> >>>>> is it
> >>>>> a "fix it in 2.0-M2" or someplace in between.
>
> >>>> For me, it's fix it in 2.0-SNAPSHOT
>
> >>>> /Jeppe
>
> >>>> --
> >>>> You received this message because you are subscribed to the Google
> >>>> Groups "Lift" group.
> >>>> To post to this group, send email to lif...@googlegroups.com.
> >>>> To unsubscribe from this group, send email to

> >>>> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >


> >>>> .
> >>>> For more options, visit this group at
> >>>>http://groups.google.com/group/liftweb?hl=en.
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Lift" group.
> >> To post to this group, send email to lif...@googlegroups.com.
> >> To unsubscribe from this group, send email to

> >> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >


> >> .
> >> For more options, visit this group at
> >>http://groups.google.com/group/liftweb?hl=en.
>
> >  --
> > You received this message because you are subscribed to the Google Groups
> > "Lift" group.
> > To post to this group, send email to lif...@googlegroups.com.
> > To unsubscribe from this group, send email to

> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >


> > .
> > For more options, visit this group at
> >http://groups.google.com/group/liftweb?hl=en.
>
> --
> Lift, the simply functional web frameworkhttp://liftweb.net

> Beginning Scalahttp://www.apress.com/book/view/1430219890

Dano

unread,
Feb 22, 2010, 4:34:44 PM2/22/10
to Lift
More information on this in case anyone is interested. If you go to
the lift demo website, it appears the issue with characters is mostly
addressed except for the "Misc code" section. Specifically, the
"Wizard", "Wizard Challenge" and "Arc Challenge #1" examples will
generate XML parsing errors.

For these problems, I am not sure if the issue if the example or the
framework. If the issue is with the example, it would be good to know
what Lift apps need to do to avoid getting bitten by binary characters
entered into form fields.

Thanks in advance.


Dan

Dano

unread,
Feb 24, 2010, 2:49:52 PM2/24/10
to Lift
The recent scala days conference activity may have cause the updates
to this thread to escape notice. Just wondering if there is concern
about the remaining binary character problems I noted in my prior
post.

Thanks in advance.


Dan

Dano

unread,
Mar 4, 2010, 7:33:22 PM3/4/10
to Lift
Just saw that Lift 2.0-M3 was released. I looked to see if the
vulnerability was still present in demo.liftweb.net and I am still
able to generate exceptions in the browser when I paste binary
characters in the textfields for the Wizard, Wizard Challenge, and Arc
Challenge examples in the Misc section.

Don't know if this remaining problem is supposed to be handled by the
application or framework, but thought I would make a post to alert the
group.


Dan

On Feb 24, 11:49 am, Dano <olearydani...@gmail.com> wrote:
> The recent scala days conference activity may have cause the updates
> to this thread to escape notice.  Just wondering if there is concern
> about the remaining binary character problems I noted in my prior
> post.
>
> Thanks in advance.
>
> Dan
>
> On Feb 22, 1:34 pm, Dano <olearydani...@gmail.com> wrote:
>
> > More information on this in case anyone is interested.  If you go to

> > theliftdemo website, it appears the issue with characters is mostly


> > addressed except for the "Misc code" section.   Specifically, the
> > "Wizard", "Wizard Challenge" and "Arc Challenge #1" examples will
> > generate XML parsing errors.
>
> > For these problems, I am not sure if the issue if the example or the
> > framework.  If the issue is with the example, it would be good to know

> > whatLiftapps need to do to avoid getting bitten by binary characters


> > entered into form fields.
>
> > Thanks in advance.
>
> > Dan
>
> > On Feb 17, 11:06 am, Dano <olearydani...@gmail.com> wrote:
>
> > > Hello,
>
> > > I was wondering if the fix for the control characters issue was

> > > included in 2.0-M2.  I just did a test with ourLiftapplication built

David Pollak

unread,
Mar 4, 2010, 8:01:28 PM3/4/10
to lif...@googlegroups.com
On Thu, Mar 4, 2010 at 4:33 PM, Dano <oleary...@gmail.com> wrote:
Just saw that Lift 2.0-M3 was released.  I looked to see if the
vulnerability was still present in demo.liftweb.net

And the astute and not-so-astute observer will note at the bottom of each page on demo.liftweb.net:
Lift version 1.1-SNAPSHOT built on Tue Nov 24 13:58:20 PST 2009.
       
If you have a reproducible case (running against Lift 2.0-M3 or 2.0-SNAPSHOT) of the security vulnerability, you are welcome to submit it as a ticket.
 
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.

For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.




--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890

Naftoli Gugenheim

unread,
Mar 4, 2010, 7:49:43 PM3/4/10
to lif...@googlegroups.com
What version is the demo running?

-------------------------------------
Dano<oleary...@gmail.com> wrote:

Just saw that Lift 2.0-M3 was released. I looked to see if the

vulnerability was still present in demo.liftweb.net and I am still

Ross Mellgren

unread,
Mar 4, 2010, 10:33:57 PM3/4/10
to lif...@googlegroups.com
Check dpp's response as of 8:01

-Ross

Dano

unread,
Mar 5, 2010, 12:32:32 PM3/5/10
to Lift
I would never claim to be astute. However, I did observe that
demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the
bottom of the page. I also observed that the Wizard example is still
broken (paste binary characters into 'First Name' and then click the
Next button). I have not yet registered for an account with Assembla
but would be happy to file the bug.


Dan

On Mar 4, 7:33 pm, Ross Mellgren <dri...@gmail.com> wrote:
> Check dpp's response as of 8:01
>
> -Ross
>
> On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
>
>
>
> > What version is the demo running?
>
> > -------------------------------------

> > For more options, visit this group athttp://groups.google.com/group/liftweb?hl=en.

Naftoli Gugenheim

unread,
Mar 5, 2010, 12:47:32 PM3/5/10
to lif...@googlegroups.com
Can you reproduce the vulnerability in your own M3 app?

-------------------------------------

Dano

unread,
Mar 5, 2010, 12:53:46 PM3/5/10
to Lift
I can reproduce it in our application, but I think it is not
necessarily due to Lift. This is what I am trying to sort out. We
have client-side javascript which is sending JSON commands to the
server and things blow up once things come back from the server. In
this case, Lift is not responsible for the rendering so I would say
this is an application issue.

I am poking at the demo lift application to try to flush out issues
common to the group and understand what is a framework issue and what
needs to be addressed by the application.

Thanks.


Dan

On Mar 5, 9:47 am, Naftoli Gugenheim <naftoli...@gmail.com> wrote:
> Can you reproduce the vulnerability in your own M3 app?
>
> -------------------------------------
>

Dano

unread,
Mar 5, 2010, 1:26:41 PM3/5/10
to Lift
I think I would like to amend my last post by asking if it is possible
that the lift-json library support the ability to strip out binary
characters since many times an application uses the results of JSON
operations to render back to the client.

Thanks.


Dan

David Pollak

unread,
Mar 5, 2010, 1:41:47 PM3/5/10
to lif...@googlegroups.com
On Fri, Mar 5, 2010 at 9:32 AM, Dano <oleary...@gmail.com> wrote:
I would never claim to be astute.  However, I did observe that
demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the
bottom of the page.  I also observed that the Wizard example is still
broken (paste binary characters into 'First Name' and then click the
Next button).  I have not yet registered for an account with Assembla
but would be happy to file the bug.

I don't know what you mean by "pasting binary characters" into a field, but I have updated the Arc Challenge code to:
class ArcChallenge extends StatefulSnippet {
  var dispatch: DispatchIt = {case _ => xhtml => ask}

  def control: String = (for (i <- 0 until 65000) yield i.toChar).mkString

  /**
   * Step 1: Type in a Phrase.
   */
  def ask = {
    <p>
    Say Anything:
    {text("", p => phrase = control + p + control)}
    {submit("Submit", () => dispatch = {case _ => xhtml => think})}
    </p>
  }

  /**
   * Step 2: Show a link that takes you to the Phrase you entered.
   */
  def think = submit("Click here to see what you said",
             () => dispatch = {case _ => xhtml => answer})

  /**
   * Step 3: Show the phrase.
   */
  def answer = <p>You said: {phrase}</p>

  private var phrase = ""
}
}
}

This code inserts characters 0 - 65,000 into the string to be sent back to the browser, including every control character.

Once again, if you have a reproducible case (the exact steps that someone must follow) to cause Lift to emit illegal XHTML, please open a defect on Assembla
 



--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890

David Pollak

unread,
Mar 5, 2010, 1:49:03 PM3/5/10
to lif...@googlegroups.com
On Fri, Mar 5, 2010 at 10:26 AM, Dano <oleary...@gmail.com> wrote:
I think I would like to amend my last post by asking if it is possible
that the lift-json library support the ability to strip out binary
characters since many times an application uses the results of JSON
operations to render back to the client.

Control characters are legal in JSON so it's not the place of the library to strip out control characters.

If you're sending JSON strings that are supposed to be valid XHTML, then it's up to your app to make sure the Strings are valid.  If you are using Scala's XML literals and "toString", you are hitting a bug in the XML libraries that render incorrect Strings.  I have fixed the bug in the 2.8 branch, but there's no practical way to go back and make the fix part of 2.7.x.

If you use Lift's AltXML library to convert the XML to String.  Lift's library also has the patch to ensure that XML -> String is valid per this W3C page: http://www.w3.org/International/questions/qa-controls
 



--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890

Timothy Perrett

unread,
Mar 5, 2010, 2:26:04 PM3/5/10
to lif...@googlegroups.com
Agreed - it works fine even with double byte characters...

Cheers, Tim

Dano

unread,
Mar 5, 2010, 3:06:30 PM3/5/10
to Lift
I should have been more clear on 'pasting binary characters'. At the
url http://www.webmasterworld.com/forum39/1098.htm, they talk about an
issue with binary characters. I copied the 'square character' text
(which I have confirmed are binary) from that page into the Wizard
example on the demo lift site.

As to JSON, our client side code is sending JSON containing what the
user entered in the form. Based on the above, it sounds like we
should strip the binary characters when processing the JSON commands.

Thanks.


Dan


On Mar 5, 10:49 am, David Pollak <feeder.of.the.be...@gmail.com>
wrote:

> > <liftweb%2Bunsu...@googlegroups.com<liftweb%252Bunsubscribe@googlegroup s.com>>


> > > > > >>>>>>>>> .
> > > > > >>>>>>>>> For more options, visit this group at
> > > > > >>>>>>>>>http://groups.google.com/group/liftweb?hl=en.
>
> > > > > >>>>>>> --
> > > > > >>>>>>> You received this message because you are subscribed to the
> > Google Groups
> > > > > >>>>>>> "Lift" group.
> > > > > >>>>>>> To post to this group, send email to
> > lif...@googlegroups.com.
> > > > > >>>>>>> To unsubscribe from this group, send email to
> > > > > >>>>>>> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >

> > <liftweb%2Bunsu...@googlegroups.com<liftweb%252Bunsubscribe@googlegroup s.com>>


> > > > > >>>>>>> .
> > > > > >>>>>>> For more options, visit this group at
> > > > > >>>>>>>http://groups.google.com/group/liftweb?hl=en.
>
> > > > > >>>>>>  --
> > > > > >>>>>> You received this message because you are subscribed to the
> > Google Groups
> > > > > >>>>>> "Lift" group.
> > > > > >>>>>> To post to this group, send email to lif...@googlegroups.com
> > .
> > > > > >>>>>> To unsubscribe from this group, send email to
> > > > > >>>>>> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >

> > <liftweb%2Bunsu...@googlegroups.com<liftweb%252Bunsubscribe@googlegroup s.com>>


> > > > > >>>>>> .
> > > > > >>>>>> For more options, visit this group at
> > > > > >>>>>>http://groups.google.com/group/liftweb?hl=en.
>
> > > > > >>>>> --
> > > > > >>>>> Lift, the simply functional web frameworkhttp://liftweb.net
> > > > > >>>>> Beginning Scalahttp://www.apress.com/book/view/1430219890
> > > > > >>>>> Follow me:http://twitter.com/dpp
> > > > > >>>>> Surf the harmonics
>
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google
> > Groups "Lift" group.
> > > > > > To post to this group, send email to lif...@googlegroups.com.
> > > > > > To unsubscribe from this group, send email to

> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > > > > > For more options, visit this group athttp://
> > groups.google.com/group/liftweb?hl=en.
>
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google
> > Groups "Lift" group.
> > > > > > To post to this group, send email to lif...@googlegroups.com.
> > > > > > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > > > > > For more options, visit this group athttp://
> > groups.google.com/group/liftweb?hl=en.
>
> > > > --
> > > > You received this message because you are subscribed to the Google
> > Groups "Lift" group.
> > > > To post to this group, send email to lif...@googlegroups.com.
> > > > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > > > For more options, visit this group athttp://
> > groups.google.com/group/liftweb?hl=en.
>
> > --

> > You received this message because you are subscribed to
>

> ...
>
> read more »

David Pollak

unread,
Mar 5, 2010, 3:21:47 PM3/5/10
to lif...@googlegroups.com
On Fri, Mar 5, 2010 at 12:06 PM, Dano <oleary...@gmail.com> wrote:
I should have been more clear on 'pasting binary characters'.  At the
url http://www.webmasterworld.com/forum39/1098.htm, they talk about an
issue with binary characters.  I copied the 'square character' text
(which I have confirmed are binary) from that page into the Wizard
example on the demo lift site.

Dan,

And I did the same thing and it caused no problems.  I also modified the example code to print out the characters and they were in fact control characters (1 and 4).  They can through the other side (back to my browser) stripped from the XHTML.

As I said, if there is a reproducible case that you can show against Lift 2.0-M3 or 2.0-SNAPSHOT, open a ticket.  However, in the future, please do not expect that I'll spend any more of my time addressing your issues.

David
 
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.

For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.




--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890

Joni Freeman

unread,
Mar 7, 2010, 11:10:20 AM3/7/10
to Lift
Note, it is very easy to clean up the JSON before rendering by using
'map' function:

json map {
case JString(s) => JString(sripOutBinaryChars(s))
case x => x
}

(You just need to implement that sripOutBinaryChars function...).

Cheers Joni

On Mar 5, 8:26 pm, Dano <olearydani...@gmail.com> wrote:
> I think I would like to amend my last post by asking if it is possible

> that the lift-jsonlibrary support the ability to strip out binary


> characters since many times an application uses the results ofJSON
> operations to render back to the client.
>
> Thanks.
>
> Dan
>
> On Mar 5, 9:53 am, Dano <olearydani...@gmail.com> wrote:
>
> > I can reproduce it in our application, but I think it is not
> > necessarily due to Lift.  This is what I am trying to sort out.  We

> > have client-side javascript which is sendingJSONcommands to the

Dano

unread,
Mar 8, 2010, 1:28:30 PM3/8/10
to Lift
Thanks Joni! I appreciate the sample code.


Dan

Reply all
Reply to author
Forward
0 new messages