
Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Mon, 02 Jul 2018 02:42:40 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-401656627-1530499359-sysbot+gh@w3.org>
The attack scenario is:

1. Find a browser that stores some website-based information (like localStorage or something) in a file-based database (like sqlite).
2. Evil site, upon being visited, stores a hostile string into that database, which contains something like `};};}; body { --foo:`.
3. Evil site then loads that database as a local stylesheet with `<link rel=stylesheet href="file:...">`.
4. Evil site queries `getComputedStyle(document.body).getPropertyValue("--foo")`, and captures all of the contents of the file between where the string got stored and the next byte that gets interpreted as a `;` character. This is potentially a large chunk of the file, grabbing information from other sites.

Replacing NULL with U+FFFD doesn't solve this problem; that character is allowed in custom properties.  Thus my minimal proposal of making a NULL automatically invalid in *all* contexts, so the custom property would be thrown out at parse time assuming that a NULL gets captured in the value (which is likely in the attack scenario mentioned; you'll probably find NULL bytes in a SQLite file).  The maximal proposal, of invalidating the entire stylesheet if there's a NULL anywhere, would make it even safer, while having a fairly minimal chance of impact on *actual* stylesheets.

-- 
GitHub Notification of comment by tabatkins
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-401656627 using your GitHub account
Received on Monday, 2 July 2018 02:42:42 UTC
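The four-step scenario in the message above, as an added example that is not code from the thread, from the CSSWG or from any browser: a JavaScript simulation of how much of a local file the injected `--foo:` declaration swallows, and what survives under three NULL-handling policies (the then-current "replace NULL with U+FFFD" rule, the minimal "NULL invalidates the declaration" proposal, and the maximal "NULL invalidates the stylesheet" proposal). The fake database contents are constructed for the example, and the value scanner is a simplified version of the css-syntax "consume a declaration" rule that balances brackets but ignores string and comment tokens; a real parser would also end the capture at a newline inside an unterminated string.

```javascript
// Added example: simulate the local-file exfiltration via a CSS custom property.
// Not code from the CSSWG thread; the data below is constructed, not real.

// The hostile string the evil site stores into the browser's file-backed DB (from the thread).
const INJECTED = "};};}; body { --foo:";

// Constructed stand-in for a database file: another origin's record, NUL padding,
// the hostile string, then a record from a third origin that should stay private.
const FAKE_DB_FILE =
  "\u0000\u0000site-a.example:session=abc123\u0000\u0000" +
  INJECTED +
  "\u0000\u0000site-b.example:token=s3cr3t\u0000\u0000other;trailing";

// Same layout but with no NUL bytes at all (a text-only store), to show the caveat
// in the message: the NULL-based proposals only help when a NULL lands in the value.
const FAKE_DB_FILE_NO_NUL =
  "site-a.example:session=abc123\n" +
  INJECTED +
  "\nsite-b.example:token=s3cr3t\nmore;";

// Return the raw value of custom property `name` in `text`, or null if absent.
// Simplified css-syntax declaration rule: the value runs until a `;` at nesting
// depth 0 or the `}` that closes the enclosing block; {}, [] and () are balanced.
// Strings and comments are not modelled (simplification for the example).
function customPropertyValue(text, name) {
  let i = text.indexOf(name);
  if (i === -1) return null;
  i += name.length;
  while (i < text.length && /\s/.test(text[i])) i++;
  if (text[i] !== ":") return null;
  i++;
  const start = i;
  let depth = 0;
  for (; i < text.length; i++) {
    const c = text[i];
    if ("{[(".includes(c)) {
      depth++;
    } else if ("}])".includes(c)) {
      if (depth > 0) depth--;
      else if (c === "}") break;       // stray ] or ) at depth 0 is just a bad token
    } else if (c === ";" && depth === 0) {
      break;
    }
  }
  return text.slice(start, i).trim();
}

// What `getComputedStyle(document.body).getPropertyValue("--foo")` would hand the
// attacker if `fileText` were loaded as a stylesheet under the given policy.
//   "replace"             : NULL -> U+FFFD, declaration kept (pre-change spec behaviour)
//   "invalid-declaration" : any NULL in the value drops the declaration (minimal proposal)
//   "invalid-stylesheet"  : any NULL anywhere drops the whole sheet (maximal proposal)
// Returns the captured string, or null when nothing reaches the attacker.
function simulateAttack(fileText, policy) {
  if (policy === "invalid-stylesheet" && fileText.includes("\u0000")) return null;
  const raw = customPropertyValue(fileText, "--foo");
  if (raw === null) return null;
  if (policy === "invalid-declaration" && raw.includes("\u0000")) return null;
  if (policy === "replace") return raw.replace(/\u0000/g, "\uFFFD");
  if (policy === "invalid-declaration" || policy === "invalid-stylesheet") return raw;
  throw new Error("unknown policy: " + policy);
}

for (const policy of ["replace", "invalid-declaration", "invalid-stylesheet"]) {
  console.log(`NUL-padded file, ${policy}:`, JSON.stringify(simulateAttack(FAKE_DB_FILE, policy)));
  console.log(`NUL-free file,   ${policy}:`, JSON.stringify(simulateAttack(FAKE_DB_FILE_NO_NUL, policy)));
}
```

Run with `node` and compare the two files: with NUL padding around the records, only the "replace" policy leaks `site-b.example:token=s3cr3t`, while both invalidation proposals return nothing. With a NUL-free file all three policies leak, which is exactly the "assuming that a NULL gets captured in the value" condition the message attaches to the minimal proposal; the maximal proposal closes more cases only because real binary formats rarely go long without a NUL byte.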