2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/3a3c1a860c30/ Changeset: 3a3c1a860c30 Branch: stable User: jmchilton Date: 2014-02-21 16:54:53 Summary: Do not serve non-HTML content that may contain JavaScript in such a way that web browsers execute it. This option will prevent Galaxy from correctly rendering SVG files generated from tools or uploaded by users and so can be disabled with by setting the new option serve_xss_vulnerable_mimetypes in universe_wsgi.ini to True. Thanks to Tobias Sargeant for pointing out this problem. Affected #: 3 files diff -r f58179ab488879a1a54821e98b4c65c048fa2fd6 -r 3a3c1a860c306df8d8176b0d2d455a5ed663f597 lib/galaxy/config.py --- a/lib/galaxy/config.py +++ b/lib/galaxy/config.py @@ -207,6 +207,7 @@ self.log_actions = string_as_bool( kwargs.get( 'log_actions', 'False' ) ) self.log_events = string_as_bool( kwargs.get( 'log_events', 'False' ) ) self.sanitize_all_html = string_as_bool( kwargs.get( 'sanitize_all_html', True ) ) + self.serve_xss_vulnerable_mimetypes = string_as_bool( kwargs.get( 'serve_xss_vulnerable_mimetypes', False ) ) self.enable_old_display_applications = string_as_bool( kwargs.get( "enable_old_display_applications", "True" ) ) self.ucsc_display_sites = kwargs.get( 'ucsc_display_sites', "main,test,archaea,ucla" ).lower().split(",") self.gbrowse_display_sites = kwargs.get( 'gbrowse_display_sites', "modencode,sgd_yeast,tair,wormbase,wormbase_ws120,wormbase_ws140,wormbase_ws170,wormbase_ws180,wormbase_ws190,wormbase_ws200,wormbase_ws204,wormbase_ws210,wormbase_ws220,wormbase_ws225" ).lower().split(",") diff -r f58179ab488879a1a54821e98b4c65c048fa2fd6 -r 3a3c1a860c306df8d8176b0d2d455a5ed663f597 lib/galaxy/datatypes/data.py --- a/lib/galaxy/datatypes/data.py +++ b/lib/galaxy/datatypes/data.py @@ -21,6 +21,12 @@ eggs.require( "Paste" ) import paste +XSS_VULNERABLE_MIME_TYPES = [ + 'image/svg+xml', # Unfiltered by Galaxy and may contain JS that would be executed by some browsers. + 'application/xml', # Some browsers will evalute SVG embedded JS in such XML documents. +] +DEFAULT_MIME_TYPE = 'text/plain' # Vulnerable mime types will be replaced with this. + log = logging.getLogger(__name__) comptypes=[] # Is this being used anywhere, why was this here? -JohnC @@ -334,11 +340,12 @@ mime = trans.app.datatypes_registry.get_mimetype_by_extension( ".".split( file_path )[-1] ) except: mime = "text/plain" - trans.response.set_content_type( mime ) + self._clean_and_set_mime_type( trans, mime ) return open( file_path ) else: return trans.show_error_message( "Could not find '%s' on the extra files path %s." % ( filename, file_path ) ) - trans.response.set_content_type(data.get_mime()) + self._clean_and_set_mime_type( trans, data.get_mime() ) + trans.log_event( "Display dataset id: %s" % str( data.id ) ) from galaxy import datatypes #DBTODO REMOVE THIS AT REFACTOR if to_ext or isinstance(data.datatype, datatypes.binary.Binary): # Saving the file, or binary file @@ -624,6 +631,12 @@ dataset_source = dataproviders.dataset.DatasetDataProvider( dataset ) return dataproviders.chunk.Base64ChunkDataProvider( dataset_source, **settings ) + def _clean_and_set_mime_type(self, trans, mime): + if mime.lower() in XSS_VULNERABLE_MIME_TYPES: + if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True ): + mime = DEFAULT_MIME_TYPE + trans.response.set_content_type( mime ) + @dataproviders.decorators.has_dataproviders class Text( Data ): diff -r f58179ab488879a1a54821e98b4c65c048fa2fd6 -r 3a3c1a860c306df8d8176b0d2d455a5ed663f597 universe_wsgi.ini.sample --- a/universe_wsgi.ini.sample +++ b/universe_wsgi.ini.sample @@ -497,6 +497,12 @@ # unaltered output. #sanitize_all_html = True +# By default Galaxy will serve non-HTML tool output that may potentially +# contain browser executable JavaScript content as plain text. This will for +# instance cause SVG datasets to not render properly and so may be disabled +# by setting the following option to True. +#serve_xss_vulnerable_mimetypes = False + # Debug enables access to various config options useful for development and # debugging: use_lint, use_profile, use_printdebug and use_interactive. It # also causes the files used by PBS/SGE (submission script, output, and error) https://bitbucket.org/galaxy/galaxy-central/commits/9c915a92142d/ Changeset: 9c915a92142d Branch: stable User: jmchilton Date: 2014-02-26 17:30:09 Summary: Merged in jmchilton/galaxy-central-fork-1/stable (pull request #333) Disable rendering of user uploaded/tool generated SVG files. Affected #: 3 files diff -r 520c006a361987cf89f77c0e31e259a4a894ef60 -r 9c915a92142d3b796b0df82b8d097e5a5aae678f lib/galaxy/config.py --- a/lib/galaxy/config.py +++ b/lib/galaxy/config.py @@ -207,6 +207,7 @@ self.log_actions = string_as_bool( kwargs.get( 'log_actions', 'False' ) ) self.log_events = string_as_bool( kwargs.get( 'log_events', 'False' ) ) self.sanitize_all_html = string_as_bool( kwargs.get( 'sanitize_all_html', True ) ) + self.serve_xss_vulnerable_mimetypes = string_as_bool( kwargs.get( 'serve_xss_vulnerable_mimetypes', False ) ) self.enable_old_display_applications = string_as_bool( kwargs.get( "enable_old_display_applications", "True" ) ) self.ucsc_display_sites = kwargs.get( 'ucsc_display_sites', "main,test,archaea,ucla" ).lower().split(",") self.gbrowse_display_sites = kwargs.get( 'gbrowse_display_sites', "modencode,sgd_yeast,tair,wormbase,wormbase_ws120,wormbase_ws140,wormbase_ws170,wormbase_ws180,wormbase_ws190,wormbase_ws200,wormbase_ws204,wormbase_ws210,wormbase_ws220,wormbase_ws225" ).lower().split(",") diff -r 520c006a361987cf89f77c0e31e259a4a894ef60 -r 9c915a92142d3b796b0df82b8d097e5a5aae678f lib/galaxy/datatypes/data.py --- a/lib/galaxy/datatypes/data.py +++ b/lib/galaxy/datatypes/data.py @@ -21,6 +21,12 @@ eggs.require( "Paste" ) import paste +XSS_VULNERABLE_MIME_TYPES = [ + 'image/svg+xml', # Unfiltered by Galaxy and may contain JS that would be executed by some browsers. + 'application/xml', # Some browsers will evalute SVG embedded JS in such XML documents. +] +DEFAULT_MIME_TYPE = 'text/plain' # Vulnerable mime types will be replaced with this. + log = logging.getLogger(__name__) comptypes=[] # Is this being used anywhere, why was this here? -JohnC @@ -334,11 +340,12 @@ mime = trans.app.datatypes_registry.get_mimetype_by_extension( ".".split( file_path )[-1] ) except: mime = "text/plain" - trans.response.set_content_type( mime ) + self._clean_and_set_mime_type( trans, mime ) return open( file_path ) else: return trans.show_error_message( "Could not find '%s' on the extra files path %s." % ( filename, file_path ) ) - trans.response.set_content_type(data.get_mime()) + self._clean_and_set_mime_type( trans, data.get_mime() ) + trans.log_event( "Display dataset id: %s" % str( data.id ) ) from galaxy import datatypes #DBTODO REMOVE THIS AT REFACTOR if to_ext or isinstance(data.datatype, datatypes.binary.Binary): # Saving the file, or binary file @@ -624,6 +631,12 @@ dataset_source = dataproviders.dataset.DatasetDataProvider( dataset ) return dataproviders.chunk.Base64ChunkDataProvider( dataset_source, **settings ) + def _clean_and_set_mime_type(self, trans, mime): + if mime.lower() in XSS_VULNERABLE_MIME_TYPES: + if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True ): + mime = DEFAULT_MIME_TYPE + trans.response.set_content_type( mime ) + @dataproviders.decorators.has_dataproviders class Text( Data ): diff -r 520c006a361987cf89f77c0e31e259a4a894ef60 -r 9c915a92142d3b796b0df82b8d097e5a5aae678f universe_wsgi.ini.sample --- a/universe_wsgi.ini.sample +++ b/universe_wsgi.ini.sample @@ -497,6 +497,12 @@ # unaltered output. #sanitize_all_html = True +# By default Galaxy will serve non-HTML tool output that may potentially +# contain browser executable JavaScript content as plain text. This will for +# instance cause SVG datasets to not render properly and so may be disabled +# by setting the following option to True. +#serve_xss_vulnerable_mimetypes = False + # Debug enables access to various config options useful for development and # debugging: use_lint, use_profile, use_printdebug and use_interactive. It # also causes the files used by PBS/SGE (submission script, output, and error) Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.