allow <img onload=...>

html4 only defines the onload= attribute for a few elements.
html5 defines onload= for all elements.

in particular, <img onload=...> is useful and supported
by most browsers.

this change defines *::ONLOAD and adds it to the whitelist.

[MikeSamuel, 2009-09-10 16:59:27]

http://codereview.appspot.com/115084/diff/1/2
File src/com/google/caja/lang/html/html4-attributes-extensions-defs.json
(right):

http://codereview.appspot.com/115084/diff/1/2#newcode16
Line 16: ],
The javascript port scanner at
http://www.securiteam.com/exploits/5DP010KJFE.html uses both img.onerror and
img.onload.  Does this addition enable port scanning, or is onerror required?

[felix8a, 2009-09-10 19:51:21]

On 2009/09/10 16:59:27, MikeSamuel wrote:
> http://codereview.appspot.com/115084/diff/1/2
> File src/com/google/caja/lang/html/html4-attributes-extensions-defs.json
> (right):
> 
> http://codereview.appspot.com/115084/diff/1/2#newcode16
> Line 16: ],
> The javascript port scanner at
> http://www.securiteam.com/exploits/5DP010KJFE.html uses both img.onerror and
> img.onload.  Does this addition enable port scanning, or is onerror required?

hm.   for that port scanning technique, it's the onerror handler that's
important, because most of the urls tried will not return a valid img.  if the
onerror fires before the timeout, then it's either connection succeeded or
connection refused.  if the timeout happens, then the SYN got lost or dropped,
or the server is slow or dead.

I don't see any particular way onload helps you with portscanning.

I suspect the real issue is construction of urls with arbitrary ports, like it
might be possible to do portscanning without onerror or onload by using some
other detectable condition when the browser tries to load a url, but I haven't
thought of anything yet.  but if there is a method, then the place to fix it
would be the url policy.

[MikeSamuel, 2009-09-10 20:08:28]

I was using the term "port scanning" incorrectly.  I meant any kind of local
network probing.

The linked code does use onload:
  img.onload = img.onerror;
I think it just assumes that if an image request returns more quickly than some
standard timeout, then there is an endpoint there.

I think you're right though about custom ports.  A policy implementor can
either:
  (1) Use a proxy that responds the same way to a non-existant endpoint as to
one without servable resources.
  (2) Whitelist hosts and disallow non-standard ports.

Should we allow this, and add a note to the UrlPolicy wiki page about the above
two conditions?

[felix8a, 2009-09-10 20:19:38]

> The linked code does use onload:
>   img.onload = img.onerror;
> I think it just assumes that if an image request returns more quickly than
some
> standard timeout, then there is an endpoint there.

yeah, but the browser only fires the onload if the returned resource is a valid
img, and most probes are not going to be valid imgs.  I suppose you could use
onload to exhaustively search for valid image urls, but I haven't thought of a
way for that to be useful.

> I think you're right though about custom ports.  A policy implementor can
> either:
>   (1) Use a proxy that responds the same way to a non-existant endpoint as to
> one without servable resources.
>   (2) Whitelist hosts and disallow non-standard ports.
> 
> Should we allow this, and add a note to the UrlPolicy wiki page about the
above
> two conditions?

sounds good to me.

[MikeSamuel, 2009-09-10 20:20:57]

LGTM

[felix8a, 2009-09-10 20:56:37]

On 2009/09/10 20:20:57, MikeSamuel wrote:
> LGTM

@r3721

[felix8a, 2009-09-10 20:56:37]

On 2009/09/10 20:20:57, MikeSamuel wrote:
> LGTM

@r3721