
GHSA-qp29-wcc2-vmpc: Silverstripe HtmlEditor embed url sanitisation

May 23, 2024

“Add from URL” doesn’t clearly sanitise URL server side

HtmlEditorField_Toolbar has an action, HtmlEditorField_Toolbar#viewfile, which the CMS calls when adding media “from a URL” (i.e. via oEmbed).

This action reads the URL to add from the GET parameter FileURL but performs no server-side URL sanitising. The current logic passes the value straight through to Oembed, which will probably reject most dangerous URLs, but future changes could break that.
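As an added example (this is not SilverStripe's own code, and not the fix shipped in 3.2.1), the block below shows the kind of server-side check a viewfile-style handler can apply to the FileURL parameter before handing it to the oEmbed lookup, so that the safety of the feature does not rest on what Oembed happens to reject. The helper name validateEmbedUrl and the provider host allowlist are assumptions:

```php
<?php
// Added example, not SilverStripe's own code. Validates an embed source URL
// server side: syntactically valid, http(s) only, no embedded credentials,
// and a host drawn from an explicit allowlist of oEmbed providers.
// The allowlist is an assumed configuration value.
function validateEmbedUrl(string $url, array $allowedHosts): ?string
{
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }

    // Only plain web schemes; this excludes file:, javascript:, data: and the like.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Embedded credentials (user:pass@host) are rejected outright; they are
    // never needed for a public embed and only complicate host matching.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // Host must match an allowlisted provider exactly (case-insensitive).
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }

    return $url;
}

// Constructed usage: how a viewfile-style handler would consume the parameter.
// $_GET['FileURL'] mirrors the request parameter named in the advisory.
$allowedHosts = ['www.youtube.com', 'youtube.com', 'vimeo.com']; // assumed config
$fileUrl      = (string) ($_GET['FileURL'] ?? '');

$safeUrl = validateEmbedUrl($fileUrl, $allowedHosts);
if ($safeUrl === null) {
    http_response_code(400);
    exit('Invalid or disallowed embed URL');
}

// Only the validated value, never the raw parameter, is passed on to the
// oEmbed lookup (call site elided; it depends on the application's embed service).
```

The allowlist is the part that does the real work: scheme and credential checks stop the obviously hostile inputs, but restricting hosts to known providers is what keeps the endpoint from becoming a general-purpose fetcher if the downstream embed code changes later, which is exactly the concern the advisory raises.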

References

  • github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2015-027-1.yaml
  • github.com/advisories/GHSA-qp29-wcc2-vmpc
  • github.com/silverstripe/silverstripe-framework
  • www.silverstripe.org/download/security-releases/ss-2015-027


Affected versions

All versions starting from 3.0.0 before 3.2.1

Fixed versions

  • 3.2.1

Solution

Upgrade to version 3.2.1 or above.

Impact: 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Source file

packagist/silverstripe/framework/GHSA-qp29-wcc2-vmpc.yml


Page generated Wed, 14 May 2025 12:15:08 +0000.