A clever user on our development site figured out that he could put [img url=http://example.com/logout] as the tag. This causes the output of an <img> tag, which in turn logs the user out of the site. This is not very dangerous in and of itself, but it would allow a user to essentially cause a "get" on whatever URL is specified. I realize this is more an issue with allowing <img> tags to be output, but is there any sort of syntax or URL checking that could be done to ensure it is a valid image?

Comments

naudefj

Priority: Normal » Critical

Would it help if we check that the image URL ends in JPG, PNG or GIF?

jrbeeman

I don't think it would... consider the following tag, for example:
[img url=http://example.com/logout?hack=.jpg]

I'm really not sure there's a good way around this aside from implementing a broader request which would be allowing admins to control which bbcode tags are permitted, like how the HTML input filter works in Drupal core. The workaround, of course, is to disallow image tags in an HTML filter that comes after the bbcode filter, but this is somewhat confusing for users.

Unfortunately, I'm not sure there's anything to be done about it... or maybe it'll just take smarter folks than me to come up with it.
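The two checks discussed above, side by side, as an added example that is not part of this thread or of the bbcode module: the extension-only check naudefj proposed, which the `?hack=.jpg` tag passes, and a stricter check that only renders an <img> tag when the URL points at an allowlisted image host with an image-file path and no query string. The allowlist hosts (`example.org`, `images.example.org`) and the `[img url=...]` syntax handled by the regex are assumptions for the example; the filter is written in Python rather than PHP purely to illustrate the logic. Anything that fails the check is shown as escaped text instead of being turned into a request the reader's browser will make.

```python
import html
import re
from urllib.parse import urlparse

# Constructed policy for this example: the site's own image hosts.
ALLOWED_IMAGE_HOSTS = {"example.org", "images.example.org"}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

# Hypothetical bbcode syntax from the thread: [img url=...]
IMG_TAG_RE = re.compile(r"\[img url=([^\]\s]+)\]")


def extension_check_only(url):
    """The check suggested in the thread: does the URL end in an image extension?

    A query string such as ?hack=.jpg satisfies this, so it does not prevent
    the tag from triggering a GET to an arbitrary URL.
    """
    return url.lower().endswith(IMAGE_EXTENSIONS)


def is_allowed_image_url(url):
    """Stricter check: http(s), allowlisted host, image-file path, no query/fragment."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    if parsed.hostname is None or parsed.hostname not in ALLOWED_IMAGE_HOSTS:
        return False
    # The extension must be on the path itself; a query string cannot rescue it.
    if parsed.query or parsed.fragment:
        return False
    return parsed.path.lower().endswith(IMAGE_EXTENSIONS)


def render_img_tags(text):
    """Replace [img url=...] with an <img> tag only when the URL passes the policy.

    Rejected tags are echoed back HTML-escaped so the browser makes no request.
    """
    def replace(match):
        url = match.group(1)
        if is_allowed_image_url(url):
            return '<img src="%s" />' % html.escape(url, quote=True)
        return html.escape(match.group(0))

    return IMG_TAG_RE.sub(replace, text)


if __name__ == "__main__":
    for sample in ("http://example.com/logout?hack=.jpg",
                   "https://images.example.org/photo.png"):
        print(sample, extension_check_only(sample), is_allowed_image_url(sample))
    print(render_img_tags("[img url=http://example.com/logout]"))
```

The host allowlist addresses the symptom raised in this issue (user content causing GETs to arbitrary hosts); the logout link being reachable by a plain GET is a separate problem on the target site's side, which an image filter cannot fix.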

naudefj

Status: Active » Closed (works as designed)