Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add parameters parsing for cssfixme #847

Closed
karlcow opened this issue Dec 10, 2015 · 15 comments
Closed

Add parameters parsing for cssfixme #847

karlcow opened this issue Dec 10, 2015 · 15 comments
Assignees

Comments

@karlcow
Copy link
Member

karlcow commented Dec 10, 2015

/cssfixme.php?url=http%3A%2F%2Fhallvord.com%2Ftemp%2Fmoz%2FcompatTesterTesting%2Fstyle.css

should be able to inject the CSS stylesheets inside the textarea.

Be careful with security issues.

Depends on #12

@magsout
Copy link
Member

magsout commented Dec 10, 2015

it is possible to explain this issue? ❤️

@miketaylr
Copy link
Member

@magsout we're moving http://hallvord.com/temp/moz/cssfixme.php to webcompat.com/tools/cssfixme (it's a tool to add standards/unprefixed CSS to -webkit-prefix only code).

One of the features is that you can give it a URL via a get param, and it will automatically fetch that and put it in the tool for you -- that's what this bug is for.

@hallvors hallvors self-assigned this Dec 10, 2015
@hallvors
Copy link
Contributor

hallvors pushed a commit that referenced this issue Dec 17, 2015
miketaylr pushed a commit that referenced this issue Dec 17, 2015
Handle ?url query string for css-fixme, #847
@karlcow
Copy link
Member Author

karlcow commented Dec 18, 2015

Let's not deploy this for now. There are some security/usability issues with the code. I found new ones.

@karlcow
Copy link
Member Author

karlcow commented Dec 18, 2015

@miketaylr
Copy link
Member

Let's not deploy this for now. There are some security/usability issues with the code. I found new ones.

It's too late, we already deployed. I'm going to disable it on master now. @karlcow, please file new issues.

@miketaylr
Copy link
Member

Actually, no need for new issues @karlcow. This is the right place.

@miketaylr
Copy link
Member

OK, fix deployed. I'm not even sure this feature is worth the trouble, given its ability to take down our server if we don't do it correctly:

2015/12/18 01:13:54 [error] 4971#0: *REDACTED upstream timed out (110: Connection timed out) while reading response header from upstream, client: REDACTED, server: webcompat.com, request: "GET /tools/cssfixme?url=http://127.0.0.1 HTTP/1.1", upstream: REDACTED, host: "webcompat.com"

@karlcow
Copy link
Member Author

karlcow commented Dec 18, 2015

Thanks! @miketaylr

@miketaylr
Copy link
Member

I'm inclined to close this as WONTFIX, given that it's some nice sugar on top of the core functionality that is working. We have a lot of other features to worry about, that (in theory) don't have the same potential for dangerous security implications.

I'm not even sure we should host https://github.com/webcompat/css-fixme/blob/master/cssfixme.php in our org's repo. It's just not safe code as-is. :(

@karlcow
Copy link
Member Author

karlcow commented Dec 18, 2015

Agreed with @miketaylr

I propose in the meantime, we close that feature.
If one day, we have a rock solid implementation/idea for it, we can still reopen. Too many unknowns for now. This includes.

  • verify the URI exist
  • verify it sends back a 200
  • verify text/css content-type
  • verify it's not a private ip and/or local server address
  • verify it's a CSS
  • and probably a couple of others.

@miketaylr
Copy link
Member

Filed webcompat/css-fixme#16 which is related.

@miketaylr
Copy link
Member

OK, let's close for now.

@hallvors
Copy link
Contributor

:(
It is a useful thing to be able to send links to webmasters that show their code already fixed. Oh well.. Too many issues. I'll consider other ways to do something..

@miketaylr
Copy link
Member

@hallvors we can re-open (and re-add the feature) in the future, as long as we get security right.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants