Bug #102447
closed
Prevent information disclosure from Only Office by copy-paste of text with "docData;DOCY" blobs in RTE / ckeditor
Description
This seems to be already fixed in ckeditor: https://github.com/ckeditor/ckeditor5/issues/14947
We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.
However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.
Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.
This is a problem because:
- sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).
- it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)
- it clutters up the visible history (sys_history view in BE)
I have seen this in our site which uses latest TYPO3 v11.
Updated by Georg Ringer 5 months ago
- Status changed from New to Needs Feedback
hey,
I just tested that in v13 and after paste and also after save only the content is there. I can't reproduce this inside TYPO3, only on the demo site.
Updated by Sybille Peters 5 months ago
- Tracker changed from Feature to Bug
- Status changed from Needs Feedback to New
- Tags changed from docData, RTE, ckeditor, onlyoffice, information leak to docData, RTE, ckeditor, onlyoffice, information disclosure, data protection
- TYPO3 Version set to 11
Retesting this now.
Summary: could reproduce with v11, not with v12 and v13.
I used the following snippet which existed in our site: (this snippet is harmless and does not disclose information, but I could find or construct others which might).
<p class="docData;DOCY;v5;1046;BQiAAgAAEYQCAAAGiAIAAAM1AwAABUMDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqQAAAACkAAAAARgAAAABBgAAAAAJBgAAAAAaBgAAAAAbBgAAAAACggAAAAVfAAAAAQAAAAAIVQAAAABQAAAASABlAHUAdABlACAAdwBpAGUAIABkAGEAbQBhAGwAcwA6ACAAbQBlAGgAcgAgAEQAZQBtAG8AawByAGEAdABpAGUAIAB3AGEAZwBlAG4AIQAFCgAAAAEAAAAACAAAAAAFCgAAAAEAAAAACAAAAAAKAAAAAAAAAAARAAAAAM8AAAAAEgAAAAEGAAAAAAkGAAAAABsGAAAAAAGuAAAABAYeAAAAVABpAG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4ABQYeAAAAVABpAG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4ABwYeAAAAVABpAG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4AKgEHEwEBCAQYAAAAFgQYAAAAGQYKAAAAZABlAC0ARABFABoGCgAAAGEAcgAtAFMAQQAbBgoAAABlAG4ALQBVAFMAAgAAAAA=">
Text!</p>
This contains a base64 string with length of 1418. Decoded this is something like this (I did not bother to attempt to figure out which character encoding, so some characters here are bogus):
original string:
���5C©¤�_UPHeute wie damals: mehr Demokratie wagen!�®Times New RomanTimes New RomanTimes New Roman*de-DEar-SAen-US
Reproduce:
1. In an RTE field (in "Text & Media" bodytext), I switched to source code
2. I pasted the snippet
3. I saved the content element
4. I checked if the docData still existed
- in v11: this snippet still exists after saving or switching modes
- in v12: is stripped: good!
- in v13: is stripped: good!
After being stripped, it looks like this:
<p> Text! </p>
The text is already stripped away if switching back to "normal" mode and then back to "source code" view.
I assume it is strongly ckeditor related.
CC @Georg Ringer
Updated by Georg Ringer 5 months ago
- Status changed from New to Closed
As it is fine with 12+13 and we won't start fiddling around with ckeditor4 again, I am closing this issue. Thanks for your feedback!
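An audit-and-strip pass of the kind the description suggests for RTE post-processing, as an added example that is not TYPO3 or CKEditor code: it finds `docData;DOCY` tokens in the class attributes of stored HTML, lists the readable UTF-16LE fragments each blob carries, and removes the token. The sample blob, the names `scrub` and `leaked_text`, and the four-character minimum run length are assumptions made for this example.

```python
import base64
import re

MARK = "docData;DOCY;"  # token prefix seen in the class attribute on this page
CLASS_RE = re.compile(r'''\sclass=(["'])(.*?)\1''', re.S)
# Runs of 4+ printable characters stored as UTF-16LE (low byte, then 0x00).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e\xa0-\xff]\x00){4,}")


def leaked_text(token):
    """Return the readable UTF-16LE fragments carried by one docData token."""
    b64 = token.rsplit(";", 1)[-1]
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:  # not valid base64: nothing to report, token is still stripped
        return []
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(raw)]


def scrub(html):
    """Remove docData tokens from class attributes.

    Returns (clean_html, fragments) so the fragments can be reviewed.
    """
    found = []

    def fix(match):
        keep = []
        for tok in match.group(2).split():
            if tok.startswith(MARK):
                found.extend(leaked_text(tok))
            else:
                keep.append(tok)  # ordinary CSS classes are preserved
        return f' class="{" ".join(keep)}"' if keep else ""

    return CLASS_RE.sub(fix, html), found


# Constructed sample: 4 binary bytes, a UTF-16LE note, 4 more binary bytes.
_raw = b"\x05\x08\x80\x02" + "Draft: do not publish".encode("utf-16-le") + b"\x00\x05\n\x00"
SAMPLE = (f'<p class="{MARK}v5;42;{base64.b64encode(_raw).decode()}">Text!</p>'
          '<p class="lead">ok</p>')

if __name__ == "__main__":
    clean, fragments = scrub(SAMPLE)
    print(clean)
    print(fragments)
```

Run over exported RTE field values, the returned fragments show what each stored blob would have disclosed before the token is removed.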