Project

General

Profile

Actions

Bug #102447

closed

Prevent information disclosure from Only Office by copy-paste of text with "docData;DOCY" blobs in RTE / ckeditor

Added by Sybille Peters about 1 year ago. Updated 5 months ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
RTE (rtehtmlarea + ckeditor)
Target version:
-
Start date:
2023-11-22
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
docData, RTE, ckeditor, onlyoffice, information disclosure, data protection
Complexity:
Is Regression:
Sprint Focus:

Description

This seems to be already fixed in ckeditor: https://github.com/ckeditor/ckeditor5/issues/14947

We have found blobs in the class attributes of HTML elements on some pages. These blobs seem to contain metadata from the document from which the content was copied. If you take the blob and decode it with base64 and encode the result as 'utf-16' you can read some text fragments. These fragments can contain chat, comments or parts of the onlyoffice document, which would result in a leak of data.

However I am not sure which version and which versions of ckeditor and TYPO3 will have this fix.

Perhaps it is also possible to remove these when the CE is saved by default (RTE post-processing) to also remove already existing ones.

This is a problem because:

  • sensitive information might get accidentally disclosed (unfortunately often editors are not even aware what they are copy-pasting into the RTE).
  • it bloats up the DB tables which is unnecessary and might have a performance / storage usage impact (in extreme cases)
  • it clutters up the visible history (sys_history view in BE)

I have seen this in our site which uses latest TYPO3 v11.

Actions #1

Updated by Georg Ringer 5 months ago

  • Status changed from New to Needs Feedback

hey,

i just tested that in v13 and after paste and also after save only the content is there. I can't reproduce this inside typo3 , only on the demo site.

Actions #2

Updated by Sybille Peters 5 months ago

  • Tracker changed from Feature to Bug
  • Status changed from Needs Feedback to New
  • Tags changed from docData, RTE, ckeditor, onlyoffice, information leak to docData, RTE, ckeditor, onlyoffice, information disclosure, data protection
  • TYPO3 Version set to 11

Retesting this now.

Summary : could reproduce with v11, not with v12 and v13.

I used the following snippet which existed in our site: (this snippet is harmless and does not disclose information, but I could find or construct others which might).

<p class="docData;DOCY;v5;1046;BQiAAgAAEYQCAAAGiAIAAAM1AwAABUMDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqQAAAACkAAAAARgAAAABBgAAAAAJBgAAAAAaBgAAAAAbBgAAAAACggAAAAVfAAAAAQAAAAAIVQAAAABQAAAASABlAHUAdABlACAAdwBpAGUAIABkAGEAbQBhAGwAcwA6ACAAbQBlAGgAcgAgAEQAZQBtAG8AawByAGEAdABpAGUAIAB3AGEAZwBlAG4AIQAFCgAAAAEAAAAACAAAAAAFCgAAAAEAAAAACAAAAAAKAAAAAAAAAAARAAAAAM8AAAAAEgAAAAEGAAAAAAkGAAAAABsGAAAAAAGuAAAABAYeAAAAVABpAG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4ABQYeAAAAVABpAG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4ABwYeAAAAVABpAG0AZQBzACAATgBlAHcAIABSAG8AbQBhAG4AKgEHEwEBCAQYAAAAFgQYAAAAGQYKAAAAZABlAC0ARABFABoGCgAAAGEAcgAtAFMAQQAbBgoAAABlAG4ALQBVAFMAAgAAAAA=">
Text!</p>

This contains a base64 string with length of 1418. Decoded this is something like this (I did not bother to attempt to figure out which character encoding, so some characters here are bogus:

original string:

���5C©¤�_UPHeute wie damals: mehr Demokratie wagen!�®Times New RomanTimes New RomanTimes New Roman*de-DEar-SAen-US

Reproduce:

1. In an RTE field (in "Text & Media" bodytext), I switched to source code
2. I pasted the snippet
3. I saved the content element
4. I checked if the docData still existed

  • in v11: this snippet still exists after saving or swiching modes
  • in v12: is stripped: good!
  • in v13: is stripped: good!

After being stripped, it looks like this:

<p>
    Text!
</p>

The text is already stripped away if switching back to "normal" mode and then back to "source code" view.

I assume it is strongly ckeditor related.

CC @Georg Ringer Georg Ringer

Actions #3

Updated by Georg Ringer 5 months ago

  • Status changed from New to Closed

as it is fine with 12+13 and we won't start fiddling around with ckeditor4 again, I am closing this issue. thanks for your feedback!

Actions

Also available in: Atom PDF