From 64856d858e2afcc028d368d58c442757ac28ee51 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Mon, 23 Mar 2020 19:48:32 -0700
Subject: [PATCH] CVE-2020-10935: Fix XSS vulnerability in local link rewriting.

Make sure rewrite_local_links_to_relative does not accidentally change the meaning of links.

Signed-off-by: Anders Kaseorg
---
 zerver/lib/bugdown/__init__.py | 6 +++++-
 .../tests/fixtures/markdown_test_cases.json | 21 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/zerver/lib/bugdown/__init__.py b/zerver/lib/bugdown/__init__.py
index ce07dcb5c2..c81915b743 100644
--- a/zerver/lib/bugdown/__init__.py
+++ b/zerver/lib/bugdown/__init__.py
@@ -207,7 +207,11 @@ def rewrite_local_links_to_relative(db_data: Optional[DbData], link: str) -> str
     if db_data:
         realm_uri_prefix = db_data['realm_uri'] + "/"
-        if link.startswith(realm_uri_prefix):
+        if (
+            link.startswith(realm_uri_prefix)
+            and urllib.parse.urljoin(realm_uri_prefix, link[len(realm_uri_prefix):])
+            == link
+        ):
             return link[len(realm_uri_prefix):]
     return link
diff --git a/zerver/tests/fixtures/markdown_test_cases.json b/zerver/tests/fixtures/markdown_test_cases.json
index 6e99a04756..468654c50c 100644
--- a/zerver/tests/fixtures/markdown_test_cases.json
+++ b/zerver/tests/fixtures/markdown_test_cases.json
@@ -407,6 +407,17 @@
 "input": "[ ](https://github.com)", "expected_output": "
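Review bot: The round-trip check in the new `if (` condition validates the stripped remainder with `urllib.parse.urljoin`, which follows RFC 3986, but the shortened href is later resolved by a browser, and WHATWG URL parsing treats `\` as `/` for http(s) schemes — so if a backslash survives whatever URL sanitization runs before this function (not visible here), a link such as `http://zulip.testserver/\\evil.com/x` still round-trips under urljoin, is shortened to `\\evil.com/x`, and a browser resolves that as `//evil.com/x`, an off-realm destination the absolute form never pointed to. Consider tightening the guard with one more clause, e.g. `and "\\" not in link`, or otherwise refusing to strip when the remainder begins with `/` or `\`, so the rewrite keeps failing closed for anything a browser parses differently than Python. The multi-line condition also deserves a why-comment for the next maintainer, e.g. `# Only strip the realm prefix when the remainder resolves back to the same URL; a "javascript:" or "//host" remainder would otherwise change the link's meaning (CVE-2020-10935).` The function's signature and docstring begin above the hunk, and the test fixtures in the second file exercise only the `#narrow/` and `https://example.com` remainders.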

https://github.com

" }, + { + "name": "fragment_link", + "input": "[foo](http://zulip.testserver/#narrow/stream/1-Denmark)", + "expected_output": "

foo

", + "marked_expected_output": "

foo

" + }, + { + "name": "not_fragment_link", + "input": "[foo](http://zulip.testserver/https://example.com)", + "expected_output": "

foo

" + }, { "name": "nl2br", "input": "test\nbar", @@ -1037,6 +1048,16 @@ "

[foo](javascript:<i>\"foo&bar\"</i>)

", "" ], + [ + "http://zulip.testserver/#narrow/stream/1-Denmark", + "

http://zulip.testserver/#narrow/stream/1-Denmark

", + "" + ], + [ + "http://zulip.testserver/https://example.com", + "

%s

", + "http://zulip.testserver/https://example.com" + ], [ "a@b.com", "

%s

",