Mattermost-server: KaTeX corrupts Webapp for incorrect syntax

Created on 4 Mar 2018  路  11Comments  路  Source: mattermost/mattermost-server

Details have been omitted by the project administrator due to the nature of this issue, and transferred to an internal JIRA ticket.

https://mattermost.atlassian.net/browse/MM-9718

A fix has been released in Mattermost v4.7.3.

picture enuit

Most helpful comment

Hi, I'm investigating it. Looks like a problem with Katex. We are using throwOnError: false option, so It shouldn't raise a ParseError.

An example to make it fail is:

var katex = require('katex');
katex.renderToString('a_{x', {throwOnError: false, displayMode: true})

I going to read a bit of Katex code to try to find the problem.

picture jespino on 5 Mar 2018
👍4

All 11 comments

Details have been omitted by the project administrator due to the nature of this issue, and transferred to an internal JIRA ticket.

https://mattermost.atlassian.net/browse/MM-9718

A fix has been released in Mattermost v4.7.3.

octomike picture octomike on 5 Mar 2018

Details have been omitted by the project administrator due to the nature of this issue, and transferred to an internal JIRA ticket.

https://mattermost.atlassian.net/browse/MM-9718

A fix has been released in Mattermost v4.7.3.

enuit picture enuit on 5 Mar 2018

Hi, I'm investigating it. Looks like a problem with Katex. We are using throwOnError: false option, so It shouldn't raise a ParseError.

An example to make it fail is:

var katex = require('katex');
katex.renderToString('a_{x', {throwOnError: false, displayMode: true})

I going to read a bit of Katex code to try to find the problem.

jespino picture jespino on 5 Mar 2018
👍4

After investigating a bit, looks like throwOnError is a confusing name, because only handle certain cases. Looks like we have to handle that kind of parse errors.

jespino picture jespino on 5 Mar 2018
👍1

Thanks @jespino !

lindy65 picture lindy65 on 6 Mar 2018

Any recommendations for a quick fix?

octomike picture octomike on 7 Mar 2018

@octomike The workaround would be, go to any channel (without latex text on it), go to your user settings > Advanced > Enable post formating, and disable it. Go to the channel with the bad formated latex, fix it (or delete the entire message). Then, back to your account settings, and re-enable the post formating.

jespino picture jespino on 7 Mar 2018
👍2

As the PR to fix this has been merged, I'll close off this issue here for now.

lindy65 picture lindy65 on 8 Mar 2018

Hello @enuit,

Thank you for reporting this issue!

We have included a fix for this issue you discovered in our 4.7.3 release, and would like to recognize you in our security research hall of fame and our upcoming security update email, which acknowledge those who help discover security issues.

We would also love to send you a Mattermost mug as a thank you. If you're interested, you can sign up to our public Mattermost instance at http://pre-release.mattermost.com/, and I can direct message you for contact details. Just let me know your username here if you've signed up.

amyblais picture amyblais on 9 Mar 2018

Hey,
that would both be great.
My username in the chat is also enuit :)

enuit picture enuit on 10 Mar 2018

Thanks @enuit,

I've direct messaged you on http://pre-release.mattermost.com/ 馃憤

lindy65 picture lindy65 on 12 Mar 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

demedos picture demedos  路  37Comments
freswa picture freswa  路  34Comments
jasonblais picture jasonblais  路  53Comments
esethna picture esethna  路  32Comments
esethna picture esethna  路  59Comments