Warning if still using passQueryParameters:true

Hi,

Warning: if you are still using passQueryParameters:true in the html file, it is highly recommended to either change it to passQueryParameters:false or to update to the latest krpano versions!

This feature was originally be added in the Flashplayer times (as a replacement for SWFaddress) to allow 'deep linking' (e.g. generating URLs that link to specific scenes and views), but it didn't restrict or filter the values that were passed and therefore could also be abused for Cross-site-scripting (XSS).

The passQueryParameters setting was always disabled by default in the viewer itself, but in the default build templates was it enabled.

To avoid potential cross-site-scripting, in krpano 1.20.10 (build 2021-09-26) the default templates and the vtourskin.xml were updated to support using a custom and safe list of parameters. This way any cross-site-scripting was blocked and deep-linking still be possible.

From there on, with the changed default templates, the new built tours were secure, but support for passQueryParameters:true was still kept for compatibility with older projects (and for Panotour Pro), since to keep deep-linking support also the xml files would had to be updated (how depends how the deep-linking was used in detail).

Unfortunately there are still many old panos and tours out there (sometimes also newer ones) where passQueryParameters:true is still enabled. Therefore please check in your tours the html file for this setting and change it to false. The only possible downside would be loosing the deep-linking support, which normally shouldn't be critical.

And to avoid this problem at all in future, there are new krpano releases:
krpano 1.22.4 (build 2025-02-28) and
krpano 1.20.12 (build 2025-02-28) for compatibility and older-license cases.

In these both versions the support for passQueryParameters:true have been removed and the use of the allowed parameters be secured.

That means please either check and change the setting or update to the latest versions!

Sorry for this inconvenience and best regards,
Klaus

Hi,

only passQueryParameters:true would need to be changed!

The startscene and startlookat are fully safe parameters that will be used by the vtourskin.xml for the deeplinking.
That means you can keep your code as it was.

Mainly only very old tours and tours created with Panotour were using passQueryParameters:true. And these should be updated or that setting be changed.

Note - when updating to 1.22.4 it wouldn't matter what setting is set, then it will be automatically safe and secure.

Best regards,
Klaus

Quote from pur

In the /viewer folder and subfolders I keep all krpano and my code, plugins, skin, i18n (global), obj360.
This allows me to upgrade krpano and code on one place.

That's already a good structure! This way adjustments only need to be made once.

Quote from pur

n the /pano/... subfolder of one pano has simple index.html with <meta> tag, xml and pano image files.
<meta http-equiv="refresh" content="0; url=/viewer/krpano.html?xml=/pano/Art-Galeria/VAVROVA_2024/tour.xml" />

Now the krpano 1.22.4 (build 2025-02-28) does not work for me, neither the passQueryParameters settings because of documentation:
URLs for the xml parameter (if allowed) are limited to be within the current folder structure. What about subfolders?

There is actually a simple solution, just take the xml parameter from the query manually and pass it to the embedpano call, e.g.

embedpano({xml:(new URLSearchParams(document.location.search)).get("xml"), ...});

This way the responsibility that someone would uses urls with a xml parameter pointing anywhere else is on you. But as long as the sameorigin setting is still enabled (to avoid loading files from other servers) and no user is able to upload xml files on your server, this should be safe (except for Data-URLs, see below).

For more security do additionally checking, e.g. like here to filter out Data-URLs:

var xml = (new URLSearchParams(document.location.search)).get("xml");

// here check for the value of xml, e.g. filter out Data-URLs:
if (String(xml).toLowerCase().indexOf("data:") >= 0) xml = null;

embedpano({xml:xml, ...});

Note - the "xml" parameter need to be removed from the passQueryParameters string for this to work.

Quote from indexofrefraction

but this still needs the clients to access the krpano site via an untrusted other site containing the manipulated link/url

Right, and it seems this was done to manipulate the Google search results - placing such links somewhere (would be interesting where?) that Google finds them... It's also a Google failure, not every link anywhere must be a 'appropriate' one...

Quote from pur

Now, when the 1.22.4 is working with me, I can go for my obj360 issue:

Please use a separate thread for that.

Quote from TP24

I am still using Panotour to build my tours as everything has worked great (with some minor xml tweaks after build). I've been using 1.20.11 to accommodate some plugins that weren't guaranteed to work past that version.

Note there is also a new 1.20.12 version - that's basically the same as 1.20.11, but with support for passQueryParameter=true removed and additional checks for the other parameters (if they are allowed).

Quote from TP24

That being said, many of my tours were hijacked by this attack. Looking at the index.html file, I see the fatal "passQueryParameters:true" line. If I simply change that to "false", I should be in the clear?

Yes, just setting to false makes it already fully safe.

Quote from TP24

But that brings me to another issue. I use a LOT of deeplinking since my tours are pretty large. Is there any other way to link directly to a pano?

Yes, there are many ways, instead of allowing all kind of parameter to pass, always only a few safe ones. Safe means these parameters will be not executable.

E.g. just: passQueryParameters="startscene" could be enough, but it general depends how the deeplinking parameter evaluation is implemented in the tour.

I don't know how deeplinking is typically used in Panotour, but when looking at this Panotour plugin here:
Panotour - Notions - Deep Linking - Autopano

then using:
passQueryParameters="startscene,s,h,v,skipintro,norotation,tour_soundson,tour_displaythumbnails,tour_language,vr,starttime"

might be an option to keep all fully working.

Or maybe better to be more secure use only:
passQueryParameters="startscene,s,h,v"

as I don't known how the other parameters were evaluated there.

If someone has a Panotour built tour with deep-linking, please post it, then it's deep-linking code could be analyzed and maybe slightly be modified to made more secure.

Best regards,
Klaus

Hi,

Thanks for the example - that looks quite good.

This is the deep-linking evaluation code from that example, it takes the startscene,s,h,v,f variables from passQueryParameter and then only uses them as parameters for loadscene and lookat calls:

<action name="startup">

    if (s !== null, if (startscene === null OR startscene === "undefined", set(startscene, get(s));); );
    if (startscene === null OR startscene === "undefined",
      set(startscene, pano48340);
    );
    if(startlanguage !== null AND startlanguage !== "undefined",
      set(tour_language, get(startlanguage));
    );
    if(starttime !== null AND starttime !== "undefined" AND starttime GT 0,
      set(videoscenestarttime, get(starttime));
    ,
      set(videoscenestarttime, 0);
    );
    mainloadsceneStartup(get(startscene));
    if (h !== null,
      if (v !== null,
        if (f !== null,
          lookat(get(h), get(v), get(f));
         ,
          lookat(get(h), get(v));
        );
      ,
        if (f !== null,
          lookat(get(h), get(view.vlookat), get(f));
         ,
          lookat(get(h), get(view.vlookat));
        );
      );
    ,
      if (v !== null,
        if (f !== null,
          lookat(get(view.hlookat), get(v), get(f));
         ,
          lookat(get(view.hlookat), get(v));
        );
      ,
        if (f !== null,
          lookat(get(view.hlookat), get(view.vlookat), get(f));
        );
      );
    );
  </action>

That means with this passQueryParameters setting it would be safe and deep-linking would also work:

passQueryParameters="startscene,s,h,f"

But - there is a small but - during checking now I just found that there would be still a theoretical way to inject unwanted code (only with passQueryParameter enabled), especially in version 1.20.12, version 1.22.4 is already more secure here. I will update both versions now (should be ready today), then this will be also fixed and no possibilities be left.

That means either use passQueryParamters=false (safe in all versions) or version 1.20.12 or 1.22.4 with a safe list of parameters for passQueryParamters.

Best regards,
Klaus

Hi,

using the String "false" was always wrong, but will be also evaluated/interpreted as false.

Using passQueryParameters:0 is the same as passQueryParameters:false but for readability I would recommend using false.

Best regards,
Klaus