
Further XSS improvements plus a bugfix.

graf25 23 年 前
コミット
8fb3548eaa
1 ファイル変更30 行追加9 行削除
  1. 30 9
      functions/mime.php

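--- a/functions/mime.php
+++ b/functions/mime.php
@@ -1347,10 +1347,12 @@ function sq_getnxtag($body, $offset){
          * A comment or an SGML declaration.
          */
         if (substr($body, $pos+1, 2) == "--"){
-            $gt = strpos($body, "-->", $pos)+2;
+            $gt = strpos($body, "-->", $pos);
             if ($gt === false){
                 $gt = strlen($body);
-            }
+            } else {
+	        $gt += 2;
+	    }
             return Array(false, false, false, $lt, $gt);
         } else {
             $gt = sq_findnxstr($body, $pos, ">");
@@ -1759,10 +1761,14 @@ function sq_fixstyle($message, $id, $content){
     }
 
     /**
-     * Fix stupid expression: declarations which lead to vulnerabilities
+     * Fix stupid css declarations which lead to vulnerabilities
      * in IE.
      */
-    $content = preg_replace("/expression\s*:/si", "idiocy:", $content);
+    $match   = Array('/expression/si',
+		     '/behaviou*r/si',
+		     '/binding/si');
+    $replace = Array('idiocy', 'idiocy', 'idiocy');
+    $content = preg_replace($match, $replace, $content);
     return $content;
 }
 
@@ -1871,6 +1877,11 @@ function sq_sanitize($body,
     $open_tags = Array();
     $trusted = "<!-- begin sanitized html -->\n";
     $skip_content = false;
+    /**
+     * Take care of netscape's stupid javascript entities like
+     * &{alert('boo')};
+     */
+    $body = preg_replace("/&(\{.*?\};)/si", "&amp;\\1", $body);
 
     while (($curtag=sq_getnxtag($body, $curpos)) != FALSE){
         list($tagname, $attary, $tagtype, $lt, $gt) = $curtag;
@@ -2035,7 +2046,9 @@ function magicHTML($body, $id, $message){
                          "/.*/" =>
                          Array(
                                "/target/si",
-                               "/^on.*/si"
+                               "/^on.*/si",
+			       "/^dynsrc/si",
+			       "/^data.*/si"
                                )
                          );
 
@@ -2047,22 +2060,30 @@ function magicHTML($body, $id, $message){
                     Array(
                           Array(
                                 "|^([\'\"])\s*\.\./.*([\'\"])|si",
-                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si"
+                                "/^([\'\"])\s*\S+script\s*:.*([\'\"])/si",
+				"/^([\'\"])\s*mocha\s*:*(.*)([\'\"])/si",
+				"/^([\'\"])\s*about\s*:(.*)([\'\"])/si"
                                 ),
                           Array(
                                 "\\1$secremoveimg\\2",
-                                "\\1$secremoveimg\\2"
+                                "\\1$secremoveimg\\2",
+				"\\1$secremoveimg\\2",
+				"\\1$secremoveimg\\2"
                                 )
                         ),
                 "/^style/si" =>
                     Array(
                           Array(
-                                "/expression\s*:/si",
+                                "/expression/si",
+				"/binding/si",
+				"/behaviou*r/si",
                                 "|url\(([\'\"])\s*\.\./.*([\'\"])\)|si",
                                 "/url\(([\'\"])\s*\S+script:.*([\'\"])\)/si"
                                ),
                           Array(
-                                "idiocy:",
+                                "idiocy",
+				"idiocy",
+				"idiocy",
                                 "url(\\1$secremoveimg\\2)",
                                 "url(\\1$secremoveimg\\2)"
                                )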
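Review bot: The two new URL patterns for `mocha:` and `about:` capture three groups — the opening quote, `(.*)` and the closing quote — but their replacement `\\1$secremoveimg\\2` was copied from the two-group patterns above it, so `\\2` re-inserts the original URL payload instead of the closing quote and the attribute value is left unterminated (`"about:blank"` becomes `"` + `$secremoveimg` + `blank` with no closing quote). Drop the middle capture so the back-references line up with the sibling patterns: `"/^([\'\"])\s*mocha\s*:*.*([\'\"])/si"` and `"/^([\'\"])\s*about\s*:.*([\'\"])/si"`. Separately, `\s*\S+script\s*:` only matches a contiguous scheme name, so a value like `java\tscript:` (whitespace inside the scheme, which IE of that era reportedly tolerated) slips past; stripping whitespace and control characters from the value before these checks would close that gap. The `/expression/`, `/binding/` and `/behaviou*r/` style patterns likewise match only the literal token, so a CSS comment or `\NN` escape inside the word (`exp/**/ression`) passes unless the style value is normalised first. The enclosing `magicHTML` array literal starts before and continues past this hunk.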