Fixed XSS vulnerability relating to rewrite_hash

This commit is contained in:
Christopher Pitt 2015-03-20 18:17:51 +13:00 committed by Damian Mooyman
parent 11521fb92d
commit bdef4fc7a5
4 changed files with 30 additions and 9 deletions

View File

@ -909,7 +909,9 @@ after')
public function testRewriteHashlinks() { public function testRewriteHashlinks() {
$oldRewriteHashLinks = SSViewer::getOption('rewriteHashlinks'); $oldRewriteHashLinks = SSViewer::getOption('rewriteHashlinks');
SSViewer::setOption('rewriteHashlinks', true); SSViewer::setOption('rewriteHashlinks', true);
$_SERVER['REQUEST_URI'] = 'http://path/to/file?foo"onclick="alert(\'xss\')""';
// Emulate SSViewer::process() // Emulate SSViewer::process()
$base = Convert::raw2att($_SERVER['REQUEST_URI']); $base = Convert::raw2att($_SERVER['REQUEST_URI']);
@ -920,23 +922,40 @@ after')
<html> <html>
<head><% base_tag %></head> <head><% base_tag %></head>
<body> <body>
<a class="external-inline" href="http://google.com#anchor">ExternalInlineLink</a>
$ExternalInsertedLink
<a class="inline" href="#anchor">InlineLink</a> <a class="inline" href="#anchor">InlineLink</a>
$InsertedLink $InsertedLink
<svg><use xlink:href="#sprite"></use></svg>
<body> <body>
</html>'); </html>');
$tmpl = new SSViewer($tmplFile); $tmpl = new SSViewer($tmplFile);
$obj = new ViewableData(); $obj = new ViewableData();
$obj->InsertedLink = '<a class="inserted" href="#anchor">InsertedLink</a>'; $obj->InsertedLink = '<a class="inserted" href="#anchor">InsertedLink</a>';
$obj->ExternalInsertedLink = '<a class="external-inserted" href="http://google.com#anchor">ExternalInsertedLink</a>';
$result = $tmpl->process($obj); $result = $tmpl->process($obj);
$this->assertContains( $this->assertContains(
'<a class="inserted" href="' . $base . '#anchor">InsertedLink</a>', '<a class="inserted" href="' . $base . '#anchor">InsertedLink</a>',
$result $result
); );
$this->assertContains(
'<a class="external-inserted" href="http://google.com#anchor">ExternalInsertedLink</a>',
$result
);
$this->assertContains( $this->assertContains(
'<a class="inline" href="' . $base . '#anchor">InlineLink</a>', '<a class="inline" href="' . $base . '#anchor">InlineLink</a>',
$result $result
); );
$this->assertContains(
'<a class="external-inline" href="http://google.com#anchor">ExternalInlineLink</a>',
$result
);
$this->assertContains(
'<svg><use xlink:href="#sprite"></use></svg>',
$result,
'SSTemplateParser should only rewrite anchor hrefs'
);
unlink($tmplFile); unlink($tmplFile);
SSViewer::setOption('rewriteHashlinks', $oldRewriteHashLinks); SSViewer::setOption('rewriteHashlinks', $oldRewriteHashLinks);
@ -962,7 +981,7 @@ after')
$obj->InsertedLink = '<a class="inserted" href="#anchor">InsertedLink</a>'; $obj->InsertedLink = '<a class="inserted" href="#anchor">InsertedLink</a>';
$result = $tmpl->process($obj); $result = $tmpl->process($obj);
$this->assertContains( $this->assertContains(
'<a class="inserted" href="<?php echo strip_tags(', '<a class="inserted" href="<?php echo Convert::raw2att(',
$result $result
); );
// TODO Fix inline links in PHP mode // TODO Fix inline links in PHP mode

View File

@ -4471,8 +4471,9 @@ class SSTemplateParser extends Parser {
// TODO: This is pretty ugly & gets applied on all files not just html. I wonder if we can make this // TODO: This is pretty ugly & gets applied on all files not just html. I wonder if we can make this
// non-dynamically calculated // non-dynamically calculated
$text = preg_replace( $text = preg_replace(
'/href\s*\=\s*\"\#/', '/(<a[^>]+href *= *)"#/i',
'href="\' . (SSViewer::$options[\'rewriteHashlinks\'] ? strip_tags( $_SERVER[\'REQUEST_URI\'] ) : "") . '\\1"\' . (SSViewer::$options[\'rewriteHashlinks\'] ?' .
' Convert::raw2att( $_SERVER[\'REQUEST_URI\'] ) : "") .
\'#', \'#',
$text $text
); );

View File

@ -1005,8 +1005,9 @@ class SSTemplateParser extends Parser {
// TODO: This is pretty ugly & gets applied on all files not just html. I wonder if we can make this // TODO: This is pretty ugly & gets applied on all files not just html. I wonder if we can make this
// non-dynamically calculated // non-dynamically calculated
$text = preg_replace( $text = preg_replace(
'/href\s*\=\s*\"\#/', '/(<a[^>]+href *= *)"#/i',
'href="\' . (SSViewer::$options[\'rewriteHashlinks\'] ? strip_tags( $_SERVER[\'REQUEST_URI\'] ) : "") . '\\1"\' . (SSViewer::$options[\'rewriteHashlinks\'] ?' .
' Convert::raw2att( $_SERVER[\'REQUEST_URI\'] ) : "") .
\'#', \'#',
$text $text
); );

View File

@ -928,9 +928,9 @@ class SSViewer {
if($this->rewriteHashlinks && self::$options['rewriteHashlinks']) { if($this->rewriteHashlinks && self::$options['rewriteHashlinks']) {
if(strpos($output, '<base') !== false) { if(strpos($output, '<base') !== false) {
if(SSViewer::$options['rewriteHashlinks'] === 'php') { if(SSViewer::$options['rewriteHashlinks'] === 'php') {
$thisURLRelativeToBase = "<?php echo strip_tags(\$_SERVER['REQUEST_URI']); ?>"; $thisURLRelativeToBase = "<?php echo Convert::raw2att(\$_SERVER['REQUEST_URI']); ?>";
} else { } else {
$thisURLRelativeToBase = strip_tags($_SERVER['REQUEST_URI']); $thisURLRelativeToBase = Convert::raw2att($_SERVER['REQUEST_URI']);
} }
$output = preg_replace('/(<a[^>]+href *= *)"#/i', '\\1"' . $thisURLRelativeToBase . '#', $output); $output = preg_replace('/(<a[^>]+href *= *)"#/i', '\\1"' . $thisURLRelativeToBase . '#', $output);