From 06ecd784cf4f8dd05636a1cb43e5c846e0088541 Mon Sep 17 00:00:00 2001
From: 8chan
Date: Mon, 16 Feb 2015 16:15:15 -0800
Subject: [PATCH] SECURITY: Fix more cross-linking problems in ?/settings CSS

---
 inc/8chan-mod-pages.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/inc/8chan-mod-pages.php b/inc/8chan-mod-pages.php
index 809013e1..18d720a0 100644
--- a/inc/8chan-mod-pages.php
+++ b/inc/8chan-mod-pages.php
@@ -543,8 +543,7 @@ EOT;
 // Clean up our CSS...no more expression() or off-site URLs.
 $clean_css = preg_replace('/expression\s*\(/', '', $_POST['css']);
- // URL matcher from SO:
- $match_urls = '(?xi)\b((?:https?://|www\d{0,3}[.]|[a-z0-9.\-]+[.][a-z]{2,4}/)(?:[^\s()<>]+|\(([^\s()<>]+|(\([^\s()<>]+\)))*\))+(?:\(([^\s()<>]+|(\([^\s()<>]+\)))*\)|[^\s`!()\[\]{};:\'".,<>?«»“”‘’]))';
+ $match_urls = '((?:(?:https?:)?\/\/|ftp:\/\/|irc:\/\/)[^\s<>()"]+?(?:\([^\s<>()"]*?\)[^\s<>()"]*?)*)((?:\s|<|>|"|\.|\]|!|\?|,|&\#44;|")*(?:[\s<>()"]|$))';
 $matched = array();
@@ -554,7 +553,7 @@ EOT;
 foreach ($matched[0] as $match) {
 $match_okay = false;
 foreach ($allowed_urls as $allowed_url) {
- if (strpos($match, $allowed_url) !== false) {
+ if (strpos($match, $allowed_url) !== false && strpos($match, '#') === false) {
 $match_okay = true;
 }
 }
@@ -565,10 +564,9 @@ EOT;
 }
 //Filter out imports from sites with potentially unsafe content
- $css_no_comments = preg_replace('|\/\*.*\*\/|', '', $clean_css); //I can't figure out how to ignore comments in the match
 $match_imports = '@import[^;]*';
 $matched = array();
- preg_match_all("#$match_imports#im", $css_no_comments, $matched);
+ preg_match_all("#$match_imports#im", $clean_css, $matched);
 $unsafe_import_urls = array('https://a.pomf.se/');
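Review bot: The replacement `$match_urls` pattern drops the old `(?xi)` inline flags, so unless the `preg_match_all` call that consumes it (outside this hunk) passes the `i` modifier, an `HTTP://` or `HTTPS://` reference no longer matches and is never checked against the allow-list at all. It also only recognises URLs written literally with a scheme or a leading `//`, while CSS lets the author spell them with hex escapes (`h\74tp://…`, `url(\68ttps://…)`) that the browser decodes but this regex does not, and the `expression\s*\(` replace two lines above is sidestepped the same way by `expr\65ssion(` or `expression/**/(`. Decoding CSS escapes and stripping `/* */` comments before either check runs, or simply rejecting a backslash anywhere in `$_POST['css']`, would close that gap. A one-line comment above the pattern, `// Matches literal scheme:// or // URLs only; CSS escapes must be decoded before this runs`, would at least record the assumption. The enclosing function starts and ends outside this hunk.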
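Review bot: `strpos($match, $allowed_url) !== false` accepts an allowed URL that appears anywhere inside the match, so `https://attacker.example/?r=<allowed-url>` passes the allow-list as long as it carries no `#`; the comparison should be anchored at the start of the match, `if (strpos($match, $allowed_url) === 0 && strpos($match, '#') === false) {`, normalising a leading `//` to `https://` first if protocol-relative references are meant to be accepted. Whether the `$allowed_urls` entries end in `/` (which is what stops `allowed.example.evil.example` from matching) is not visible here and is worth confirming. The new `#` exclusion is presumably the cross-linking guard the subject line refers to, but nothing in the code says so; a comment such as `// any '#' in the reference disqualifies it, regardless of host` would keep the next editor from "simplifying" it away.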
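Review bot: Removing the comment-stripping step means `$match_imports` now also matches `@import` text inside `/* … */` comments, which is the safe direction (the greedy `\/\*.*\*\/` could be used to hide an import between two comments) but should be stated, e.g. `// Deliberately matched against the raw CSS: comment stripping let /* */ pairs hide an @import`. Note also that `@import[^;]*` runs across line ends until the next `;`, so an import written without a terminating semicolon swallows the following rules into its match and is then judged by their contents. `$unsafe_import_urls` is a deny-list of a single file host; any other allow-listed host that serves user-uploaded content is importable, so this list needs a comment explaining the criterion for adding entries, or the import check should be turned into a positive list of stylesheet origins.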
@@ -576,7 +574,7 @@ EOT;
 foreach ($matched[0] as $match) {
 $match_okay = true;
 foreach ($unsafe_import_urls as $unsafe_import_url) {
- if (strpos($match, $unsafe_import_url) !== false) {
+ if (strpos($match, $unsafe_import_url) !== false && strpos($match, '#') === false) {
 $match_okay = false;
 }
 }
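Review bot: The added `&& strpos($match, '#') === false` inverts the intent here: `$match_okay` is only cleared when the import hits the deny-list and contains no `#`, so `@import url(https://a.pomf.se/x.css#)` is now treated as safe and the deny-list is bypassed with a single character. In the `$allowed_urls` loop the same clause tightens the check because it guards the accept branch; on this reject branch it has to widen it instead: `if (strpos($match, $unsafe_import_url) !== false || strpos($match, '#') !== false) {`. This assumes the host survives the earlier `url()` allow-list pass, which the existence of a separate import deny-list suggests but which is not visible in this hunk. The enclosing function starts and ends outside the hunk.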