harmacist/vichan
1
0
Fork 0
forked from GithubBackups/vichan
Code Pull Requests Activity

SECURITY / XSS : ?/edit allowed arbitrary HTML to be added by any user thru addition of <tinyboard raw html>1</tinyboard>

Browse Source 
This allowed ANY user with ?/edit privilege to also have raw_html regardless of whether they had $config['mod']['rawhtml']

Now, any changes to <tinyboard> markup modifiers via ?/edit are not allowed. They are removed at read time, and before write they are removed again and the ones in the database (which should be clean...) are inserted instead.

Please immediately apply this patch to your instance if you are running any version of 8chan/infinity.
This commit is contained in:
8chan 2014-12-24 06:08:19 -08:00
parent 906611e7ac
commit 87e914948b
2 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
inc/functions.php
View File

@ -1707,6 +1707,10 @@ function extract_modifiers($body) {
return $modifiers; return $modifiers;
} }
function remove_modifiers($body) {
return preg_replace('@<tinyboard ([\w\s]+)>(.+?)</tinyboard>@usm', '', $body);
}
function markup(&$body, $track_cites = false, $op = false) { function markup(&$body, $track_cites = false, $op = false) {
global $board, $config, $markup_urls; global $board, $config, $markup_urls;

20
inc/mod/pages.php
View File

@ -1599,6 +1599,15 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
error($config['error']['404']); error($config['error']['404']);
if (isset($_POST['name'], $_POST['email'], $_POST['subject'], $_POST['body'])) { if (isset($_POST['name'], $_POST['email'], $_POST['subject'], $_POST['body'])) {
// Remove any modifiers they may have put in
$_POST['body'] = remove_modifiers($_POST['body']);
// Add back modifiers in the original post
$modifiers = extract_modifiers($post['body_nomarkup']);
foreach ($modifiers as $key => $value) {
$_POST['body'] .= "<tinyboard $key>$value</tinyboard>";
}
if ($edit_raw_html) if ($edit_raw_html)
$query = prepare(sprintf('UPDATE ``posts_%s`` SET `name` = :name, `email` = :email, `subject` = :subject, `body` = :body, `body_nomarkup` = :body_nomarkup, `edited_at` = NOW() WHERE `id` = :id', $board)); $query = prepare(sprintf('UPDATE ``posts_%s`` SET `name` = :name, `email` = :email, `subject` = :subject, `body` = :body, `body_nomarkup` = :body_nomarkup, `edited_at` = NOW() WHERE `id` = :id', $board));
else else
@ -1656,15 +1665,20 @@ function mod_edit_post($board, $edit_raw_html, $postID) {
header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']); header('Location: ?/' . sprintf($config['board_path'], $board) . $config['dir']['res'] . sprintf($config['file_page'], $post['thread'] ? $post['thread'] : $postID) . '#' . $postID, true, $config['redirect_http']);
} else { } else {
// Remove modifiers
$post['body_nomarkup'] = remove_modifiers($post['body_nomarkup']);
$post['body_nomarkup'] = utf8tohtml($post['body_nomarkup']);
$post['body'] = utf8tohtml($post['body']);
if ($config['minify_html']) { if ($config['minify_html']) {
$post['body_nomarkup'] = str_replace("\n", '&#010;', utf8tohtml($post['body_nomarkup'])); $post['body_nomarkup'] = str_replace("\n", '&#010;', $post['body_nomarkup']);
$post['body'] = str_replace("\n", '&#010;', utf8tohtml($post['body'])); $post['body'] = str_replace("\n", '&#010;', $post['body']);
$post['body_nomarkup'] = str_replace("\r", '', $post['body_nomarkup']); $post['body_nomarkup'] = str_replace("\r", '', $post['body_nomarkup']);
$post['body'] = str_replace("\r", '', $post['body']); $post['body'] = str_replace("\r", '', $post['body']);
$post['body_nomarkup'] = str_replace("\t", '&#09;', $post['body_nomarkup']); $post['body_nomarkup'] = str_replace("\t", '&#09;', $post['body_nomarkup']);
$post['body'] = str_replace("\t", '&#09;', $post['body']); $post['body'] = str_replace("\t", '&#09;', $post['body']);
} }
mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post)); mod_page(_('Edit post'), 'mod/edit_post_form.html', array('token' => $security_token, 'board' => $board, 'raw' => $edit_raw_html, 'post' => $post));
} }
} }