aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB
diff options
context:
space:
mode:
authorNils Adermann <naderman@naderman.de>2010-11-19 11:33:14 +0100
committerNils Adermann <naderman@naderman.de>2010-11-19 11:33:14 +0100
commit2831a3a9a97c1ee8b714c8034c64379eff90faa0 (patch)
tree403bc050aff21699f0d9e3781212fce7d1dd8467 /phpBB
parentbce138ca14ed2c0a461ba9598464b3db91dc37ab (diff)
parent49b639dd953746bdd6f77644e471b09545960f8a (diff)
downloadforums-2831a3a9a97c1ee8b714c8034c64379eff90faa0.tar
forums-2831a3a9a97c1ee8b714c8034c64379eff90faa0.tar.gz
forums-2831a3a9a97c1ee8b714c8034c64379eff90faa0.tar.bz2
forums-2831a3a9a97c1ee8b714c8034c64379eff90faa0.tar.xz
forums-2831a3a9a97c1ee8b714c8034c64379eff90faa0.zip
Merge branch 'ticket/9903' into prep-release-3.0.8
* ticket/9903: [ticket/9903] Script for detecting potentially malicious flash bbcodes [ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode.
Diffstat (limited to 'phpBB')
-rw-r--r--phpBB/develop/check_flash_bbcodes.php163
-rw-r--r--phpBB/includes/message_parser.php9
2 files changed, 172 insertions, 0 deletions
diff --git a/phpBB/develop/check_flash_bbcodes.php b/phpBB/develop/check_flash_bbcodes.php
new file mode 100644
index 0000000000..b0fa399209
--- /dev/null
+++ b/phpBB/develop/check_flash_bbcodes.php
@@ -0,0 +1,163 @@
+<?php
+/**
+*
+* @package phpBB3
+* @version $Id$
+* @copyright (c) 2009, 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-license.php GNU Public License
+*
+*/
+
+/**
+* This script will check your database for potentially dangerous flash BBCode tags
+*/
+
+//
+// Security message:
+//
+// This script is potentially dangerous.
+// Remove or comment the next line (die(".... ) to enable this script.
+// Do NOT FORGET to either remove this script or disable it after you have used it.
+//
+die("Please read the first lines of this script for instructions on how to enable it\n");
+
+/**
+*/
+define('IN_PHPBB', true);
+$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './';
+$phpEx = substr(strrchr(__FILE__, '.'), 1);
+include($phpbb_root_path . 'common.' . $phpEx);
+
+if (php_sapi_name() != 'cli')
+{
+ header('Content-Type: text/plain');
+}
+
+check_table_flash_bbcodes(POSTS_TABLE, 'post_id', 'post_text', 'bbcode_uid', 'bbcode_bitfield');
+check_table_flash_bbcodes(PRIVMSGS_TABLE, 'msg_id', 'message_text', 'bbcode_uid', 'bbcode_bitfield');
+check_table_flash_bbcodes(USERS_TABLE, 'user_id', 'user_sig', 'user_sig_bbcode_uid', 'user_sig_bbcode_bitfield');
+check_table_flash_bbcodes(FORUMS_TABLE, 'forum_id', 'forum_desc', 'forum_desc_uid', 'forum_desc_bitfield');
+check_table_flash_bbcodes(FORUMS_TABLE, 'forum_id', 'forum_rules', 'forum_rules_uid', 'forum_rules_bitfield');
+check_table_flash_bbcodes(GROUPS_TABLE, 'group_id', 'group_desc', 'group_desc_uid', 'group_desc_bitfield');
+
+echo "If potentially dangerous flash bbcodes were found, please reparse the posts using the Support Toolkit (http://www.phpbb.com/support/stk/) and/or file a ticket in the Incident Tracker (http://www.phpbb.com/incidents/).\n";
+
+function check_table_flash_bbcodes($table_name, $id_field, $content_field, $uid_field, $bitfield_field)
+{
+ echo "Checking $content_field on $table_name\n";
+
+ $ids = get_table_flash_bbcode_pkids($table_name, $id_field, $content_field, $uid_field, $bitfield_field);
+
+ $size = sizeof($ids);
+ if ($size)
+ {
+ echo "Found $size potentially dangerous flash bbcodes.\n";
+ echo "$id_field: " . implode(', ', $ids) . "\n";
+ }
+ else
+ {
+ echo "No potentially dangerous flash bbcodes found.\n";
+ }
+
+ echo "\n";
+}
+
+function get_table_flash_bbcode_pkids($table_name, $id_field, $content_field, $uid_field, $bitfield_field)
+{
+ global $db;
+
+ $ids = array();
+
+ $sql = "SELECT $id_field, $content_field, $uid_field, $bitfield_field
+ FROM $table_name
+ WHERE $content_field LIKE '%[/flash:%'
+ AND $bitfield_field <> ''";
+
+ $result = $db->sql_query($sql);
+ while ($row = $db->sql_fetchrow($result))
+ {
+ $uid = $row[$uid_field];
+
+ // thanks support toolkit
+ $content = html_entity_decode_utf8($row[$content_field]);
+ set_var($content, $content, 'string', true);
+ $content = utf8_normalize_nfc($content);
+
+ $bitfield_data = $row[$bitfield_field];
+
+ if (!is_valid_flash_bbcode($content, $uid) && has_flash_enabled($bitfield_data))
+ {
+ $ids[] = (int) $row[$id_field];
+ }
+ }
+ $db->sql_freeresult($result);
+
+ return $ids;
+}
+
+function get_flash_regex($uid)
+{
+ return "#\[flash=([0-9]+),([0-9]+):$uid\](.*?)\[/flash:$uid\]#";
+}
+
+// extract all valid flash bbcodes
+// check if the bbcode content is a valid URL for each match
+function is_valid_flash_bbcode($cleaned_content, $uid)
+{
+ $regex = get_flash_regex($uid);
+
+ $url_regex = get_preg_expression('url');
+ $www_url_regex = get_preg_expression('www_url');
+
+ if (preg_match_all($regex, $cleaned_content, $matches))
+ {
+ foreach ($matches[3] as $flash_url)
+ {
+ if (!preg_match("#^($url_regex|$www_url_regex)$#i", $flash_url))
+ {
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+// check if a bitfield includes flash
+// 11 = flash bit
+function has_flash_enabled($bitfield_data)
+{
+ $bitfield = new bitfield($bitfield_data);
+ return $bitfield->get(11);
+}
+
+// taken from support toolkit
+function html_entity_decode_utf8($string)
+{
+ static $trans_tbl;
+
+ // replace numeric entities
+ $string = preg_replace('~&#x([0-9a-f]+);~ei', 'code2utf8(hexdec("\\1"))', $string);
+ $string = preg_replace('~&#([0-9]+);~e', 'code2utf8(\\1)', $string);
+
+ // replace literal entities
+ if (!isset($trans_tbl))
+ {
+ $trans_tbl = array();
+
+ foreach (get_html_translation_table(HTML_ENTITIES) as $val=>$key)
+ $trans_tbl[$key] = utf8_encode($val);
+ }
+ return strtr($string, $trans_tbl);
+}
+
+// taken from support toolkit
+// Returns the utf string corresponding to the unicode value (from php.net, courtesy - romans@void.lv)
+function code2utf8($num)
+{
+ if ($num < 128) return chr($num);
+ if ($num < 2048) return chr(($num >> 6) + 192) . chr(($num & 63) + 128);
+ if ($num < 65536) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128);
+ if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128);
+ return '';
+}
diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php
index 952b55cc8c..b2d0b6c566 100644
--- a/phpBB/includes/message_parser.php
+++ b/phpBB/includes/message_parser.php
@@ -352,6 +352,15 @@ class bbcode_firstpass extends bbcode
return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
}
+ $in = str_replace(' ', '%20', $in);
+
+ // Make sure $in is a URL.
+ if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) &&
+ !preg_match('#^' . get_preg_expression('www_url') . '$#i', $in))
+ {
+ return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
+ }
+
// Apply the same size checks on flash files as on images
if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width'])
{