diff options
| author | Nils Adermann <naderman@naderman.de> | 2010-11-20 17:55:56 +0100 |
|---|---|---|
| committer | Nils Adermann <naderman@naderman.de> | 2010-11-20 17:55:56 +0100 |
| commit | d2778e67eaff5453042e6fd851b7d678141be58d (patch) | |
| tree | fd2b892f29eaa61038ab418b0abb3d473cbeb5a6 /phpBB | |
| parent | fbca4e9c7b2f723dde8e0034b7f5fedc9d0c8483 (diff) | |
| parent | af4c2a3eb15fc4318b23dcb7794c230cf3ec2a0f (diff) | |
| download | forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar.gz forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar.bz2 forums-d2778e67eaff5453042e6fd851b7d678141be58d.tar.xz forums-d2778e67eaff5453042e6fd851b7d678141be58d.zip | |
Merge branch 'prep-release-3.0.8' into develop-olympus
* prep-release-3.0.8:
[prep-release-3.0.8] Incrementing version number to 3.0.8 and update changelog
[ticket/9903] Script for detecting potentially malicious flash bbcodes
[ticket/9904] Update WebPI Parameters.xml to work with WebMatrix.
[ticket/9903] Fix XSS in BBcode-parser's Flash-BBcode.
Conflicts:
phpBB/includes/constants.php
phpBB/install/database_update.php
phpBB/install/schemas/schema_data.sql
Diffstat (limited to 'phpBB')
| -rw-r--r-- | phpBB/develop/check_flash_bbcodes.php | 163 | ||||
| -rw-r--r-- | phpBB/docs/CHANGELOG.html | 12 | ||||
| -rw-r--r-- | phpBB/includes/constants.php | 2 | ||||
| -rw-r--r-- | phpBB/includes/message_parser.php | 9 | ||||
| -rw-r--r-- | phpBB/install/database_update.php | 8 |
5 files changed, 192 insertions, 2 deletions
diff --git a/phpBB/develop/check_flash_bbcodes.php b/phpBB/develop/check_flash_bbcodes.php new file mode 100644 index 0000000000..b0fa399209 --- /dev/null +++ b/phpBB/develop/check_flash_bbcodes.php @@ -0,0 +1,163 @@ +<?php +/** +* +* @package phpBB3 +* @version $Id$ +* @copyright (c) 2009, 2010 phpBB Group +* @license http://opensource.org/licenses/gpl-license.php GNU Public License +* +*/ + +/** +* This script will check your database for potentially dangerous flash BBCode tags +*/ + +// +// Security message: +// +// This script is potentially dangerous. +// Remove or comment the next line (die(".... ) to enable this script. +// Do NOT FORGET to either remove this script or disable it after you have used it. +// +die("Please read the first lines of this script for instructions on how to enable it\n"); + +/** +*/ +define('IN_PHPBB', true); +$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './'; +$phpEx = substr(strrchr(__FILE__, '.'), 1); +include($phpbb_root_path . 'common.' . $phpEx); + +if (php_sapi_name() != 'cli') +{ + header('Content-Type: text/plain'); +} + +check_table_flash_bbcodes(POSTS_TABLE, 'post_id', 'post_text', 'bbcode_uid', 'bbcode_bitfield'); +check_table_flash_bbcodes(PRIVMSGS_TABLE, 'msg_id', 'message_text', 'bbcode_uid', 'bbcode_bitfield'); +check_table_flash_bbcodes(USERS_TABLE, 'user_id', 'user_sig', 'user_sig_bbcode_uid', 'user_sig_bbcode_bitfield'); +check_table_flash_bbcodes(FORUMS_TABLE, 'forum_id', 'forum_desc', 'forum_desc_uid', 'forum_desc_bitfield'); +check_table_flash_bbcodes(FORUMS_TABLE, 'forum_id', 'forum_rules', 'forum_rules_uid', 'forum_rules_bitfield'); +check_table_flash_bbcodes(GROUPS_TABLE, 'group_id', 'group_desc', 'group_desc_uid', 'group_desc_bitfield'); + +echo "If potentially dangerous flash bbcodes were found, please reparse the posts using the Support Toolkit (http://www.phpbb.com/support/stk/) and/or file a ticket in the Incident Tracker (http://www.phpbb.com/incidents/).\n"; + +function check_table_flash_bbcodes($table_name, $id_field, $content_field, $uid_field, $bitfield_field) +{ + echo "Checking $content_field on $table_name\n"; + + $ids = get_table_flash_bbcode_pkids($table_name, $id_field, $content_field, $uid_field, $bitfield_field); + + $size = sizeof($ids); + if ($size) + { + echo "Found $size potentially dangerous flash bbcodes.\n"; + echo "$id_field: " . implode(', ', $ids) . "\n"; + } + else + { + echo "No potentially dangerous flash bbcodes found.\n"; + } + + echo "\n"; +} + +function get_table_flash_bbcode_pkids($table_name, $id_field, $content_field, $uid_field, $bitfield_field) +{ + global $db; + + $ids = array(); + + $sql = "SELECT $id_field, $content_field, $uid_field, $bitfield_field + FROM $table_name + WHERE $content_field LIKE '%[/flash:%' + AND $bitfield_field <> ''"; + + $result = $db->sql_query($sql); + while ($row = $db->sql_fetchrow($result)) + { + $uid = $row[$uid_field]; + + // thanks support toolkit + $content = html_entity_decode_utf8($row[$content_field]); + set_var($content, $content, 'string', true); + $content = utf8_normalize_nfc($content); + + $bitfield_data = $row[$bitfield_field]; + + if (!is_valid_flash_bbcode($content, $uid) && has_flash_enabled($bitfield_data)) + { + $ids[] = (int) $row[$id_field]; + } + } + $db->sql_freeresult($result); + + return $ids; +} + +function get_flash_regex($uid) +{ + return "#\[flash=([0-9]+),([0-9]+):$uid\](.*?)\[/flash:$uid\]#"; +} + +// extract all valid flash bbcodes +// check if the bbcode content is a valid URL for each match +function is_valid_flash_bbcode($cleaned_content, $uid) +{ + $regex = get_flash_regex($uid); + + $url_regex = get_preg_expression('url'); + $www_url_regex = get_preg_expression('www_url'); + + if (preg_match_all($regex, $cleaned_content, $matches)) + { + foreach ($matches[3] as $flash_url) + { + if (!preg_match("#^($url_regex|$www_url_regex)$#i", $flash_url)) + { + return false; + } + } + } + + return true; +} + +// check if a bitfield includes flash +// 11 = flash bit +function has_flash_enabled($bitfield_data) +{ + $bitfield = new bitfield($bitfield_data); + return $bitfield->get(11); +} + +// taken from support toolkit +function html_entity_decode_utf8($string) +{ + static $trans_tbl; + + // replace numeric entities + $string = preg_replace('~&#x([0-9a-f]+);~ei', 'code2utf8(hexdec("\\1"))', $string); + $string = preg_replace('~&#([0-9]+);~e', 'code2utf8(\\1)', $string); + + // replace literal entities + if (!isset($trans_tbl)) + { + $trans_tbl = array(); + + foreach (get_html_translation_table(HTML_ENTITIES) as $val=>$key) + $trans_tbl[$key] = utf8_encode($val); + } + return strtr($string, $trans_tbl); +} + +// taken from support toolkit +// Returns the utf string corresponding to the unicode value (from php.net, courtesy - romans@void.lv) +function code2utf8($num) +{ + if ($num < 128) return chr($num); + if ($num < 2048) return chr(($num >> 6) + 192) . chr(($num & 63) + 128); + if ($num < 65536) return chr(($num >> 12) + 224) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); + if ($num < 2097152) return chr(($num >> 18) + 240) . chr((($num >> 12) & 63) + 128) . chr((($num >> 6) & 63) + 128) . chr(($num & 63) + 128); + return ''; +} diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index f5d6da94b9..66915b18fa 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -90,6 +90,12 @@ <div class="content"> <a name="v307-PL1"></a><h3>1.i. Changes since 3.0.7-PL1</h3> +<h4> Security +</h4> +<ul> +<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9903'>PHPBB3-9903</a>] - Execute javascript in [flash=] BBCode +</li> +</ul> <h4> Bug </h4> @@ -404,6 +410,8 @@ </li> <li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9891'>PHPBB3-9891</a>] - Updater drops language-selection after database-update </li> +<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9509'>PHPBB3-9509</a>] - phpBB Coding Guidelines state subversion as the version control system for phpBB +</li> </ul> <h4> Improvement @@ -467,6 +475,8 @@ </li> <li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9880'>PHPBB3-9880</a>] - Rename all mentions of CAPTCHA or visual confirmation to anti-bot </li> +<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9899'>PHPBB3-9899</a>] - Change the style in the ACP for the recaptcha to match that displayed on prosilver +</li> </ul> <h4> New Feature @@ -509,6 +519,8 @@ </li> <li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9868'>PHPBB3-9868</a>] - Make the test suite run and pass using the mssqlnative driver </li> +<li>[<a href='http://tracker.phpbb.com/browse/PHPBB3-9904'>PHPBB3-9904</a>] - Update WebPI Parameters.xml +</li> </ul> <h4> Sub-task diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php index 2b19aa185d..90440f74b8 100644 --- a/phpBB/includes/constants.php +++ b/phpBB/includes/constants.php @@ -275,4 +275,4 @@ define('ZEBRA_TABLE', $table_prefix . 'zebra'); // Additional tables -?>
\ No newline at end of file +?> diff --git a/phpBB/includes/message_parser.php b/phpBB/includes/message_parser.php index 952b55cc8c..b2d0b6c566 100644 --- a/phpBB/includes/message_parser.php +++ b/phpBB/includes/message_parser.php @@ -352,6 +352,15 @@ class bbcode_firstpass extends bbcode return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]'; } + $in = str_replace(' ', '%20', $in); + + // Make sure $in is a URL. + if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) && + !preg_match('#^' . get_preg_expression('www_url') . '$#i', $in)) + { + return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]'; + } + // Apply the same size checks on flash files as on images if ($config['max_' . $this->mode . '_img_height'] || $config['max_' . $this->mode . '_img_width']) { diff --git a/phpBB/install/database_update.php b/phpBB/install/database_update.php index 8d1755f8a6..10308826e0 100644 --- a/phpBB/install/database_update.php +++ b/phpBB/install/database_update.php @@ -914,6 +914,8 @@ function database_update_info() '3.0.7' => array(), // No changes from 3.0.7-PL1 to 3.0.8-RC1 '3.0.7-PL1' => array(), + // No changes from 3.0.8-RC1 to 3.0.8 + '3.0.8-RC1' => array(), ); } @@ -1852,6 +1854,10 @@ function change_database_data(&$no_updates, $version) $no_updates = false; break; + + // No changes from 3.0.8-RC1 to 3.0.8 + case '3.0.8-RC1': + break; } } @@ -3797,4 +3803,4 @@ class updater_db_tools } } -?>
\ No newline at end of file +?> |