From f2d3879da419624a817b247efac73bad27887498 Mon Sep 17 00:00:00 2001
From: Nathan Guse
Date: Sun, 9 Mar 2014 11:26:06 -0500
Subject: [ticket/12202] Apply htmlspecialchars to style.cfg data
PHPBB3-12202
---
 phpBB/includes/functions.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index eef4ade4e7..81a7dc5cbd 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3367,8 +3367,8 @@ function parse_cfg_file($filename, $lines = false)
 }
 // Determine first occurrence, since in values the equal sign is allowed
- $key = strtolower(trim(substr($line, 0, $delim_pos)));
- $value = trim(substr($line, $delim_pos + 1));
+ $key = htmlspecialchars(strtolower(trim(substr($line, 0, $delim_pos))));
+ $value = htmlspecialchars(trim(substr($line, $delim_pos + 1)));
 if (in_array($value, array('off', 'false', '0')))
 {
@@ -3384,7 +3384,7 @@ function parse_cfg_file($filename, $lines = false)
 }
 else if (($value[0] == "'" && $value[sizeof($value) - 1] == "'") || ($value[0] == '"' && $value[sizeof($value) - 1] == '"'))
 {
- $value = substr($value, 1, sizeof($value)-2);
+ $value = htmlspecialchars(substr($value, 1, sizeof($value)-2));
 }
 $parsed_items[$key] = $value;
-- 
cgit v1.2.1
From f3d8dfd1e32fd0c58b601d8a7131fa959bff7b53 Mon Sep 17 00:00:00 2001
From: Nathaniel Guse
Date: Sun, 9 Mar 2014 17:17:33 -0500
Subject: [ticket/12202] Can't call htmlspecialchars before checking for quotes
PHPBB3-12202
---
 phpBB/includes/functions.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 81a7dc5cbd..f0657b9016 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
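Review bot: Both `htmlspecialchars()` calls added in the `@@ -3367,8` hunk of parse_cfg_file() rely on the default flags, which on PHP versions before 8.1 leave single quotes unescaped, so a style.cfg key or value that later lands inside a single-quoted attribute is not covered by this escaping. Passing the flags and charset explicitly, for example `htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')`, makes the result independent of the runtime default; the call added in the `@@ -3384,7` hunk has the same gap. Where the parsed items are written into markup is not visible in this patch, so the affected output contexts are inferred. parse_cfg_file() starts and ends outside the hunk.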
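Review bot: `sizeof($value)` in the changed line of the `@@ -3384,7` hunk counts array elements, but `$value` is a string here, so it evaluates to 1 on the PHP versions of that time and is rejected with a TypeError on PHP 8. The call `substr($value, 1, sizeof($value)-2)` therefore drops the last character only because the length works out to -1, and the closing-quote test in the context line above it compares `$value[0]` with itself, so a value with an opening quote and no closing quote is still treated as quoted and loses its final character. Use the string length: test `$value[strlen($value) - 1]` in the condition and write `$value = htmlspecialchars(substr($value, 1, -1));`. The enclosing function continues outside the hunk.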
@@ -3368,7 +3368,7 @@ function parse_cfg_file($filename, $lines = false)
 // Determine first occurrence, since in values the equal sign is allowed
 $key = htmlspecialchars(strtolower(trim(substr($line, 0, $delim_pos))));
- $value = htmlspecialchars(trim(substr($line, $delim_pos + 1)));
+ $value = trim(substr($line, $delim_pos + 1));
 if (in_array($value, array('off', 'false', '0')))
 {
@@ -3386,6 +3386,10 @@ function parse_cfg_file($filename, $lines = false)
 {
 $value = htmlspecialchars(substr($value, 1, sizeof($value)-2));
 }
+ else
+ {
+ $value = htmlspecialchars($value);
+ }
 $parsed_items[$key] = $value;
 }
-- 
cgit v1.2.1
From eed355b798ec77ed8b67555087fc5866b522c5fc Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Fri, 10 Apr 2015 18:02:58 +0200
Subject: [ticket/security-180] Check if redirect URL contains board URL
SECURITY-180
---
 phpBB/includes/functions.php | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f0657b9016..f79a0a9e52 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false)
 }
 }
+ // Make sure we don't redirect to external URLs
+ if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0)
+ {
+ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ }
+
 // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
 if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
 {
-- 
cgit v1.2.1
From bca1b96b2e9235bbb4a3e7a104dd79e7f3761679 Mon Sep 17 00:00:00 2001
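Review bot: Nothing in parse_cfg_file() tells callers that, with the `else` branch added in the `@@ -3386,6` hunk, every string value and key it returns is already HTML-escaped, while the earlier branches (only partly visible in the context lines) appear to return unescaped booleans and numbers. A caller that escapes again will double-encode, and a caller that uses a value as a file name or in another non-HTML context will see entities such as `&amp;` in it. A docblock line along the lines of `String keys and values are returned htmlspecialchars()-escaped; do not escape them again` would record the contract. The docblock and the rest of the function are outside the hunk.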
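Review bot: The check added to redirect() in the `@@ -2579,6` hunk is skipped entirely when `$disable_cd_check` is true, and the new comment does not say so, so a caller that passes true together with a URL taken from request data gets no protection from this block. Extending the comment, for example `// Skipped when $disable_cd_check is true: such callers must validate $url themselves`, documents where responsibility moves. The error text is a hard-coded English literal; if the project has a language entry for it, using that would be more consistent, though none is visible here. The body of redirect() continues outside the hunk.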
From: Marc Alexander
Date: Sat, 11 Apr 2015 16:41:20 +0200
Subject: [ticket/security-180] Make sure that redirect goes to full URL plus slash
SECURITY-180
---
 phpBB/includes/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f79a0a9e52..a6a98954de 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2580,7 +2580,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 }
 // Make sure we don't redirect to external URLs
- if (!$disable_cd_check && strpos($url, generate_board_url(true)) !== 0)
+ if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
 {
 trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
 }
-- 
cgit v1.2.1
From ee658bfe7bd284573d199c3c2a76007c5509695d Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Sat, 11 Apr 2015 17:08:28 +0200
Subject: [ticket/security-180] Always fail when redirecting to an insecure URL
SECURITY-180
---
 phpBB/includes/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index a6a98954de..f2bc63cf23 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2492,7 +2492,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
 if (!$disable_cd_check && $url_parts['host'] !== $user->host)
 {
- $url = generate_board_url();
+ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
 }
 }
 else if ($url[0] == '/')
-- 
cgit v1.2.1
From 463c62df1847a3791fb7ec23b72c2f72bed12938 Mon Sep 17 00:00:00 2001
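Review bot: With `'/'` appended in the `@@ -2580,7` hunk, a `$url` that equals `generate_board_url(true)` exactly, with no trailing slash and no path, no longer matches the prefix and ends in the E_USER_ERROR. Whether redirect() can arrive here with such a URL depends on the normalisation earlier in the function, which is outside the hunk; if it can, accept both forms, for example `$board = generate_board_url(true);` followed by `if (!$disable_cd_check && $url !== $board && strpos($url, $board . '/') !== 0)`. Rejecting the bare URL fails closed, so this is a functional regression risk rather than a weakening of the check.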
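Review bot: The host test that now ends in `trigger_error()` in the `@@ -2492,7` hunk is a case-sensitive `!==`, so a URL whose host differs from `$user->host` only in letter case changes from a silent fallback to the board URL into a fatal error. Unless both sides are already lower-cased before this point, which the hunk does not show, compare normalised values: `strtolower($url_parts['host']) !== strtolower($user->host)`. The message literal now appears twice in redirect(); a shared constant or language entry would keep the two call sites in step. The surrounding branch starts outside the hunk.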
From: Joas Schilling
Date: Sat, 11 Apr 2015 17:43:06 +0200
Subject: [ticket/13765] Verify SERVER_PROTOCOL has the expected format before using it.
PHPBB3-13765
---
 phpBB/includes/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'phpBB/includes/functions.php')
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index f0657b9016..4ae6e7a018 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2782,7 +2782,7 @@ function send_status_line($code, $message)
 }
 else
 {
- if (!empty($_SERVER['SERVER_PROTOCOL']))
+ if (!empty($_SERVER['SERVER_PROTOCOL']) && is_string($_SERVER['SERVER_PROTOCOL']) && preg_match('#^HTTP/[0-9]\.[0-9]$#', $_SERVER['SERVER_PROTOCOL']))
 {
 $version = $_SERVER['SERVER_PROTOCOL'];
 }
-- 
cgit v1.2.1
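Review bot: In the pattern added to send_status_line(), `$` also matches just before a trailing newline, so a SERVER_PROTOCOL value of `"HTTP/1.1\n"` passes the format check and is copied into `$version` unchanged. Anchor the end of the subject strictly with `\z` or the `D` modifier: `preg_match('#^HTTP/[0-9]\.[0-9]\z#', $_SERVER['SERVER_PROTOCOL'])`. The `is_string()` test has to stay ahead of `preg_match()`, as it is now. How `$version` is used afterwards, and the fallback taken when the check fails, are outside the hunk.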