diff options
| author | Florian Pritz <bluewind@xinu.at> | 2018-03-23 14:24:06 +0100 |
|---|---|---|
| committer | Florian Pritz <bluewind@xinu.at> | 2018-03-23 14:24:06 +0100 |
| commit | d0f6e6ab2e1dbb968a0ef0021f0b9cd64313863b (patch) | |
| tree | a8cd95ddf85c9a852f522eae14dda0de4151d38b /system/core/Security.php | |
| parent | 006cf0764295d37daa597f4ea9cf31abb75d1b68 (diff) | |
| parent | 71e647782764184e3aab4faffe6d99176758979f (diff) | |
Merge tag 'ci-upstream/3.1.8' into dev
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'system/core/Security.php')
| -rw-r--r-- | system/core/Security.php | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 6cdce5d98..31926b466 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -134,7 +134,9 @@ class CI_Security { */ protected $_never_allowed_str = array( 'document.cookie' => '[removed]', + '(document).cookie' => '[removed]', 'document.write' => '[removed]', + '(document).write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', '-moz-binding' => '[removed]', @@ -152,7 +154,7 @@ class CI_Security { */ protected $_never_allowed_regex = array( 'javascript\s*:', - '(document|(document\.)?window)\.(location|on\w*)', + '(\(?document\)?|\(?window\)?(\.document)?)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! 'wscript\s*:', // IE @@ -542,6 +544,14 @@ class CI_Security { $str ); + // Same thing, but for "tag functions" (e.g. eval`some code`) + // See https://github.com/bcit-ci/CodeIgniter/issues/5420 + $str = preg_replace( + '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si', + '\\1\\2`\\3`', + $str + ); + // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -853,7 +863,7 @@ class CI_Security { // For other tags, see if their attributes are "evil" and strip those elseif (isset($matches['attributes'])) { - // We'll store the already fitlered attributes here + // We'll store the already filtered attributes here $attributes = array(); // Attribute-catching pattern @@ -927,7 +937,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', + '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', '', $this->_filter_attributes($match[1]) ), @@ -955,7 +965,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si', + '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si', '', $this->_filter_attributes($match[1]) ), |