summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2018-03-23 14:24:06 +0100
committerFlorian Pritz <bluewind@xinu.at>2018-03-23 14:24:06 +0100
commitd0f6e6ab2e1dbb968a0ef0021f0b9cd64313863b (patch)
treea8cd95ddf85c9a852f522eae14dda0de4151d38b /system/core/Security.php
parent006cf0764295d37daa597f4ea9cf31abb75d1b68 (diff)
parent71e647782764184e3aab4faffe6d99176758979f (diff)
Merge tag 'ci-upstream/3.1.8' into dev
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php18
1 files changed, 14 insertions, 4 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 6cdce5d98..31926b466 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -134,7 +134,9 @@ class CI_Security {
*/
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
+ '(document).cookie' => '[removed]',
'document.write' => '[removed]',
+ '(document).write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
'-moz-binding' => '[removed]',
@@ -152,7 +154,7 @@ class CI_Security {
*/
protected $_never_allowed_regex = array(
'javascript\s*:',
- '(document|(document\.)?window)\.(location|on\w*)',
+ '(\(?document\)?|\(?window\)?(\.document)?)\.(location|on\w*)',
'expression\s*(\(|&\#40;)', // CSS and IE
'vbscript\s*:', // IE, surprise!
'wscript\s*:', // IE
@@ -542,6 +544,14 @@ class CI_Security {
$str
);
+ // Same thing, but for "tag functions" (e.g. eval`some code`)
+ // See https://github.com/bcit-ci/CodeIgniter/issues/5420
+ $str = preg_replace(
+ '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si',
+ '\\1\\2&#96;\\3&#96;',
+ $str
+ );
+
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
@@ -853,7 +863,7 @@ class CI_Security {
// For other tags, see if their attributes are "evil" and strip those
elseif (isset($matches['attributes']))
{
- // We'll store the already fitlered attributes here
+ // We'll store the already filtered attributes here
$attributes = array();
// Attribute-catching pattern
@@ -927,7 +937,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
+ '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
'',
$this->_filter_attributes($match[1])
),
@@ -955,7 +965,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
+ '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
'',
$this->_filter_attributes($match[1])
),