From a30a717e15895631cafe232b13777870a693742d Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Mon, 10 Feb 2014 09:17:25 +0200
Subject: CI_Security: Filter jscript, wscript, vbs, confirm, prompt the same way as javascript, alert

---
 system/core/Security.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index cbff38b30..93e6a3ba5 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -147,6 +147,9 @@ class CI_Security {
 '(document|(document\.)?window)\.(location|on\w*)',
 'expression\s*(\(|&\#40;)', // CSS and IE
 'vbscript\s*:', // IE, surprise!
+ 'wscript\s*:', // IE
+ 'jcript\s*:', // IE
+ 'vbs\s*:', // IE
 'Redirect\s+30\d',
 "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 );
@@ -415,8 +418,9 @@ class CI_Security {
 * These words are compacted back to their correct state.
 */
 $words = array(
- 'javascript', 'expression', 'vbscript', 'script', 'base64',
- 'applet', 'alert', 'document', 'write', 'cookie', 'window'
+ 'javascript', 'expression', 'vbscript', 'jscript', 'wscript',
+ 'vbs', 'script', 'base64', 'applet', 'alert', 'document',
+ 'write', 'cookie', 'window', 'confirm', 'prompt'
 );

 foreach ($words as $word)
@@ -475,7 +479,7 @@ class CI_Security { * So this: * Becomes: <blink> */ - $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss'; + $naughty = 'alert|prompt|confirm|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss'; $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); /* @@ -490,7 +494,7 @@ class CI_Security { * For example: eval('some code') * Becomes: eval('some code') */ - $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', + $str = preg_replace('#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', '\\1\\2(\\3)', $str); @@ -745,7 +749,7 @@ class CI_Security { protected function _js_link_removal($match) { return str_replace($match[1], - preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), @@ -770,7 +774,7 @@ class CI_Security { protected function _js_img_removal($match) { return str_replace($match[1], - preg_replace('#src=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes(str_replace(array('<', '>'), '', $match[1])) ), -- cgit v1.2.3-24-g4f1b From 3b9990c43f0951674b1c8bc1dd05ac0419f1e63c Mon Sep 17 00:00:00 2001 
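Review bot: In the hunk at @@ -490 the alternation that now includes `prompt|confirm` has no leading boundary, so the rewrite also fires inside longer identifiers and ordinary prose such as `reconfirm(x)` or "please confirm (yes/no)"; the pre-existing `file` entry already has this problem (`profile(`), and the two new everyday words make it noticeably more likely on normal text. A leading `\b` restricts it to real call sites and should not weaken the filter, since a name that merely continues a longer identifier is not a call of that function: `'#\b(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si'`. As rendered here the replacement reads `'\\1\\2(\\3)'`, which would be a no-op; presumably the real source encodes the parentheses as character entities and this rendering decoded them, so I have not treated that as a defect. The enclosing method starts and ends outside the hunk.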
From: Andrey Andreev Date: Mon, 10 Feb 2014 09:23:26 +0200 Subject: CI_Security: Expect a backslash as a tag separator --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 93e6a3ba5..062c828a7 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -450,12 +450,12 @@ class CI_Security { if (preg_match('/]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); + $str = preg_replace_callback('#]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); } if (preg_match('/]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str); + $str = preg_replace_callback('#]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str); } if (preg_match('/script|xss/i', $str)) -- cgit v1.2.3-24-g4f1b From f7f9dca050eb439028797a62eb2d4cac89daf5c5 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 10 Feb 2014 12:41:00 +0200 Subject: [ci skip] Fix a typo --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 062c828a7..75c994ae1 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -148,7 +148,7 @@ class CI_Security { 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! 'wscript\s*:', // IE - 'jcript\s*:', // IE + 'jscript\s*:', // IE 'vbs\s*:', // IE 'Redirect\s+30\d', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" -- cgit v1.2.3-24-g4f1b From 29e12641a1bb952f493462db6757ae12c7da1f2c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 10 Feb 2014 13:24:44 +0200 Subject: CI_Security: URL-decode until possible --- system/core/Security.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 75c994ae1..beb7f56e0 100644 
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -359,7 +359,11 @@ class CI_Security {
 *
 * Note: Use rawurldecode() so it does not remove plus signs
 */
- $str = rawurldecode($str);
+ do
+ {
+ $str = rawurldecode($str);
+ }
+ while (preg_match('/%[0-9a-f]{2,}/i', $str));

 /*
 * Convert character entities to ASCII
-- cgit v1.2.3-24-g4f1b
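Review bot: The do/while added around rawurldecode() has no iteration bound and the comment above it still describes a single decode, so the reason the loop must terminate is left for the reader to work out: it ends only because rawurldecode() consumes every `%XX` sequence it finds, which strictly shortens any string the `/%[0-9a-f]{2,}/i` check accepts. Suggest saying so next to the loop, e.g. `// Decode repeatedly so nested encodings (%2541 -> %41 -> A) cannot reach the filters below; each pass consumes every %XX it sees, so the string shrinks and the loop ends.` It is also worth a sentence in the method docblock that a cleaned string no longer preserves legitimate literal escapes such as `%2520`, since callers that round-trip the value may have relied on the previous single decode. The enclosing method starts and ends outside the hunk.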