From 160c7d16c4e0c92c030c0a41d1223f916a82089d Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 3 Dec 2012 21:18:20 +0200 Subject: Added small improvement to the _remove_evil_attributes function Signed-off-by: brian978 --- system/core/Security.php | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index c415544b6..4f2185db5 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -642,17 +642,16 @@ class CI_Security { $count = 0; $attribs = array(); - // find occurrences of illegal attribute strings without quotes - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); + // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { - $attribs[] = preg_quote($attr[0], '/'); } - // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + // find occurrences of illegal attribute strings without quotes + preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -662,7 +661,7 @@ class CI_Security { // replace illegal attribute strings that are inside an html tag if (count($attribs) > 0) { - $str = preg_replace('/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><])([><]*)/i', '<$1 $3$5$6$7', $str, -1, $count); + $str = preg_replace('/(<]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count); } } while ($count); -- cgit v1.2.3-24-g4f1b From f50fc73cf63136b720c2bd247175f236d5b27eaa Mon Sep 17 00:00:00 2001 From: brian978 Date: Sat, 8 Dec 2012 23:22:26 +0200 Subject: All the HEX code must be replaced or else some XSS attacks can be successful --- system/core/Security.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 4f2185db5..220188edc 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -526,9 +526,17 @@ class CI_Security { $charset = config_item('charset'); } - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); - return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); + do + { + $matches = $matches1 = 0; + + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); + $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); + } + while($matches || $matches1); + + return $str; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 0a83fcc748ef29e644bf9e8cac4d7dd9a7408d5f Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 10 Dec 2012 13:05:06 +0200 Subject: Fixed bug with regexp that matched tags --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 220188edc..635f9ff31 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); -- cgit v1.2.3-24-g4f1b From 6caeaada6e4a1acc88c230e47f36ebcf8f0182ac Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 10 Dec 2012 15:58:49 +0200 Subject: Removed boundary from regexp --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 635f9ff31..c179c46ff 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*?=.*?>/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); -- cgit v1.2.3-24-g4f1b From 07ccbe59cf9d78d944551f810a14064e979840a3 Mon Sep 17 00:00:00 2001 From: brian978 Date: Tue, 11 Dec 2012 20:24:12 +0200 Subject: Modified regexp to match partial tags --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index c179c46ff..70e9e973c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?=.*?>/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); @@ -529,7 +529,7 @@ class CI_Security { do { $matches = $matches1 = 0; - + $str = html_entity_decode($str, ENT_COMPAT, $charset); $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); -- cgit v1.2.3-24-g4f1b From 638a9d243065733f862761eed0fa5829409b571a Mon Sep 17 00:00:00 2001 From: brian978 Date: Tue, 18 Dec 2012 13:25:54 +0200 Subject: Replaced spaces with tabs for indentation and || with OR --- system/core/Security.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 8c70e85de..5ae8e653c 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -526,17 +526,17 @@ class CI_Security { $charset = config_item('charset'); } - do - { - $matches = $matches1 = 0; + do + { + $matches = $matches1 = 0; - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); - $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); - } - while($matches || $matches1); + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); + $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); + } + while($matches OR $matches1); - return $str; + return $str; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b