From c1eab055bcab640cfa75b7955e0db6dd08aa591f Mon Sep 17 00:00:00 2001
From: bnu
Date: Tue, 8 Dec 2015 15:11:55 +0900
Subject: [PATCH 1/2] =?UTF-8?q?fix=20#1813=20=EB=A0=88=EC=9D=B4=EC=95=84?= =?UTF-8?q?=EC=9B=83=20=EB=AF=B8=EB=A6=AC=EB=B3=B4=EA=B8=B0=20=EB=8F=99?= =?UTF-8?q?=EC=9E=91=EC=97=90=20CSRF/XSS=20=EB=B0=A9=EC=96=B4=20=EB=B0=8F?= =?UTF-8?q?=20embed=20URL=EC=97=90=20'act'=20parameter=20=EC=82=AC?= =?UTF-8?q?=EC=9A=A9=20=EC=A0=9C=ED=95=9C=20-=20`layoutView::dispLayoutPre?= =?UTF-8?q?view()`=EC=97=90=20XSS/CSRF=20=EB=B0=A9=EC=96=B4=20-=20src,=20h?= =?UTF-8?q?ref,=20style=20=EB=93=B1=20HTML=20attribute=EC=97=90=20'act'?= =?UTF-8?q?=EB=A5=BC=20=ED=8F=AC=ED=95=A8=ED=95=98=EB=8A=94=20URL=EC=9D=84?= =?UTF-8?q?=20=EC=82=AC=EC=9A=A9=ED=95=A0=20=EC=88=98=20=EC=97=86=EB=8F=84?= =?UTF-8?q?=EB=A1=9D=20=EC=A0=9C=ED=95=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config/func.inc.php | 18 +++++++++++
 modules/layout/layout.view.php | 6 ++++
 tests/unit/FuncIncTest.class.php | 53 --------------------------------
 tests/unit/FuncIncTest.php | 19 +++++++++++-
 4 files changed, 42 insertions(+), 54 deletions(-)
 delete mode 100644 tests/unit/FuncIncTest.class.php
diff --git a/config/func.inc.php b/config/func.inc.php
index 06434d2c5..2477458f5 100644
--- a/config/func.inc.php
+++ b/config/func.inc.php
@@ -1212,6 +1212,24 @@ function removeSrcHack($match)
 }
 }
 
+ $filter_arrts = array('style', 'src', 'href');
+
+ if($tag === 'object') array_push($filter_arrts, 'data');
+ if($tag === 'param') array_push($filter_arrts, 'value');
+
+ foreach($filter_arrts as $attr)
+ {
+ if(!isset($attrs[$attr])) continue;
+
+ $attr_value = rawurldecode($attrs[$attr]);
+ $attr_value = htmlspecialchars_decode($attr_value, ENT_COMPAT);
+ $attr_value = preg_replace('/\s+|[\t\n\r]+/', '', $attr_value);
+ if(preg_match('@(\?|&|;)(act=)@i', $attr_value))
+ {
+ unset($attrs[$attr]);
+ }
+ }
+
 if(isset($attrs['style']) && preg_match('@(?:/\*|\*/|\n|:\s*expression\s*\()@i', $attrs['style']))
 {
 unset($attrs['style']);
diff --git a/modules/layout/layout.view.php b/modules/layout/layout.view.php
index 178f37a65..50b134560 100644
--- a/modules/layout/layout.view.php
+++ b/modules/layout/layout.view.php
@@ -316,6 +316,12 @@ class layoutView extends layout
 */
 function dispLayoutPreview()
 {
+ if(!checkCSRF())
+ {
+ $this->stop('msg_invalid_request');
+ return new Object(-1, 'msg_invalid_request');
+ }
+
 // admin check
 // this act is admin view but in normal view because do not load admin css/js files
 $logged_info = Context::get('logged_info');
diff --git a/tests/unit/FuncIncTest.class.php b/tests/unit/FuncIncTest.class.php
deleted file mode 100644
index 265e6b072..000000000
--- a/tests/unit/FuncIncTest.class.php
+++ /dev/null
@@ -1,53 +0,0 @@
-
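Review bot: A numeric character reference for the separator slips past the new `act=` filter: `htmlspecialchars_decode` with ENT_COMPAT folds only `&amp;`, `&lt;`, `&gt;` and `&quot;`, so an attribute such as `href="?mid=x&#38;act=…"` (or `&#x26;act=`) still fails the `(\?|&|;)(act=)` match while the browser resolves it to `&act=` when following the URL; unless an earlier pass has already normalized numeric references, `html_entity_decode($attr_value, ENT_QUOTES)` — or decoding until the value stops changing — closes that gap. The `[\t\n\r]+` alternation in the whitespace-stripping regex is redundant, since `\s` already matches those characters. `$filter_arrts` reads like a typo for `$filter_attrs`, and `$filter_attrs[] = 'data';` is the idiomatic form of a one-element `array_push`. The head of `removeSrcHack`, where `$tag` and `$attrs` are presumably derived from `$match`, is outside the hunk.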
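Review bot: The guard carries no comment saying why a display-only act needs `checkCSRF()`, which invites a later cleanup to drop it; above `if(!checkCSRF())` I would add `// The preview renders caller-supplied layout markup under an admin session, so it must only be reachable from a same-origin request (issue #1813): a crafted link or embed must not be able to drive it.` The body also signals the failure twice, `$this->stop('msg_invalid_request')` followed by `return new Object(-1, 'msg_invalid_request')`; if `stop()` already records the error state on the module object, the explicit Object is redundant — confirm against ModuleObject::stop() before simplifying. If `checkCSRF()` decides on the Referer header, the comment should also note that requests arriving without one (privacy proxies, some embeds) land on msg_invalid_request here. The remainder of dispLayoutPreview, including the admin check that follows, continues outside the hunk.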

IFrame

', - '
<iframe src="path/to/file.html"></iframe>

IFrame

' - ), - // expression - array( - '
', - '
' - ), - // no quotes and no semicolon - http://ha.ckers.org/xss.html - array( - '', - '' - ), - // embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html - array( - '', - '' - ), - // issue 178 - array( - "", - '' - ), - // issue 534 - array( - '*/" onerror="console.log(\'Yet another XSS\')">', - '*/" onerror="console.log(\'Yet another XSS\')">' - ), - // issue 602 - array( - 'test', - 'test' - ) - ); - } - - /** - * @dataProvider provider - */ - public function testXss($source, $expected) - { - $result = removeHackTag($source); - $this->assertEquals($result, $expected); - } -} diff --git a/tests/unit/FuncIncTest.php b/tests/unit/FuncIncTest.php index bb7e86fa7..de22cbd30 100644 --- a/tests/unit/FuncIncTest.php +++ b/tests/unit/FuncIncTest.php @@ -29,7 +29,7 @@ class FuncIncTest extends \Codeception\TestCase\Test ), // issue 178 array( - "", + '', 'invalid.jpg' ), // issue 534 @@ -41,6 +41,23 @@ class FuncIncTest extends \Codeception\TestCase\Test array( 'test', '' + ), + // issue #1813 https://github.com/xpressengine/xe-core/issues/1813 + array( + 'dummy', + 'dummy' + ), + array( + 'dummy', + 'dummy' + ), + array( + "\"dummy\"", + 'dummy' + ), + array( + "\"dummy\"", + 'dummy' ) ); } From 77da93a6eff2aae4f47264ecdabea25afe6944df Mon Sep 17 00:00:00 2001 From: bnu Date: Tue, 8 Dec 2015 17:24:56 +0900 Subject: [PATCH 2/2] version 1.8.15 --- config/config.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.inc.php b/config/config.inc.php index 189964f13..775cd5b26 100644 --- a/config/config.inc.php +++ b/config/config.inc.php @@ -29,7 +29,7 @@ define('__ZBXE__', __XE__); /** * Display XE's full version. */ -define('__XE_VERSION__', '1.8.14'); +define('__XE_VERSION__', '1.8.15'); define('__XE_VERSION_ALPHA__', (stripos(__XE_VERSION__, 'alpha') !== false)); define('__XE_VERSION_BETA__', (stripos(__XE_VERSION__, 'beta') !== false)); define('__XE_VERSION_RC__', (stripos(__XE_VERSION__, 'rc') !== false));