From 77ccce60089655673a61c67374c14e0c7748c3a5 Mon Sep 17 00:00:00 2001 From: ngleader Date: Thu, 16 Dec 2010 01:50:39 +0000 Subject: [PATCH] =?UTF-8?q?#19334739=20xss/csrf/xmp=20tag=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EB=B3=B4=EC=95=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit git-svn-id: http://xe-core.googlecode.com/svn/sandbox@7977 201d5d3c-b55e-5fd7-737f-ddc643e51545 --- config/func.inc.php | 41 +++++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/config/func.inc.php b/config/func.inc.php index 1c0f86e64..5b56ad051 100644 --- a/config/func.inc.php +++ b/config/func.inc.php @@ -628,14 +628,32 @@ * 이미지나 동영상등의 태그에서 src에 관리자 세션을 악용하는 코드를 제거 * - 취약점 제보 : 김상원님 **/ - $content = preg_replace_callback("!<([a-z]+)(.*?)>!is", removeSrcHack, $content); + $content = preg_replace_callback("!<(/?)([a-z]+)(.*?)>!is", removeSrcHack, $content); + + // xmp tag 확인 및 추가 + $content = checkXmpTag($content); return $content; } + /** + * @brief xmp tag 확인 및 닫히지 않은 경우 추가 + **/ + function checkXmpTag($content) { + if(($start_xmp = strrpos($content, '')) !==false) { + if(($close_xmp = strrpos($content, '')) === false) $content .= ''; + else if($close_xmp < $start_xmp) $content .= ''; + } + + return $content; + } function removeSrcHack($matches) { - $tag = strtolower(trim($matches[1])); + $tag = strtolower(trim($matches[2])); + + // xmp tag 정리 + if($tag=='xmp') return '<'.$matches[1].'xmp>'; + if($matches[1]=='/') return $matches[0]; //$buff = trim(preg_replace('/(\/>|>)/','/>',$matches[0])); $buff = $matches[0]; @@ -647,13 +665,13 @@ if(!$xml_doc) return sprintf("<%s>", $tag); // src값에 module=admin이라는 값이 입력되어 있으면 이 값을 무효화 시킴 - $src = $xml_doc->{$tag}->attrs->src; - $dynsrc = $xml_doc->{$tag}->attrs->dynsrc; - $lowsrc = $xml_doc->{$tag}->attrs->lowsrc; - $href = $xml_doc->{$tag}->attrs->href; - $data = $xml_doc->{$tag}->attrs->data; - $background = $xml_doc->{$tag}->attrs->background; - $style = $xml_doc->{$tag}->attrs->style; + $src = $xml_doc->attrs->src; + $dynsrc = $xml_doc->attrs->dynsrc; + $lowsrc = $xml_doc->attrs->lowsrc; + $href = $xml_doc->attrs->href; + $data = $xml_doc->attrs->data; + $background = $xml_doc->attrs->background; + $style = $xml_doc->attrs->style; if($style) { $url = preg_match_all('/url\s*\(([^\)]+)\)/is', $style, $matches2); if(count($matches2[0])) @@ -666,6 +684,9 @@ } if(_isHackedSrc($src) || _isHackedSrc($dynsrc) || _isHackedSrc($lowsrc) || _isHackedSrc($href) || _isHackedSrc($data) || _isHackedSrc($background) || _isHackedSrcExp($style)) return sprintf("<%s>",$tag); + if($tag=='param' && $xml_doc->attrs->value && preg_match('/^javascript:/i',$xml_doc->attrs->value)) return sprintf("<%s>",$tag); + if($tag=='object' && $xml_doc->attrs->data && preg_match('/^javascript:/i',$xml_doc->attrs->data)) return sprintf("<%s>",$tag); + return $buff; } @@ -722,7 +743,7 @@ // attribute on* remove if(preg_match('/^on(click|load|unload|blur|dbclick|focus|resize|keypress|keyup|keydown|mouseover|mouseout|mouseup|select|change|error)/',preg_replace('/[^a-zA-Z_]/','',$key))) return ''; - + $output = sprintf('%s=%s', $key, $val); return $output;