fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-08 19:21:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

fix #1227 SECISSUE

Browse source 
- XXE 취약점 문제 해결
- Drupal의 소스코드를 참고하여 `Security::detectingXEE()` 추가
  - 90e884ad0f
- blogapi 애드온 및 `Context::_setXmlRpcArgument()`에서 취약점 방어
- 제보 : 한국인터넷진흥원
This commit is contained in:
bnu 2015-02-04 13:49:21 +09:00
parent 14ffdbe5f0
commit a33a4b3081
3 changed files with 68 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
addons/blogapi/blogapi.addon.php
View file

@ -30,8 +30,10 @@ if($_REQUEST['act'] != 'api')
// Read func file // Read func file
require_once(_XE_PATH_ . 'addons/blogapi/blogapi.func.php'); require_once(_XE_PATH_ . 'addons/blogapi/blogapi.func.php');
$xml = $GLOBALS['HTTP_RAW_POST_DATA'];
// If HTTP_RAW_POST_DATA is NULL, Print error message // If HTTP_RAW_POST_DATA is NULL, Print error message
if(!$GLOBALS['HTTP_RAW_POST_DATA']) if(!$xml)
{ {
$content = getXmlRpcFailure(1, 'Invalid Method Call'); $content = getXmlRpcFailure(1, 'Invalid Method Call');
printContent($content); printContent($content);
@ -39,7 +41,14 @@ if(!$GLOBALS['HTTP_RAW_POST_DATA'])
// xmlprc parsing // xmlprc parsing
// Parse the requested xmlrpc // Parse the requested xmlrpc
$xml = new SimpleXMLElement($GLOBALS['HTTP_RAW_POST_DATA']); if(Security::detectingXEE($xml))
{
header("HTTP/1.0 400 Bad Request");
exit;
}
if(version_compare(PHP_VERSION, '5.2.11', '<=')) libxml_disable_entity_loader(true);
$xml = new SimpleXMLElement($xml, LIBXML_NONET | LIBXML_NOENT);
$method_name = (string)$xml->methodName; $method_name = (string)$xml->methodName;
$params = $xml->params->param; $params = $xml->params->param;

9
classes/context/Context.class.php
View file

@ -1240,8 +1240,15 @@ class Context
return; return;
} }
$xml = $GLOBALS['HTTP_RAW_POST_DATA'];
if(Security::detectingXEE($xml))
{
header("HTTP/1.0 400 Bad Request");
exit;
}
$oXml = new XmlParser(); $oXml = new XmlParser();
$xml_obj = $oXml->parse(); $xml_obj = $oXml->parse($xml);
$params = $xml_obj->methodcall->params; $params = $xml_obj->methodcall->params;
unset($params->node_name, $params->attrs, $params->body); unset($params->node_name, $params->attrs, $params->body);

49
classes/security/Security.class.php
View file

@ -175,6 +175,55 @@ class Security
return $var; return $var;
} }
/**
* @brief check XML External Entity
*
* @see from drupal. https://github.com/drupal/drupal/commit/90e884ad0f7f2cf269d953f7d70966de9fd821ff
*
* @param string $xml
* @return bool
*/
static function detectingXEE($xml)
{
if(!$xml) return FALSE;
if(strpos($xml, '<!ENTITY') !== FALSE)
{
return TRUE;
}
// Strip XML declaration.
$header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xml, 0, 100), 1);
$xml = trim(substr_replace($xml, $header, 0, 100));
if($xml == '')
{
return TRUE;
}
// Strip DTD.
$header = preg_replace('/^<!DOCTYPE[^>]*+>/i', '', substr($xml, 0, 200), 1);
$xml = trim(substr_replace($xml, $header, 0, 200));
if($xml == '')
{
return TRUE;
}
// Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n]
$root_tag = substr($xml, 0, strcspn(substr($xml, 0, 20), "> \t\r\n"));
// Reject a second DTD.
if(strtoupper($root_tag) == '<!DOCTYPE')
{
return TRUE;
}
if(!in_array($root_tag, array('<methodCall', '<methodResponse', '<fault')))
{
return TRUE;
}
return FALSE;
}
} }
/* End of file : Security.class.php */ /* End of file : Security.class.php */
/* Location: ./classes/security/Security.class.php */ /* Location: ./classes/security/Security.class.php */