flash allowscriptaccess defense

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@10046 201d5d3c-b55e-5fd7-737f-ddc643e51545
2026-04-27 06:13:32 +09:00 · 2012-01-28 05:45:51 +00:00 · 2012-01-28 05:45:51 +00:00 · c69d33e3c2
commit c69d33e3c2
parent bfeb1ac70e
2 changed files with 41 additions and 3 deletions
--- a/modules/document/document.item.php
+++ b/modules/document/document.item.php
@ -259,12 +259,50 @@
 			if($result) $_SESSION['accessible'][$this->document_srl] = true;

            $content = $this->get('content');
+			$content = preg_replace_callback('@[\w\W]*(<[\s]*object[^>]*>)+[\w\W]*(<[\s]*/[\s]*object[\s]*>)+[\w\W]*@ixs', array($this, '_checkAllowScriptAccess'), $content);

            if($strlen) return cut_str(strip_tags($content),$strlen,'...');

            return htmlspecialchars($content);
        }

+		function _checkAllowScriptAccess($m)
+		{
+			//first, object element check.
+			preg_match('/[\w\W]*(name[\s]*=[\s]*(?:\'|")[\s]*allowscriptaccess[\s]*(?:\'|"))+[\s]+(value[\s]*=[\s]*(?:\'|")[\s]*(?:always|samedomain)[\s]*(?:\'|"))*[\w\W]*/ixs', $m[0], $m2);
+
+			if($m2[2])
+			{
+				$m[0] = preg_replace('/'.$m2[2].'/i', 'value="never"', $m[0]);
+			}
+			else
+			{
+				$m[0] = preg_replace('/<object[^>]*>/i', '$0<param name="allowscriptaccess" value="never" />', $m[0]);
+			}
+
+			//second, embed's property check.
+			preg_match('/[\w\W]*(allowscriptaccess[\s]*=[\s]*(?:\'|")[\s]*(?:always|samedomain)[\s]*(?:\'|"))+[\w\W]*/ixs', $m[0], $m3);
+			if($m3[1])
+			{
+				$m[0] = preg_replace('/'.$m3[1].'/i', 'allowscriptaccess="never"', $m[0]);
+			}
+			else
+			{
+				$m[0] = preg_replace('/<embed[\s>]*/i', '$0 allowscriptaccess="never" ', $m[0]);
+			}
+
+			return $m[0];
+		}
+
+		/*function _checkAllowScriptAccess2($m)
+		{
+			if($m[1])
+			{
+				$m[0] = preg_replace('/'.$m[1].'/i', 'value="never"', $m[0]);
+			}
+			return $m[0];
+		}*/
+
        function getContent($add_popup_menu = true, $add_content_info = true, $resource_realpath = false, $add_xe_content_class = true, $stripEmbedTagException = false) {
            if(!$this->document_srl) return;

--- a/modules/document/document.model.php
+++ b/modules/document/document.model.php
@ -153,7 +153,7 @@
         **/
        function getDocumentList($obj, $except_notice = false, $load_extra_vars=true, $columnList = array()) {
            $sort_check = $this->_setSortIndex($obj, $load_extra_vars);
-            $obj->sort_index = $sort_check->sort_index; 
+            $obj->sort_index = $sort_check->sort_index;
        	// cache controll
 			$oCacheHandler = &CacheHandler::getInstance('object');
 			if($oCacheHandler->isSupport()){
@ -909,8 +909,8 @@
            $output = executeQuery('document.getDocumentSrlByTitle', $args);
            if(!$output->data) return null;
            else return $output->data->document_srl;
-        }		
-		
+        }
+
 		function getAlias($document_srl){
 			if(!$document_srl) return null;
 			$args->document_srl = $document_srl;