Fix several vulnerabilities (#13927)
* Escape HTML in the location field of a calendar event post - This allowed script tags to be interpreted in the post display of an event. * Add form security token check to /admin/phpinfo module - This prevents basic XSS attacks against /admin/phpinfo * Add form security token check to /babel module - This prevents basic XSS attacks against /babel * Prevent pass-through for attachments - This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload * Prevent overwriting cid on event edit - This allowed to share an event as any other user after zeroing the cid field of an existing event
This commit is contained in:
Hypolite Petovan
GitHub
parent
fc3898fe64
commit
5c5d7eb04f
|
|
@ -925,9 +925,6 @@ class Event
|
||||||
$end_short = '';
|
$end_short = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
// Format the event location.
|
|
||||||
$location = self::locationToArray($item['event-location']);
|
|
||||||
|
|
||||||
// Construct the profile link (magic-auth).
|
// Construct the profile link (magic-auth).
|
||||||
$author = [
|
$author = [
|
||||||
'uid' => 0,
|
'uid' => 0,
|
||||||
|
|
@ -964,7 +961,7 @@ class Event
|
||||||
'$show_map_label' => DI::l10n()->t('Show map'),
|
'$show_map_label' => DI::l10n()->t('Show map'),
|
||||||
'$hide_map_label' => DI::l10n()->t('Hide map'),
|
'$hide_map_label' => DI::l10n()->t('Hide map'),
|
||||||
'$map_btn_label' => DI::l10n()->t('Show map'),
|
'$map_btn_label' => DI::l10n()->t('Show map'),
|
||||||
'$location' => $location
|
'$location' => self::locationToTemplateVars($item['event-location']),
|
||||||
]);
|
]);
|
||||||
|
|
||||||
return $return;
|
return $return;
|
||||||
|
|
@ -984,7 +981,7 @@ class Event
|
||||||
* 'coordinates' => Latitude and longitude (e.g. '48.864716,2.349014').<br>
|
* 'coordinates' => Latitude and longitude (e.g. '48.864716,2.349014').<br>
|
||||||
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
|
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
|
||||||
*/
|
*/
|
||||||
private static function locationToArray(string $s = ''): array
|
private static function locationToTemplateVars(string $s = ''): array
|
||||||
{
|
{
|
||||||
if ($s == '') {
|
if ($s == '') {
|
||||||
return [];
|
return [];
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,8 @@ class PhpInfo extends BaseAdmin
|
||||||
{
|
{
|
||||||
self::checkAdminAccess();
|
self::checkAdminAccess();
|
||||||
|
|
||||||
|
self::checkFormSecurityTokenForbiddenOnError('phpinfo', 't');
|
||||||
|
|
||||||
phpinfo();
|
phpinfo();
|
||||||
System::exit();
|
System::exit();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -65,11 +65,7 @@ class Attach extends BaseModule
|
||||||
// error in Chrome for filenames with commas in them
|
// error in Chrome for filenames with commas in them
|
||||||
header('Content-type: ' . $item['filetype']);
|
header('Content-type: ' . $item['filetype']);
|
||||||
header('Content-length: ' . $item['filesize']);
|
header('Content-length: ' . $item['filesize']);
|
||||||
if (isset($_GET['attachment']) && $_GET['attachment'] === '0') {
|
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
|
||||||
header('Content-disposition: filename="' . $item['filename'] . '"');
|
|
||||||
} else {
|
|
||||||
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
|
|
||||||
}
|
|
||||||
|
|
||||||
echo $data;
|
echo $data;
|
||||||
System::exit();
|
System::exit();
|
||||||
|
|
|
||||||
|
|
@ -104,7 +104,7 @@ abstract class BaseAdmin extends BaseModule
|
||||||
'logsview' => ['admin/logs/view' , DI::l10n()->t('View Logs') , 'viewlogs'],
|
'logsview' => ['admin/logs/view' , DI::l10n()->t('View Logs') , 'viewlogs'],
|
||||||
]],
|
]],
|
||||||
'diagnostics' => [DI::l10n()->t('Diagnostics'), [
|
'diagnostics' => [DI::l10n()->t('Diagnostics'), [
|
||||||
'phpinfo' => ['admin/phpinfo' , DI::l10n()->t('PHP Info') , 'phpinfo'],
|
'phpinfo' => ['admin/phpinfo?t=' . self::getFormSecurityToken('phpinfo'), DI::l10n()->t('PHP Info') , 'phpinfo'],
|
||||||
'probe' => ['probe' , DI::l10n()->t('probe address') , 'probe'],
|
'probe' => ['probe' , DI::l10n()->t('probe address') , 'probe'],
|
||||||
'webfinger' => ['webfinger' , DI::l10n()->t('check webfinger') , 'webfinger'],
|
'webfinger' => ['webfinger' , DI::l10n()->t('check webfinger') , 'webfinger'],
|
||||||
'babel' => ['babel' , DI::l10n()->t('Babel') , 'babel'],
|
'babel' => ['babel' , DI::l10n()->t('Babel') , 'babel'],
|
||||||
|
|
|
||||||
|
|
@ -142,7 +142,8 @@ class API extends BaseModule
|
||||||
{
|
{
|
||||||
$eventId = !empty($request['event_id']) ? intval($request['event_id']) : 0;
|
$eventId = !empty($request['event_id']) ? intval($request['event_id']) : 0;
|
||||||
$uid = (int)$this->session->getLocalUserId();
|
$uid = (int)$this->session->getLocalUserId();
|
||||||
$cid = !empty($request['cid']) ? intval($request['cid']) : 0;
|
// No overwriting event.cid on edit
|
||||||
|
$cid = !empty($request['cid']) && !$eventId ? intval($request['cid']) : 0;
|
||||||
|
|
||||||
$strStartDateTime = Strings::escapeHtml($request['start_text'] ?? '');
|
$strStartDateTime = Strings::escapeHtml($request['start_text'] ?? '');
|
||||||
$strFinishDateTime = Strings::escapeHtml($request['finish_text'] ?? '');
|
$strFinishDateTime = Strings::escapeHtml($request['finish_text'] ?? '');
|
||||||
|
|
|
||||||
|
|
@ -43,10 +43,11 @@ class Babel extends BaseModule
|
||||||
}
|
}
|
||||||
|
|
||||||
$results = [];
|
$results = [];
|
||||||
if (!empty($_REQUEST['text'])) {
|
if (!empty($request['text'])) {
|
||||||
switch (($_REQUEST['type'] ?? '') ?: 'bbcode') {
|
self::checkFormSecurityTokenForbiddenOnError('babel');
|
||||||
|
switch (($request['type'] ?? '') ?: 'bbcode') {
|
||||||
case 'bbcode':
|
case 'bbcode':
|
||||||
$bbcode = $_REQUEST['text'];
|
$bbcode = $request['text'];
|
||||||
$results[] = [
|
$results[] = [
|
||||||
'title' => DI::l10n()->t('Source input'),
|
'title' => DI::l10n()->t('Source input'),
|
||||||
'content' => visible_whitespace($bbcode)
|
'content' => visible_whitespace($bbcode)
|
||||||
|
|
@ -136,7 +137,7 @@ class Babel extends BaseModule
|
||||||
];
|
];
|
||||||
break;
|
break;
|
||||||
case 'diaspora':
|
case 'diaspora':
|
||||||
$diaspora = trim($_REQUEST['text']);
|
$diaspora = trim($request['text']);
|
||||||
$results[] = [
|
$results[] = [
|
||||||
'title' => DI::l10n()->t('Source input (Diaspora format)'),
|
'title' => DI::l10n()->t('Source input (Diaspora format)'),
|
||||||
'content' => visible_whitespace($diaspora),
|
'content' => visible_whitespace($diaspora),
|
||||||
|
|
@ -144,7 +145,7 @@ class Babel extends BaseModule
|
||||||
|
|
||||||
$markdown = XML::unescape($diaspora);
|
$markdown = XML::unescape($diaspora);
|
||||||
case 'markdown':
|
case 'markdown':
|
||||||
$markdown = $markdown ?? trim($_REQUEST['text']);
|
$markdown = $markdown ?? trim($request['text']);
|
||||||
|
|
||||||
$results[] = [
|
$results[] = [
|
||||||
'title' => DI::l10n()->t('Source input (Markdown)'),
|
'title' => DI::l10n()->t('Source input (Markdown)'),
|
||||||
|
|
@ -169,7 +170,7 @@ class Babel extends BaseModule
|
||||||
];
|
];
|
||||||
break;
|
break;
|
||||||
case 'html' :
|
case 'html' :
|
||||||
$html = trim($_REQUEST['text']);
|
$html = trim($request['text']);
|
||||||
$results[] = [
|
$results[] = [
|
||||||
'title' => DI::l10n()->t('Raw HTML input'),
|
'title' => DI::l10n()->t('Raw HTML input'),
|
||||||
'content' => visible_whitespace($html),
|
'content' => visible_whitespace($html),
|
||||||
|
|
@ -239,7 +240,7 @@ class Babel extends BaseModule
|
||||||
];
|
];
|
||||||
break;
|
break;
|
||||||
case 'twitter':
|
case 'twitter':
|
||||||
$json = trim($_REQUEST['text']);
|
$json = trim($request['text']);
|
||||||
|
|
||||||
if (file_exists('addon/twitter/twitter.php')) {
|
if (file_exists('addon/twitter/twitter.php')) {
|
||||||
require_once 'addon/twitter/twitter.php';
|
require_once 'addon/twitter/twitter.php';
|
||||||
|
|
@ -302,13 +303,14 @@ class Babel extends BaseModule
|
||||||
$tpl = Renderer::getMarkupTemplate('babel.tpl');
|
$tpl = Renderer::getMarkupTemplate('babel.tpl');
|
||||||
$o = Renderer::replaceMacros($tpl, [
|
$o = Renderer::replaceMacros($tpl, [
|
||||||
'$title' => DI::l10n()->t('Babel Diagnostic'),
|
'$title' => DI::l10n()->t('Babel Diagnostic'),
|
||||||
'$text' => ['text', DI::l10n()->t('Source text'), $_REQUEST['text'] ?? '', ''],
|
'$form_security_token' => self::getFormSecurityToken('babel'),
|
||||||
'$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'bbcode'],
|
'$text' => ['text', DI::l10n()->t('Source text'), $request['text'] ?? '', ''],
|
||||||
'$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'diaspora'],
|
'$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($request['type'] ?? '') ?: 'bbcode') == 'bbcode'],
|
||||||
'$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'markdown'],
|
'$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($request['type'] ?? '') ?: 'bbcode') == 'diaspora'],
|
||||||
'$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'html'],
|
'$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($request['type'] ?? '') ?: 'bbcode') == 'markdown'],
|
||||||
|
'$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($request['type'] ?? '') ?: 'bbcode') == 'html'],
|
||||||
'$flag_twitter' => file_exists('addon/twitter/twitter.php'),
|
'$flag_twitter' => file_exists('addon/twitter/twitter.php'),
|
||||||
'$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'twitter'],
|
'$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($request['type'] ?? '') ?: 'bbcode') == 'twitter'],
|
||||||
'$results' => $results,
|
'$results' => $results,
|
||||||
'$submit' => DI::l10n()->t('Submit'),
|
'$submit' => DI::l10n()->t('Submit'),
|
||||||
]);
|
]);
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,7 @@
|
||||||
<div id="babel" class="generic-page-wrapper">
|
<div id="babel" class="generic-page-wrapper">
|
||||||
<h2>{{$title}}</h2>
|
<h2>{{$title}}</h2>
|
||||||
<form action="babel" method="post" class="panel panel-default">
|
<form action="babel" method="post" class="panel panel-default">
|
||||||
|
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
|
||||||
<div class="panel-body">
|
<div class="panel-body">
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
{{include file="field_textarea.tpl" field=$text}}
|
{{include file="field_textarea.tpl" field=$text}}
|
||||||
|
|
@ -30,4 +31,4 @@
|
||||||
{{/foreach}}
|
{{/foreach}}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
</span>
|
</span>
|
||||||
{{if $location.name}}
|
{{if $location.name}}
|
||||||
<span role="presentation" aria-hidden="true"> · </span>
|
<span role="presentation" aria-hidden="true"> · </span>
|
||||||
<span class="event-location event-card-location">{{$location.name nofilter}}</span>
|
<span class="event-location event-card-location">{{$location.name}}</span>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
</div>
|
</div>
|
||||||
<div class="event-card-profile-name profile-entry-name">
|
<div class="event-card-profile-name profile-entry-name">
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user