mirror of
https://github.com/getgrav/grav.git
synced 2026-07-10 17:42:35 +02:00
Deter XSS attacks via URI
This commit is contained in:
@@ -4,6 +4,7 @@
|
||||
1. [](#improved)
|
||||
* Updated `bin/grav clean` command to remove unnecessary vendor files (save some bytes)
|
||||
* Added a `http_status_code` Twig function to allow setting HTTP status codes from Twig directly.
|
||||
* Deter XSS attacks via URI path/uri methods (credit:newbthenewbd)
|
||||
|
||||
# v1.3.4
|
||||
## 09/29/2017
|
||||
|
||||
@@ -117,7 +117,9 @@ class Uri
|
||||
{
|
||||
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
|
||||
|
||||
return rawurldecode($uri);
|
||||
$uri = Uri::cleanUrl($uri);
|
||||
|
||||
return $uri;
|
||||
}
|
||||
|
||||
private function buildScheme()
|
||||
@@ -216,7 +218,7 @@ class Uri
|
||||
$this->name = $uri_bits['host'];
|
||||
$this->port = isset($uri_bits['port']) ? $uri_bits['port'] : '80';
|
||||
|
||||
$this->uri = $uri_bits['path'];
|
||||
$this->uri = Uri::cleanUrl($uri_bits['path']);
|
||||
|
||||
// set active language
|
||||
$uri = $language->setActiveFromUri($this->uri);
|
||||
@@ -1107,4 +1109,15 @@ class Uri
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
public static function cleanUrl($url)
|
||||
{
|
||||
$regex = '/<script\b[^>]*>(.*?)<\/script>/';
|
||||
|
||||
$url = rawurldecode($url);
|
||||
$url = preg_replace($regex, '', $url);
|
||||
$url = filter_var($url, FILTER_SANITIZE_STRING);
|
||||
|
||||
return $url;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -433,5 +433,13 @@ class UriTest extends \Codeception\TestCase\Test
|
||||
$this->assertTrue(is_string($this->uri->param('nonce')));
|
||||
$this->assertSame(Utils::getNonce('test-action'), $this->uri->param('nonce'));
|
||||
}
|
||||
|
||||
public function testXSSViaUri()
|
||||
{
|
||||
$url = 'https://localhost/something/"><script>eval(atob("aGlzdG9yeS5wdXNoU3RhdGUoJycsJycsJy8nKTskKCdoZWFkLGJvZHknKS5odG1sKCcnKS5sb2FkKCcvJyk7JC5wb3N0KCcvYWRtaW4nLGZ1bmN0aW9uKGRhdGEpeyQucG9zdCgkKGRhdGEpLmZpbmQoJ1tpZD1hZG1pbi11c2VyLWRldGFpbHNdIGEnKS5hdHRyKCdocmVmJykseydhZG1pbi1ub25jZSc6JChkYXRhKS5maW5kKCdbZGF0YS1jbGVhci1jYWNoZV0nKS5hdHRyKCdkYXRhLWNsZWFyLWNhY2hlJykuc3BsaXQoJzonKS5wb3AoKS50cmltKCksJ2RhdGFbcGFzc3dvcmRdJzonSW0zdjFsaDR4eDByJywndGFzayc6J3NhdmUnfSl9KQ=="))</script><';
|
||||
|
||||
$this->uri->initializeWithURL($url)->init();
|
||||
$this->assertSame('/something/&', $this->uri->path());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user