Changeset 981
- Timestamp:
- 12/21/06 21:57:21 (2 years ago)
- Files:
-
- branches/mt3.34/lib/MT/App/Comments.pm (modified) (5 diffs)
- branches/mt3.34/lib/MT/App/Trackback.pm (modified) (3 diffs)
- branches/mt3.34/lib/MT/Sanitize.pm (modified) (4 diffs)
- branches/mt3.34/php/lib/sanitize_lib.php (modified) (1 diff)
- branches/mt3.34/t/11-sanitize.t (modified) (1 diff)
branches/mt3.34/lib/MT/App/Comments.pm
r978 r981 170 170 $ipban->ip($user_ip); 171 171 $ipban->save(); 172 $ipban->commit();173 172 $app->log({ 174 173 message => $app->translate("IP [_1] banned because comment rate exceeded 8 comments in [_2] seconds.", $user_ip, 10 * $throttle_period ), … … 528 527 #$comment->visible(0); # leave as undefined 529 528 $comment->is_junk(0); 529 530 # strip of any null characters (done after junk checks so they can 531 # monitor for that kind of activity) 532 for my $field (qw(author email url text)) { 533 my $val = $comment->column($field); 534 if ($val =~ m/\x00/) { 535 $val =~ tr/\x00//d; 536 $comment->column($field, $val); 537 } 538 } 530 539 531 540 return ($comment, $commenter); … … 1136 1145 are documented here. 1137 1146 1147 =head1 METHODS 1148 1149 =head2 $app->init 1150 1151 Initializes the application and defines the serviceable modes. 1152 1153 =head2 $app->init_request 1154 1155 Initializes the application to service the request. 1156 1157 =head2 $app->do_preview($cgi[, $err]) 1158 1159 Handles the comment preview request and displays the preview using 1160 the Comment Preview blog template. If C<$err> is specified, the 1161 error message is relayed to the user using the Comment Error blog 1162 template. 1163 1164 =head2 $app->blog 1165 1166 Returns the L<MT::Blog> object related to the entry being commented on. 1167 1168 =head2 $app->eval_comment 1169 1170 Evaluates the comment being posted in a variety of ways and an L<MT::Comment> 1171 object is returned. If the comment request is rejected due to throttling, 1172 no object is returned and the Comment Pending blog template is displayed. 1173 1174 =head2 $app->handle_error 1175 1176 Returns an error message to the user using the Comment Error blog template. 1177 1178 =head1 APPLICATION MODES 1179 1180 =head2 $app->commenter_name_js 1181 1182 Returns some JavaScript code that sets the 'commenter_name' variable 1183 based on the 'tk_commenter' cookie that is accessible to the comments 1184 CGI script. 
1185 1186 =head2 $app->do_red 1187 1188 Handles a commenter URL redirect, where the comment_id points to a 1189 L<MT::Comment> object with a URL. The response redirects the user to 1190 that URL. The comment must be approved and published. 1191 1192 Note: This behavior has been deprecated in favor of using the 'nofollow' 1193 plugin. 1194 1195 =head2 $app->handle_sign_in 1196 1197 Handles the sign-in process for a TypeKey-compatible sign-in request. 1198 1199 =head2 $app->post 1200 1201 Mode that handles posting of a new comment. 1202 1203 =head2 $app->preview 1204 1205 Mode for previewing a comment before posting. 1206 1207 =head2 $app->view 1208 1209 Mode for displaying a dynamic view of comments for a particular entry. 1210 1138 1211 =head1 CALLBACKS 1139 1212 … … 1148 1221 signature: 1149 1222 1150 sub comment_throttle_filter($ eh, $app, $entry)1223 sub comment_throttle_filter($cb, $app, $entry) 1151 1224 { 1152 1225 ... … … 1170 1243 be saved. The callback has the following signature: 1171 1244 1172 sub comment_filter($ eh, $app, $comment)1245 sub comment_filter($cb, $app, $comment) 1173 1246 { 1174 1247 ... 1175 1248 } 1176 1249 1250 =head1 SPAM PROTECTION 1251 1252 Spam filtering (or "Junk" filtering in MT terminology) is handled using 1253 the L<MT::JunkFilter> package and plugins that implement them. Please 1254 refer to that module for further documentation. 1255 1256 =head1 AUTHOR & COPYRIGHT 1257 1258 Please see the I<MT> manpage for author, copyright, and license information. 1259 1177 1260 =back branches/mt3.34/lib/MT/App/Trackback.pm
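Review bot: In the NUL-stripping loop added right after `$comment->is_junk(0);`, `my $val = $comment->column($field);` is run straight into `if ($val =~ m/\x00/)` with no defined check, so for a commenter who left url or email blank (where column() can return undef) every post will emit an "uninitialized value in pattern match" warning under warnings; add `next unless defined $val;` before the match. The block comment also has a typo and should read `# strip off any NUL characters (done after the junk checks so filters can still observe them)`. The POD further down describes `$app->do_red` as a redirect to a comment's URL that is deprecated in favour of the nofollow plugin; the "must be approved and published" guarantee stated there is not verifiable from this hunk and should be checked against the do_red code. The enclosing eval_comment body starts before this hunk.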
r600 r981 276 276 $ping->title(defined $title && $title ne '' ? $title : $url); 277 277 $ping->blog_name($blog_name); 278 279 # strip of any null characters (done after junk checks so they can 280 # monitor for that kind of activity) 281 for my $field (qw(title excerpt url blog_name)) { 282 my $val = $ping->column($field); 283 if ($val =~ m/\x00/) { 284 $val =~ tr/\x00//d; 285 $ping->column($field, $val); 286 } 287 } 288 278 289 if (!MT->run_callbacks('TBPingFilter', $app, $ping)) { 279 290 return $app->_response(Error => "", Code => 403); … … 386 397 } 387 398 my %head = ( To => $author->email, 388 From => $app->config('EmailAddressMain') || $author->email, 399 From => $app->config('EmailAddressMain') || $author->emai 400 l, 389 401 Subject => '[' . $blog->name . '] ' . $subj ); 390 402 my $base; … … 476 488 477 489 1; 490 __END__ 491 492 =head1 NAME 493 494 MT::App::Trackback 495 496 =head1 METHODS 497 498 =head2 init 499 500 Call L<MT::App/init>, register the C<ping>, C<view> and C<rss> 501 callbacks and set the application default_mode to C<ping>. 502 503 =head2 view 504 505 Build the trackback page for viewing. 506 507 =head2 rss 508 509 Generate and return RSS text for the trackback. 510 511 =head2 blog 512 513 Return the blog of the trackback. 514 515 =head2 no_utf8 516 517 This function removes UTF-8 from scalars. 518 519 =head1 AUTHOR & COPYRIGHT 520 521 Please see L<MT/AUTHOR & COPYRIGHT>. 522 523 =cut branches/mt3.34/lib/MT/Sanitize.pm
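Review bot: The NUL-stripping block inserted before `MT->run_callbacks('TBPingFilter', $app, $ping)` has the same unguarded `my $val = $ping->column($field);` match as Comments.pm, so an undefined excerpt or blog_name will warn under warnings; add `next unless defined $val;` before the `m/\x00/` test. The block's own comment says the stripping is "done after junk checks so they can monitor for that kind of activity", but here it runs before the TBPingFilter callback, so if spam plugins hook that callback they presumably only ever see the cleaned values; either move the loop after the callback, as the comment claims, or reword the comment to say the callback sees stripped data. The surrounding ping handler starts and ends outside this hunk.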
r691 r981 47 47 my $class = shift; 48 48 my($s, $arg) = @_; 49 $s = '' unless defined $s; 50 $s =~ tr/\x00//d; 49 51 $arg = '1' unless defined $arg; 50 52 return $s if $arg eq '0'; … … 101 103 if ($inside) { 102 104 my @attrs; 103 while ($inside =~ m/([:\w]+)\s*=\s*(['"])(.*?)\2/gs) { #"'105 while ($inside =~ m/([:\w]+)\s*=\s*(['"])(.*?)\2/gs) { 104 106 my ($attr, $q, $val) = (lc($1), $2, $3); 105 107 if ($ok_tags->{'*'}{$attr} || … … 155 157 } 156 158 if (defined $last_pos && ($last_pos < length($s))) { 157 $out .= substr($s, $last_pos); 158 } 159 for my $tag (@open_tags) { 160 $out .= '</' . $tag . '>'; 159 if (substr($s, $last_pos) !~ m/</) { 160 $out .= substr($s, $last_pos); 161 } 162 } 163 if (@open_tags) { 164 $out .= _expel_up_to(\@open_tags, \%open_tags, ''); 161 165 } 162 166 $out; … … 194 198 ## $str is now <a href="foo.html">foolink</a> 195 199 200 =head1 METHODS 201 202 =head2 parse_spec($tags) 203 204 Return a hash reference of allowed tags and their attributes. 205 206 =head2 sanitize($text, [0|1|\%args]) 207 208 "Sanitize" the I<text> with the rules defined in I<args> (or by the 209 C<parse_spec> method if rules are not provided). 210 211 =head1 AUTHOR & COPYRIGHT 212 213 Please see L<MT/AUTHOR & COPYRIGHT>. 214 196 215 =cut 216 217 =cut branches/mt3.34/php/lib/sanitize_lib.php
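Review bot: The new tail handling `if (substr($s, $last_pos) !~ m/</) { $out .= substr($s, $last_pos); }` silently discards everything after the last parsed token whenever that text contains a bare `<`, so a comment ending in `x < y` loses its ending instead of being escaped; emitting the tail with the bracket encoded, `my $tail = substr($s, $last_pos); $tail =~ s/</&lt;/g; $out .= $tail;`, keeps the content without reopening a tag. The `$s =~ tr/\x00//d;` added at the top of sanitize() removes only literal NUL bytes; an entity-encoded NUL (`&#0;`) inside an attribute value is untouched by this line, so whether the href check still rejects it depends on code outside this hunk and deserves a test. The POD also now ends with two consecutive `=cut` commands; the second is redundant and podchecker may flag it. The sanitize body starts before this hunk and `_expel_up_to` is defined outside it.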
r695 r981 6 6 $ok_tags = $arg['ok']; 7 7 $tag_attr = $arg['tag_attr']; 8 8 $s = preg_replace('/\x00/', '', $s); 9 9 $closings = array('<'.'?' => '?'.'>', '<!--' => '-->', '<%' => '%>'); 10 10 $tokens = preg_split('/(<(?:!--|%|\?)|<\/\w*|<\w*|(?:-->|%>|\?'.'>|>))/', $s, -1, PREG_SPLIT_DELIM_CAPTURE); branches/mt3.34/t/11-sanitize.t
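Review bot: `$s = preg_replace('/\x00/', '', $s);` pulls the regex engine in for a single-byte deletion and, unlike the Perl side's `$s = '' unless defined $s;`, does not guard a null `$s`; `$s = str_replace("\0", '', (string) $s);` does the same job without PCRE and without preg_replace's null-on-error return, which would otherwise turn the input into an empty string silently. The enclosing sanitize function starts before this hunk and continues after it.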
r2 r981 1 #!/usr/bin/perl -w 1 #!/usr/bin/perl 2 # $Id$ 2 3 use strict; 4 use warnings; 5 6 use Test::More tests => 53; 3 7 4 8 use MT; 5 9 use MT::Sanitize; 6 use Test;7 8 BEGIN { plan tests => 44 }9 10 10 11 my($atts, $str); 11 12 12 13 $atts = MT::Sanitize->parse_spec('a href'); 13 ok($atts->{ok}); 14 ok($atts->{ok}{a}); 15 ok($atts->{ok}{a}{href}); 14 isa_ok($atts, 'HASH'); 15 ok($atts->{ok}, '{ok}'); 16 ok($atts->{ok}{a}, '{ok}{a}'); 17 ok($atts->{ok}{a}{href}, '{ok}{a}{href}'); 16 18 17 19 $atts = MT::Sanitize->parse_spec('a href,b'); 18 ok($atts->{ok}); 19 ok($atts->{ok}{a}); 20 ok($atts->{ok}{a}{href}); 21 ok($atts->{ok}{b}); 20 isa_ok($atts, 'HASH'); 21 ok($atts->{ok}, '{ok}'); 22 ok($atts->{ok}{a}, '{ok}{a}'); 23 ok($atts->{ok}{a}{href}, '{ok}{a}{href}'); 24 ok($atts->{ok}{b}, '{ok}{b}'); 22 25 23 26 $atts = MT::Sanitize->parse_spec('br/'); 24 ok($atts->{ok}); 25 ok($atts->{ok}{br}); 26 ok($atts->{tag_attr}{br}, '/'); 27 isa_ok($atts, 'HASH'); 28 ok($atts->{ok}, '{ok}'); 29 ok($atts->{ok}{br}, '{ok}{br}'); 30 is($atts->{tag_attr}{br}, '/', '{tag_attr}{br}=/'); 27 31 28 32 $atts = MT::Sanitize->parse_spec('img/ src'); 29 ok($atts->{ok}); 30 ok($atts->{ok}{img}); 31 ok($atts->{ok}{img}{src}); 32 ok($atts->{tag_attr}{img}, '/'); 33 isa_ok($atts, 'HASH'); 34 ok($atts->{ok}, '{ok}'); 35 ok($atts->{ok}{img}, '{ok}{img}'); 36 ok($atts->{ok}{img}{src}, '{ok}{img}{src}'); 37 is($atts->{tag_attr}{img}, '/', '{tag_attr}{img}=/'); 33 38 34 39 $atts = MT::Sanitize->parse_spec('* align'); 35 ok($atts->{ok}); 36 ok($atts->{ok}{'*'}); 37 ok($atts->{ok}{'*'}{align}); 40 isa_ok($atts, 'HASH'); 41 ok($atts->{ok}, '{ok}'); 42 ok($atts->{ok}{'*'}, "{ok}{'*'}"); 43 ok($atts->{ok}{'*'}{align}, "{ok}{'*'}{align}"); 38 44 39 45 $atts = MT::Sanitize->parse_spec('p,* align'); 40 ok($atts->{ok}); 41 ok($atts->{ok}{'*'}); 42 ok($atts->{ok}{'*'}{align}); 43 ok($atts->{ok}{p}); 46 isa_ok($atts, 'HASH'); 47 ok($atts->{ok}, '{ok}'); 48 ok($atts->{ok}{'*'}, "{ok}{'*'}"); 49 
ok($atts->{ok}{'*'}{align}, "{ok}{'*'}{align}"); 50 ok($atts->{ok}{p}, '{ok}{p}'); 44 51 45 ok(!MT::Sanitize->sanitize('<?php readfile("/etc/passwd") ?>'));52 is(MT::Sanitize->sanitize('<?php readfile("/etc/passwd") ?>'), '', 'php passwd'); 46 53 47 ok(!MT::Sanitize->sanitize('<? readfile("/etc/passwd") ?>'));54 is(MT::Sanitize->sanitize('<? readfile("/etc/passwd") ?>'), '', 'passwd'); 48 55 49 ok(MT::Sanitize->sanitize('passwords! <? readfile("/etc/passwd") ?>'), 'passwords! ');56 is(MT::Sanitize->sanitize('passwords! <? readfile("/etc/passwd") ?>'), 'passwords! ', 'passwords! '); 50 57 51 ok(!MT::Sanitize->sanitize('<? start some evil PHP'));58 is(MT::Sanitize->sanitize('<? start some evil PHP'), '', 'evil PHP'); 52 59 53 ok(!MT::Sanitize->sanitize('<% some ASP code %>'));60 is(MT::Sanitize->sanitize('<% some ASP code %>'), '', 'ASP code'); 54 61 55 ok(!MT::Sanitize->sanitize('<!--#exec cgi="/some/bad.cgi"-->'));62 is(MT::Sanitize->sanitize('<!--#exec cgi="/some/bad.cgi"-->'), '', 'exec cgi'); 56 63 57 ok(!MT::Sanitize->sanitize('<script src="evil.js">'));64 is(MT::Sanitize->sanitize('<script src="evil.js">'), '', 'evil.js'); 58 65 59 ok(MT::Sanitize->sanitize('foo'), 'foo');66 is(MT::Sanitize->sanitize('foo'), 'foo', 'foo'); 60 67 61 ok(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>'), 'kittens');68 is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>'), 'kittens', 'kittens'); 62 69 63 ok(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => {} } }), '<a>kittens</a>');70 is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => {} } }), '<a>kittens</a>', '<a>kittens</a>'); 64 71 65 ok(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => { href => 1 } } }), '<a href="foo.html">kittens</a>');72 is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => 
{ href => 1 } } }), '<a href="foo.html">kittens</a>', '<a href="foo.html">kittens</a>'); 66 73 67 ok(MT::Sanitize->sanitize('<code>code</code>'), 'code');74 is(MT::Sanitize->sanitize('<code>code</code>'), 'code', 'code'); 68 75 69 ok(MT::Sanitize->sanitize('<b>bold</b>', MT::Sanitize->parse_spec('b')), '<b>bold</b>');76 is(MT::Sanitize->sanitize('<b>bold</b>', MT::Sanitize->parse_spec('b')), '<b>bold</b>', '<b>bold</b>'); 70 77 71 ok(MT::Sanitize->sanitize('Some text<br />with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break');78 is(MT::Sanitize->sanitize('Some text<br />with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break', 'Some text<br />with a line break'); 72 79 73 ok(MT::Sanitize->sanitize('Some text<br>with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break');80 is(MT::Sanitize->sanitize('Some text<br>with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break', 'Some text<br />with a line break'); 74 81 75 ok(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', MT::Sanitize->parse_spec('img/ src')), '<img src="foo.jpg" />');82 is(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', MT::Sanitize->parse_spec('img/ src')), '<img src="foo.jpg" />', '<img src="foo.jpg" />'); 76 83 77 ok(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', 'img/ src'), '<img src="foo.jpg" />');84 is(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', 'img/ src'), '<img src="foo.jpg" />', '<img src="foo.jpg" />'); 78 85 79 ok(MT::Sanitize->sanitize('<b>open bold', 'b'), '<b>open bold</b>');86 is(MT::Sanitize->sanitize('<b>open bold', 'b'), '<b>open bold</b>', '<b>open bold</b>'); 80 87 81 ok(MT::Sanitize->sanitize('<b><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic');88 is(MT::Sanitize->sanitize('<b><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic', 
'<b><i>open</i></b> italic'); 82 89 83 ok(MT::Sanitize->sanitize('<a><b><blockquote><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic');90 is(MT::Sanitize->sanitize('<a><b><blockquote><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic', '<b><i>open</i></b> italic'); 84 91 85 ok(MT::Sanitize->sanitize('<a href="javascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>');92 is(MT::Sanitize->sanitize('<a href="javascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>', '<a>boo</a>'); 86 93 87 ok(MT::Sanitize->sanitize('<a href="jav
ascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>');94 is(MT::Sanitize->sanitize('<a href="jav
ascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>', '<a>boo</a>'); 88 95 89 ok(MT::Sanitize->sanitize('<a href="java script.html">boo</a>', 'a href'), '<a href="java script.html">boo</a>'); 96 is(MT::Sanitize->sanitize('<a href="java script.html">boo</a>', 'a href'), '<a href="java script.html">boo</a>', '<a href="java script.html">boo</a>'); 97 98 is(MT::Sanitize->sanitize('<a href="javascript' . chr(0) . '8;alert(\'boo\')">click</a>', 'a href'), '<a>click</a>', '<a href="javascript&5(null)8;alert(\'boo\')">click</a>'); 99 100 is(MT::Sanitize->sanitize('<p><i style="x:expression:alert(\'xss\')"', 'p,i'), '<p></p>', '<p><i style="x:expression:alert(\'xss\')"'); 90 101 91 102 ### this one breaks... 92 ###ok(!MT::Sanitize->sanitize('<? /* ?> */ readfile("/etc/passwd") ?>'));103 is(MT::Sanitize->sanitize('<? /* ?> */ readfile("/etc/passwd") ?>'), ' */ readfile("/etc/passwd") ?>', 'php cloaking attempt');
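Review bot: The description on the new NUL test, `'<a href="javascript&5(null)8;alert(\'boo\')">click</a>'`, does not match the input it labels (the input is `'javascript' . chr(0) . '8;alert(...)'`), which makes a failure report misleading; a label such as `'NUL byte inside javascript: href'` would be clearer. The only NUL coverage is inside an href attribute, so a case for NUL in plain text, `is(MT::Sanitize->sanitize("foo\x00bar"), 'foobar', 'NUL in text content');`, would exercise the `tr/\x00//d` in sanitize() directly and needs the plan bumped to `tests => 54`. The last assertion now pins the cloaking case to `' */ readfile("/etc/passwd") ?>'`, documenting that the leftover is inert text rather than code, but the `### this one breaks...` comment above it is presumably stale now and should be updated.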
