F4307607
T119158-part2-REL1_23.patch
Authored By
Bawolff
Jul 26 2016, 1:45 AM
2016-07-26 01:45:02 (UTC+0)
Size
1 KB
From d8260c429d5cce11b9284f337b749ee50a064355 Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Sun, 24 Jan 2016 09:56:25 -0500
Subject: [PATCH] SECURITY: Use more complicated regex for detecting html
(Hopefully will detect if there is an unescaped '>' inside attribute)
Bug: T119158
Change-Id: Iabbd926eab13a218bf92b20b54d83f611c3e4830
---
languages/LanguageConverter.php | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/languages/LanguageConverter.php b/languages/LanguageConverter.php
index ade9419..ac0c868 100644
--- a/languages/LanguageConverter.php
+++ b/languages/LanguageConverter.php
@@ -381,9 +381,12 @@ class LanguageConverter {
$scriptfix = '<script[^>]*+>[^<]*+(?:(?:(?!<\/script>).)[^<]*+)*+<\/script>|';
// disable conversion of <pre> tags
$prefix = '<pre[^>]*+>[^<]*+(?:(?:(?!<\/pre>).)[^<]*+)*+<\/pre>|';
+ // The "|.*+)" at the end, is in case we missed some part of html syntax,
+ // we will fail securely (hopefully) by matching the rest of the string.
+ $htmlFullTag = '<(?:[^>=]*+(?>[^>=]*+=\s*+(?:"[^"]*"|\'[^\']*\'|[^\'">\s]*+))*+[^>=]*+>|.*+)|';
- $reg = '/' . $codefix . $scriptfix . $prefix .
- '<[^>]++>|&[a-zA-Z#][a-z0-9]++;' . $marker . $htmlfix . '|\004$/s';
+ $reg = '/' . $codefix . $scriptfix . $prefix . $htmlFullTag .
+ '&[a-zA-Z#][a-z0-9]++;' . $marker . $htmlfix . '|\004$/s';
$startPos = 0;
$sourceBlob = '';
$literalBlob = '';
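Review bot: The fail-secure branch `|.*+)` at the end of $htmlFullTag only matches "the rest of the string" because $reg ends in the `s` modifier; without it `.` stops at the first newline and the match would end there instead of at the end of the input. The comment should state that dependency in place of "(hopefully)", so a later change to the modifiers does not silently weaken the fallback. A second point on the same line: quoted values are only recognised after `=`. In an input such as `<a "x>y">` the quote is consumed by the leading `[^>=]*+`, so the tag is taken to end at the first `>` and the fallback never runs. If input of that shape can reach this code, it needs either its own alternative or a test that shows it is harmless. The diffstat lists only languages/LanguageConverter.php, so a regression case with an unescaped `>` inside a quoted attribute value would be worth adding to pin the behaviour the subject line describes.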
--
1.9.5 (Apple Git-50.3)
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
3885991
Default Alt Text
T119158-part2-REL1_23.patch (1 KB)
Attached To
Mode
T119158: Language converter: unsafe attribute injection via glossary rules (CVE-2017-8815)