20180518脆弱性対応

baserproject · May 14, 2018 · aa950ba · aa950ba
1 parent 2d6c107
commit aa950ba
Show file tree

Hide file tree

Showing 40 changed files with 172 additions and 88 deletions.
diff --git a/lib/Baser/Config/setting.php b/lib/Baser/Config/setting.php
@@ -54,6 +54,8 @@
 	// 固定ページでシンタックスエラーチェックを行うかどうか
 	// お名前ドットコムの場合、CLI版PHPの存在確認の段階で固まってしまう
 	'validSyntaxWithPage' => true,
+	// 管理者以外のPHPコードを許可するかどうか
+	'allowedPhpOtherThanAdmins' => true,
 	'marketThemeRss' => 'https://market.basercms.net/themes.rss',
 	'marketPluginRss' => 'https://market.basercms.net/plugins.rss',
 	'specialThanks' => 'https://basercms.net/special_thanks/special_thanks/ajax_users'

diff --git a/lib/Baser/Config/theme/bc_sample/Elements/crumbs.php b/lib/Baser/Config/theme/bc_sample/Elements/crumbs.php
@@ -23,10 +23,10 @@
 			}
 			if ($this->BcArray->last($crumbs, $key)) {
 				if ($this->viewPath != 'home' && $crumb['name']) {
-					$this->BcBaser->addCrumb('<strong>' . $crumb['name'] . '</strong>');
+					$this->BcBaser->addCrumb('<strong>' . h($crumb['name']) . '</strong>');
 				}
 			} else {
-				$this->BcBaser->addCrumb($crumb['name'], $crumb['url']);
+				$this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']);
 			}
 		}
 	}

diff --git a/lib/Baser/Config/theme/bc_sample/Elements/smartphone/widgets/blog_author_archives.php b/lib/Baser/Config/theme/bc_sample/Elements/smartphone/widgets/blog_author_archives.php
@@ -38,13 +38,13 @@
 					$class = '';
 				}
 				if ($view_count) {
-					$title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')';
+					$title = h($this->BcBaser->getUserName($author['User'])) . ' (' . $author['count'] . ')';
 				} else {
-					$title = $this->BcBaser->getUserName($author['User']);
+					$title = h($this->BcBaser->getUserName($author['User']));
 				}
 				?>
 				<li<?php echo $class ?>>
-					<?php $this->BcBaser->link($title, $this->request->params['Content']['name'] . '/archives/author/' . $author['User']['name']) ?>
+					<?php $this->BcBaser->link($title, $this->request->params['Content']['name'] . '/archives/author/' . $author['User']['name'], ['escape' => true]) ?>
 				</li>
 			<?php endforeach; ?>
 		</ul>

diff --git a/lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php b/lib/Baser/Config/theme/bc_sample/Elements/widgets/blog_author_archives.php
@@ -40,13 +40,13 @@
 					$class = '';
 				}
 				if ($view_count) {
-					$title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')';
+					$title = h($this->BcBaser->getUserName($author['User'])) . ' (' . $author['count'] . ')';
 				} else {
-					$title = $this->BcBaser->getUserName($author['User']);
+					$title = h($this->BcBaser->getUserName($author['User']));
 				}
 				?>
 				<li<?php echo $class ?>>
-					<?php $this->BcBaser->link($title, $baseCurrentUrl . $author['User']['name']) ?>
+					<?php $this->BcBaser->link($title, $baseCurrentUrl . $author['User']['name'], ['escape' => true]) ?>
 				</li>
 			<?php endforeach; ?>
 		</ul>

diff --git a/lib/Baser/Config/theme/bccolumn/Elements/crumbs.php b/lib/Baser/Config/theme/bccolumn/Elements/crumbs.php
@@ -10,12 +10,12 @@
 		foreach ($crumbs as $key => $crumb) {
 			if ($this->BcArray->last($crumbs, $key)) {
 				if ($this->viewPath != 'home' && $crumb['name']) {
-					$this->BcBaser->addCrumb($crumb['name']);
+					$this->BcBaser->addCrumb(h($crumb['name']));
 				} elseif ($this->name == 'CakeError') {
 					$this->BcBaser->addCrumb('<strong>404 NOT FOUND</strong>');
 				}
 			} else {
-				$this->BcBaser->addCrumb($crumb['name'], $crumb['url']);
+				$this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']);
 			}
 		}
 	}

diff --git a/lib/Baser/Config/theme/nada-icons/Elements/crumbs.php b/lib/Baser/Config/theme/nada-icons/Elements/crumbs.php
@@ -10,12 +10,12 @@
 		foreach ($crumbs as $key => $crumb) {
 			if ($this->BcArray->last($crumbs, $key)) {
 				if ($this->viewPath != 'home' && $crumb['name']) {
-					$this->BcBaser->addCrumb($crumb['name']);
+					$this->BcBaser->addCrumb(h($crumb['name']));
 				} elseif ($this->name == 'CakeError') {
 					$this->BcBaser->addCrumb('<strong>404 NOT FOUND</strong>');
 				}
 			} else {
-				$this->BcBaser->addCrumb($crumb['name'], $crumb['url']);
+				$this->BcBaser->addCrumb(h($crumb['name']), $crumb['url']);
 			}
 		}
 	}

diff --git a/lib/Baser/Controller/Component/BcManagerComponent.php b/lib/Baser/Controller/Component/BcManagerComponent.php
@@ -496,6 +496,7 @@ public function createInstallFile($securitySalt, $secrityCipherSeed, $siteUrl =
 			"Configure::write('BcEnv.sslUrl', '');",
 			"Configure::write('BcEnv.mainDomain', '');",
 			"Configure::write('BcApp.adminSsl', false);",
+			"Configure::write('BcApp.allowedPhpOtherThanAdmins', false);",
 			"Cache::config('default', array('engine' => 'File'));",
 			"Configure::write('debug', 0);"
 		];

diff --git a/lib/Baser/Lib/BcSite.php b/lib/Baser/Lib/BcSite.php
@@ -406,9 +406,9 @@ public function existsUrl(CakeRequest $request) {
 	public function makeUrl(CakeRequest $request) {
 		$here = $request->here(false);
 		if($this->alias) {
-			return "/{$this->alias}{$here}";
+			return h("/{$this->alias}{$here}");
 		} else {
-			return $here;
+			return h($here);
 		}
 	}
 

diff --git a/lib/Baser/Locale/baser.pot b/lib/Baser/Locale/baser.pot
@@ -4991,7 +4991,7 @@ msgid "更新に失敗しました。入力内容を見直してください。"
 msgstr ""
 
 #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:23
-msgid "アップロードに失敗しました。ファイルサイズを確認してください。"
+msgid "アップロードに失敗しました。ファイルサイズが大きいか、許可されていない形式です。"
 msgstr ""
 
 #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:24

diff --git a/lib/Baser/Locale/eng/LC_MESSAGES/baser.mo b/lib/Baser/Locale/eng/LC_MESSAGES/baser.mo
diff --git a/lib/Baser/Locale/eng/LC_MESSAGES/baser.po b/lib/Baser/Locale/eng/LC_MESSAGES/baser.po
@@ -5,14 +5,14 @@ msgid ""
 msgstr ""
 "Project-Id-Version: baserCMS\n"
 "POT-Creation-Date: \n"
-"PO-Revision-Date: 2018-03-20 15:39+0900\n"
-"Last-Translator: \n"
+"PO-Revision-Date: 2018-04-30 01:46+0900\n"
+"Last-Translator: ryuring\n"
 "Language-Team: baserCMS Users Community <info@basercms.net>\n"
 "Language: en\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Poedit 2.0.6\n"
+"X-Generator: Poedit 2.0.5\n"
 
 #: basics.php:772
 msgid "baserCMSアップデート"
@@ -5471,7 +5471,9 @@ msgid "更新に失敗しました。入力内容を見直してください。"
 msgstr "Failed updating. Please check entered content."
 
 #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:23
-msgid "アップロードに失敗しました。ファイルサイズを確認してください。"
+msgid ""
+"アップロードに失敗しました。ファイルサイズが大きいか、許可されていない形式で"
+"す。"
 msgstr "Failed uploading. Please check file size."
 
 #: Plugin/Uploader/View/Elements/admin/uploader_files/index.php:24

diff --git a/lib/Baser/Model/BcAppModel.php b/lib/Baser/Model/BcAppModel.php
@@ -1749,5 +1749,23 @@ public function sanitize($value) {
 			return $value;
 		}
 	}
+
+/**
+ * スクリプトがが埋め込まれているかチェックする
+ * - 管理グループの場合は無条件に true を返却
+ * - 管理グループ以外の場合に許可されている場合は無条件に true を返却
+ * @param array $check
+ * @return bool
+ */
+	public function containsScript($check) {
+		if(BcUtil::isAdminUser() || Configure::read('BcApp.allowedPhpOtherThanAdmins')) {
+			return true;
+		}
+		$value = $check[key($check)];
+		if(preg_match('/(<\?=|<\?php|<script)/', $value)) {
+			return false;
+		}
+		return true;
+	}
 
 }
diff --git a/lib/Baser/Model/Page.php b/lib/Baser/Model/Page.php
@@ -86,11 +86,16 @@ public function __construct($id = false, $table = null, $ds = null) {
 			'id' => [
 				['rule' => 'numeric', 'on' => 'update', 'message' => __d('baser', 'IDに不正な値が利用されています。')]],
 			'contents' => [
-				['rule' => 'phpValidSyntax', 'message' => __d('baser', 'PHPの構文エラーが発生しました。')],
-				['rule' => ['maxByte', 64000], 'message' => __d('baser', '本稿欄に保存できるデータ量を超えています。')]],
+				['rule' => 'phpValidSyntax', 'message' => __d('baser', '本稿欄でPHPの構文エラーが発生しました。')],
+				['rule' => ['maxByte', 64000], 'message' => __d('baser', '本稿欄に保存できるデータ量を超えています。')],
+				['rule' => 'containsScript', 'message' => __d('baser', '本稿欄でスクリプトの入力は許可されていません。')]],
 			'draft' => [
+				['rule' => 'phpValidSyntax', 'message' => __d('baser', '草稿欄でPHPの構文エラーが発生しました。')],
+				['rule' => ['maxByte', 64000], 'message' => __d('baser', '草稿欄に保存できるデータ量を超えています。')],
+				['rule' => 'containsScript', 'message' => __d('baser', '草稿欄でスクリプトの入力は許可されていません。')]],
+			'code' => [
 				['rule' => 'phpValidSyntax', 'message' => __d('baser', 'PHPの構文エラーが発生しました。')],
-				['rule' => ['maxByte', 64000], 'message' => __d('baser', '草稿欄に保存できるデータ量を超えています。')]]
+				['rule' => 'containsScript', 'message' => __d('baser', 'スクリプトの入力は許可されていません。')]]
 		];
 	}
 

diff --git a/lib/Baser/Plugin/Blog/Controller/BlogController.php b/lib/Baser/Plugin/Blog/Controller/BlogController.php
@@ -307,8 +307,7 @@ public function archives() {
 				$data = $this->BlogPost->User->find('first', ['fields' => ['real_name_1', 'real_name_2', 'nickname'], 'conditions' => ['User.name' => $author]]);
 				App::uses('BcBaserHelper', 'View/Helper');
 				$BcBaser = new BcBaserHelper(new View());
-				$userName = $BcBaser->getUserName($data);
-				$this->pageTitle = urldecode($userName);
+				$this->pageTitle = $BcBaser->getUserName($data);
 				$template = $this->blogContent['BlogContent']['template'] . DS . 'archives';
 				$this->set('blogArchiveType', $type);
 				break;

diff --git a/lib/Baser/Plugin/Blog/View/Blog/smartphone/default/posts.php b/lib/Baser/Plugin/Blog/View/Blog/smartphone/default/posts.php
@@ -29,7 +29,7 @@
 				<?php $class[] = 'last' ?>
 			<?php endif ?>
 			<li class="<?php echo implode(' ', $class) ?>">
-				<?php $this->Blog->postLink($post, '<span class="date">' . $this->Blog->getPostDate($post, 'Y.m.d') . '</span><br />' . '<span class="title">' . $this->Blog->getPostTitle($post, false) . '</span>') ?>
+				<?php $this->Blog->postLink($post, '<span class="date">' . $this->Blog->getPostDate($post, 'Y.m.d') . '</span><br />' . '<span class="title">' . $this->Blog->getPostTitle($post, false) . '</span>', ['escape' => false]) ?>
 			</li>
 		<?php endforeach ?>
 	</ul>

diff --git a/lib/Baser/Plugin/Blog/View/Elements/admin/blog_posts/index_row.php b/lib/Baser/Plugin/Blog/View/Elements/admin/blog_posts/index_row.php
@@ -34,17 +34,17 @@
 	<td class="eye_catch"><?php echo $this->BcUpload->uploadImage('BlogPost.eye_catch',  $data['BlogPost']['eye_catch'], ['imgsize' => 'mobile_thumb']) ?></td>
 	<td>
 		<?php if (!empty($data['BlogCategory']['title'])): ?>
-			<?php echo $data['BlogCategory']['title']; ?>
+			<?php echo h($data['BlogCategory']['title']); ?>
 		<?php endif; ?>
 		<?php if ($data['BlogContent']['tag_use'] && !empty($data['BlogTag'])): ?>
 			<?php $tags = Hash::extract($data['BlogTag'], '{n}.name') ?>
 			<span class="tag"><?php echo implode('</span><span class="tag">', h($tags)) ?></span>
 		<?php endif ?>
 		<br />
-		<?php $this->BcBaser->link($data['BlogPost']['name'], ['action' => 'edit', $data['BlogContent']['id'], $data['BlogPost']['id']]) ?>
+		<?php $this->BcBaser->link($data['BlogPost']['name'], ['action' => 'edit', $data['BlogContent']['id'], $data['BlogPost']['id']], ['escape' => true]) ?>
 	</td>
 	<td style="text-align:center" class="status">
-		<?php echo $this->BcBaser->getUserName($data['User']) ?><br>
+		<?php echo h($this->BcBaser->getUserName($data['User'])) ?><br>
         <?php echo $this->BcText->booleanMark($data['BlogPost']['status']); ?>
 	</td>
 

diff --git a/lib/Baser/Plugin/Blog/View/Elements/widgets/blog_author_archives.php b/lib/Baser/Plugin/Blog/View/Elements/widgets/blog_author_archives.php
@@ -43,13 +43,13 @@
 					$class = '';
 				}
 				if ($view_count) {
-					$title = $this->BcBaser->getUserName($author['User']) . ' (' . $author['count'] . ')';
+					$title = h($this->BcBaser->getUserName($author['User'])) . ' (' . $author['count'] . ')';
 				} else {
-					$title = $this->BcBaser->getUserName($author['User']);
+					$title = h($this->BcBaser->getUserName($author['User']));
 				}
 				?>
 				<li<?php echo $class ?>>
-					<?php $this->BcBaser->link($title, $baseCurrentUrl . $author['User']['name']) ?>
+					<?php $this->BcBaser->link($title, $baseCurrentUrl . $author['User']['name'], ['escape' => true]) ?>
 				</li>
 			<?php endforeach; ?>
 		</ul>

diff --git a/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php b/lib/Baser/Plugin/Blog/View/Helper/BlogHelper.php
@@ -219,6 +219,10 @@ public function getPostTitle($post, $link = true) {
  * @return string 記事へのリンク
  */
 	public function getPostLink($post, $title, $options = []) {
+		$options = array_merge([
+			'escape' => true
+		], $options);
+
 		$url = $this->getPostLinkUrl($post, false);
 
 		// EVENT beforeGetPostLink
@@ -471,7 +475,7 @@ public function getTag($post, $options = []) {
 		if (!empty($post['BlogTag'])) {
 			foreach ($post['BlogTag'] as $tag) {
 				if($options['link']) {
-					$tags[] = $this->BcBaser->getLink($tag['name'], $this->getTagLinkUrl($crossingId, $tag, false));	
+					$tags[] = $this->BcBaser->getLink($tag['name'], $this->getTagLinkUrl($crossingId, $tag, false), ['escape' => true]);	
 				} else {
 					$tags[] = [
 						'name' => $tag['name'],
@@ -563,7 +567,7 @@ public function getPostDate($post, $format = 'Y/m/d') {
  * @return void
  */
 	public function author($post) {
-		echo $this->BcBaser->getUserName($post['User']);
+		echo h($this->BcBaser->getUserName($post['User']));
 	}
 
 /**

diff --git a/lib/Baser/Plugin/Mail/Controller/MailFieldsController.php b/lib/Baser/Plugin/Mail/Controller/MailFieldsController.php
@@ -63,6 +63,7 @@ class MailFieldsController extends MailAppController {
  */
 	public function beforeFilter() {
 		parent::beforeFilter();
+		$this->_checkEnv();
 		$this->MailContent->recursive = -1;
 		$mailContentId = $this->params['pass'][0];
 		$this->mailContent = $this->MailContent->read(null, $mailContentId);
@@ -73,6 +74,27 @@ public function beforeFilter() {
 		}
 	}
 
+/**
+ * プラグインの環境をチェックする
+ */
+	protected function _checkEnv() {
+		$savePath = WWW_ROOT . 'files' . DS . "mail" . DS . 'limited';
+		if(!is_dir($savePath)) {
+			$Folder = new Folder();
+			$Folder->create($savePath, 0777);
+			if(!is_dir($savePath)) {
+				$this->setMessage('ファイルフィールドを利用している場合、現在、フォームより送信したファイルフィールドのデータは公開された状態となっています。URLを直接閲覧すると参照できてしまいます。参照されないようにする為には、' . WWW_ROOT . 'files/mail/ に書き込み権限を与えてください。', true);
+			}
+			$File = new File($savePath . DS . '.htaccess');
+			$htaccess = "Order allow,deny\nDeny from all";
+			$File->write($htaccess);
+			$File->close();
+			if(!file_exists($savePath . DS . '.htaccess')) {
+				$this->setMessage('ファイルフィールドを利用している場合、現在、フォームより送信したファイルフィールドのデータは公開された状態となっています。URLを直接閲覧すると参照できてしまいます。参照されないようにする為には、' . WWW_ROOT . 'files/mail/limited/ に書き込み権限を与えてください。', true);
+			}
+		}
+	}
+
 /**
  * beforeRender
  *

diff --git a/lib/Baser/Plugin/Uploader/Config/setting.php b/lib/Baser/Plugin/Uploader/Config/setting.php
@@ -24,7 +24,10 @@
 					'url' => array('admin' => true, 'plugin' => 'uploader', 'controller' => 'uploader_categories', 'action' => 'add')),
 				array('name' => __d('baser', '基本設定'),
 					'url' => array('admin' => true, 'plugin' => 'uploader', 'controller' => 'uploader_configs', 'action' => 'index')),
-		)
+		),
 	);
-
+	$config['Uploader'] = [
+		// システム管理者グループ以外のユーザーがアップロード可能なファイル（拡張子をカンマ区切りで指定する）
+		'allowedExt' => 'gif,jpg,png,pdf,zip,doc,docx,xls,xlsx,ppt,pptx'
+	];
 ?>
diff --git a/lib/Baser/Plugin/Uploader/Controller/UploaderFilesController.php b/lib/Baser/Plugin/Uploader/Controller/UploaderFilesController.php
@@ -76,8 +76,31 @@ public function __construct($request = null, $response = null) {
 
 	public function beforeFilter() {
 		$this->BcAuth->allow('view_limited_file');
+		$this->_checkEnv();
 		parent::beforeFilter();
 	}
+
+/**
+ * プラグインの環境をチェックする 
+ */
+	protected function _checkEnv() {
+		$savePath = WWW_ROOT . 'files' . DS . $this->UploaderFile->actsAs['BcUpload']['saveDir'] . DS;
+		if(!is_dir($savePath . 'limited')) {
+			$Folder = new Folder();
+			$Folder->create($savePath . 'limited', 0777);
+			if(!is_dir($savePath . 'limited')) {
+				$this->setMessage('現在、アップロードファイルの公開期間の指定ができません。指定できるようにするには、' . $savePath . ' に書き込み権限を与えてください。', true);
+			}
+			$File = new File($savePath . 'limited' . DS . '.htaccess');
+			$htaccess = "Order allow,deny\nDeny from all";
+			$File->write($htaccess);
+			$File->close();
+			if(!file_exists($savePath . 'limited' . DS . '.htaccess')) {
+				$this->setMessage('現在、アップロードファイルの公開期間の指定ができません。指定できるようにするには、' . $savePath . 'limited/ に書き込み権限を与えてください。', true);
+			}
+		}
+	}
+
 /**
  * [ADMIN] ファイル一覧
  *