SQLインジェクション、コマンドインジェクション、他の脆弱性を改善
- インストール時にdatabase.phpに書き込む文字列のサニタイズを追加
- サイト内検索のSQLインジェクションの脆弱性を改善
- ファイルアップロード以外にてファイル情報が送信された場合の検証を追加
seto1 committed Aug 10, 2017
1 parent 27230e7 commit b5ca3ee
Showing 3 changed files with 48 additions and 20 deletions.
5 changes: 5 additions & 0 deletions lib/Baser/Controller/Component/BcManagerComponent.php
Expand Up @@ -415,6 +415,11 @@ public function createDatabaseConfig($options = array()) {
'encoding' => 'utf8'
), $options);

// 入力された文字列よりPHPプログラムファイルを生成するため'(シングルクオート)をサニタイズ
foreach($options as $key => $option) {
$options[$key] = str_replace("'", "\\'", $option);
}

extract($options);

$datasource = $this->getDatasourceName($datasource);
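Review bot: The sanitizer added at `$options[$key] = str_replace("'", "\\'", $option);` escapes single quotes but not backslashes, so a value that ends in a backslash still breaks the single-quoted literal in the generated database.php: `'foo\'` leaves the string unterminated and the rest of that line is read as PHP. Escape the backslash first, `$options[$key] = str_replace(['\\', "'"], ['\\\\', "\\'"], $option);`, or better, emit each value with `var_export($option, true)` where the file is written so the quoting is correct by construction. The loop also runs over every option, including non-string flags that `str_replace` coerces to strings; wrapping it in `if (is_string($option))` keeps their types. createDatabaseConfig's body continues outside the hunk, so the place where these values are interpolated is not visible here.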
26 changes: 7 additions & 19 deletions lib/Baser/Controller/SearchIndicesController.php
Expand Up @@ -169,31 +169,19 @@ protected function _createSearchConditions($data) {
$query = $data['SearchIndex']['q'];
}
if (!empty($data['SearchIndex']['cf'])) {
$data['SearchIndex']['content_filter_id'] = $data['SearchIndex']['cf'];
$conditions['SearchIndex.content_filter_id'] = $data['SearchIndex']['cf'];
}
if (!empty($data['SearchIndex']['m'])) {
$data['SearchIndex']['model'] = $data['SearchIndex']['m'];
$conditions['SearchIndex.model'] = $data['SearchIndex']['m'];
}
if (isset($data['SearchIndex']['s'])) {
$data['SearchIndex']['site_id'] = $data['SearchIndex']['s'];
$conditions['SearchIndex.site_id'] = $data['SearchIndex']['s'];
}
if (!empty($data['SearchIndex']['f'])) {
$content = $this->Content->find('first', ['fields' => ['lft', 'rght'], 'conditions' => ['Content.id' => $data['SearchIndex']['f']], 'recursive' => -1]);
$data['SearchIndex']['rght <'] = $content['Content']['rght'];
$data['SearchIndex']['lft >'] = $content['Content']['lft'];
$conditions['SearchIndex.rght <'] = $data['SearchIndex']['rght'];
$conditions['SearchIndex.lft >'] = $data['SearchIndex']['lft'];
}

unset($data['SearchIndex']['key']);
unset($data['SearchIndex']['fields']);
unset($data['SearchIndex']['_Token']);
unset($data['SearchIndex']['q']);
unset($data['SearchIndex']['cf']);
unset($data['SearchIndex']['m']);
unset($data['SearchIndex']['f']);
unset($data['SearchIndex']['s']);

$conditions = am($conditions, $this->postConditions($data));

if ($query) {
$query = $this->_parseQuery($query);
foreach ($query as $key => $value) {
Expand Down Expand Up @@ -430,8 +418,8 @@ protected function _createAdminIndexConditions($data) {
unset($data['SearchIndex'][$key]);
}
}
if ($data['SearchIndex']) {
$conditions = $this->postConditions($data);
if(isset($data['SearchIndex']['priority'])) {
$conditions['SearchIndex.priority'] = $data['SearchIndex']['priority'];
}
if ($type) {
$conditions['SearchIndex.type'] = $type;
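Review bot: The two lines that now populate the subtree condition read `$data['SearchIndex']['rght']` and `$data['SearchIndex']['lft']`, but nothing in the hunk assigns those keys — the only nearby assignments go to `'rght <'` and `'lft >'` keys, which the commit appears to drop — so the conditions would be built from undefined indexes (null) instead of from the `$content` row fetched on the line above. Take the values from the find result, `$conditions['SearchIndex.rght <'] = $content['Content']['rght'];` and `$conditions['SearchIndex.lft >'] = $content['Content']['lft'];`, and guard the case where `find('first')` returns empty for an unknown `f`, e.g. `if ($content) { … }`. Replacing `postConditions($data)` with explicit per-key conditions is what closes the injection here; the second hunk does the same in `_createAdminIndexConditions`, where the new `if(isset($data['SearchIndex']['priority']))` also drops the space after `if`, unlike the surrounding `if ($type)`. _createSearchConditions starts and ends outside the hunk.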
37 changes: 36 additions & 1 deletion lib/Baser/Plugin/Mail/Controller/MailController.php
Expand Up @@ -246,6 +246,11 @@ public function confirm($id = null) {
} else {
// 入力データを整形し、モデルに引き渡す
$this->request->data = $this->MailMessage->create($this->MailMessage->autoConvert($this->request->data));

// fileタイプへの送信データ検証
if (!$this->_checkDirectoryRraversal()) {
$this->redirect($this->request->params['Content']['url'] . '/index');
}

// 画像認証を行う
if ($this->request->params['Site']['name'] != 'mobile' && $this->dbDatas['mailContent']['MailContent']['auth_captcha']) {
Expand Down Expand Up @@ -309,7 +314,12 @@ public function submit($id = null) {
unset($this->request->data['MailMessage']['auth_captcha']);
}
}


// fileタイプへの送信データ検証
if (!$this->_checkDirectoryRraversal()) {
$this->redirect($this->request->params['Content']['url'] . '/index');
}

$this->MailMessage->create($this->request->data);

// データの入力チェックを行う
Expand Down Expand Up @@ -515,6 +525,31 @@ protected function _sendEmail() {
$this->sendMail($adminMail, $mailContent['subject_admin'], $data, $options);
}
}

/**
* ファイルフィールドのデータがアップロードされたファイルパスであることを検証する
*
* @return boolean
*/
private function _checkDirectoryRraversal() {
if (!isset($this->dbDatas['mailFields'])
|| !is_array($this->dbDatas['mailFields'])
|| empty($this->MailMessage->Behaviors->BcUpload->settings['MailMessage'])) {
return false;
}

$settings = $this->MailMessage->Behaviors->BcUpload->settings['MailMessage'];

foreach($this->dbDatas['mailFields'] as $mailField) {
if ($mailField['MailField']['type'] == 'file' &&
!empty($this->request->data['MailMessage'][$mailField['MailField']['field_name']]['tmp_name'])) {
if (!is_uploaded_file($this->request->data['MailMessage'][$mailField['MailField']['field_name']]['tmp_name'])) {
return false;
}
}
}
return true;
}

/**
* 認証用のキャプチャ画像を表示する
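Review bot: `$settings` in `_checkDirectoryRraversal` is assigned from `BcUpload->settings['MailMessage']` but never read, and the `empty(...)` guard above it returns false — which `confirm()` and `submit()` treat as a rejected submission — for every form whose model has no upload settings, even one with no file fields at all. If the check is only meant to fail closed when a file field is present, move it inside the loop, `if ($mailField['MailField']['type'] === 'file') { if (empty($settings) || !is_uploaded_file(...)) { return false; } }`, or drop the dead variable; either way the docblock should say that false also covers missing field or upload configuration, e.g. `@return boolean true when every non-empty file field holds a real uploaded file, false otherwise (including missing mailFields/upload settings)`. The method name misspells traversal; since it is new and private, renaming it to `_checkDirectoryTraversal` at both call sites is cheap now. The two redirect hunks rely on `redirect()` stopping execution; if it does not in this CakePHP version, the code after it still runs, so a `return;` after each `$this->redirect(...)` is the safer form.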
