SQLインジェクション、コマンドインジェクション、他の脆弱性を改善
- インストール時にdatabase.phpに書き込む文字列のサニタイズを追加
- サイト内検索のSQLインジェクションの脆弱性を改善
- ファイルアップロード以外にてファイル情報が送信された場合の検証を追加
seto1 committed Aug 10, 2017
1 parent 07cfcd2 commit d3161d9
Showing 4 changed files with 42 additions and 23 deletions.
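--- a/lib/Baser/Controller/Component/BcManagerComponent.php
+++ b/lib/Baser/Controller/Component/BcManagerComponent.php
@@ -393,6 +393,11 @@ public function createDatabaseConfig($options = array()) {
 'encoding' => 'utf8'
 ), $options);
 
+// 入力された文字列よりPHPプログラムファイルを生成するため'(シングルクオート)をサニタイズ
+foreach($options as $key => $option) {
+$options[$key] = str_replace("'", "\\'", $option);
+}
+
 extract($options);
 
 $datasource = $this->getDatasourceName($datasource);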
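Review bot: The new loop in `createDatabaseConfig` escapes only the single quote, so a value that ends in a backslash, or that already contains `\'`, still leaves the generated single-quoted literal unterminated — in a PHP single-quoted string `\\` and `\'` are the only escape sequences (this assumes the template, which is outside the hunk, writes each value as a single-quoted literal, as the comment says). Escape the backslash before the quote, and skip non-strings, since `str_replace` casts a boolean option to `'1'`/`''` and not all defaults are visible here: `$options[$key] = is_string($option) ? str_replace(array('\\', "'"), array('\\\\', "\\'"), $option) : $option;`. Generating each literal with `var_export($option, true)` instead would keep the escaping from drifting away from the template. The remainder of `createDatabaseConfig` runs below the hunk.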
6 changes: 2 additions & 4 deletions lib/Baser/Controller/ContentsController.php
Expand Up @@ -156,19 +156,17 @@ protected function _createSearchConditions($data) {
}
if (isset($data['Content']['c'])) {
if ($data['Content']['c']) {
$data['Content']['category'] = $data['Content']['c'];
$conditions['Content.category'] = $data['Content']['c'];
}
unset($data['Content']['c']);
}
if (isset($data['Content']['m'])) {
if ($data['Content']['m']) {
$data['Content']['model'] = $data['Content']['m'];
$conditions['Content.model'] = $data['Content']['m'];
}
unset($data['Content']['m']);
}

$conditions = am($conditions, $this->postConditions($data));

if ($query) {
$query = $this->_parseQuery($query);
foreach ($query as $key => $value) {
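Review bot: Nothing in the new code of `_createSearchConditions` records why the `am($conditions, $this->postConditions($data))` line went away, so a later cleanup could reintroduce it; assuming the direct `$conditions['Content.category']` / `$conditions['Content.model']` assignments are the new side, add a comment above the `c` check such as `// Build conditions only from the known keys c and m; postConditions() would turn every submitted field name into a column condition`. The `if ($data['Content']['c'])` truthiness test also discards a literal `'0'`, which is fine only if that is never a valid category value — worth stating in the same comment. The function starts and ends outside the hunk.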
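--- a/lib/Baser/Plugin/Blog/Controller/BlogController.php
+++ b/lib/Baser/Plugin/Blog/Controller/BlogController.php
@@ -676,25 +676,6 @@ protected function _getBlogPosts($options = array()) {
 $num = 1;
 }
 
-unset($_conditions['author']);
-unset($_conditions['category']);
-unset($_conditions['tag']);
-unset($_conditions['keyword']);
-unset($_conditions['year']);
-unset($_conditions['month']);
-unset($_conditions['day']);
-unset($_conditions['id']);
-unset($_conditions['page']);
-unset($_conditions['num']);
-unset($_conditions['sort']);
-unset($_conditions['direction']);
-unset($_conditions['contentId']);
-
-if ($_conditions) {
-// とりあえず BlogPost のフィールド固定
-$conditions = array_merge($conditions, $this->postConditions(array('BlogPost' => $_conditions)));
-}
-
 // プレビューの場合は公開ステータスを条件にしない
 if (!$this->preview) {
 $conditions = array_merge($conditions, array('BlogContent.status' => true));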
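--- a/lib/Baser/Plugin/Mail/Controller/MailController.php
+++ b/lib/Baser/Plugin/Mail/Controller/MailController.php
@@ -284,6 +284,11 @@ public function confirm($id = null) {
 // 入力データを整形し、モデルに引き渡す
 $this->request->data = $this->Message->create($this->Message->autoConvert($this->request->data));
 
+// fileタイプへの送信データ検証
+if (!$this->_checkDirectoryRraversal()) {
+$this->redirect(array('action' => 'index', $id));
+}
+
 // 画像認証を行う
 if (Configure::read('BcRequest.agent') != 'mobile' && $this->dbDatas['mailContent']['MailContent']['auth_captcha']) {
 $captchaResult = $this->BcCaptcha->check($this->request->data['Message']['auth_captcha']);
@@ -376,6 +381,11 @@ public function submit($id = null) {
 }
 }
 
+// fileタイプへの送信データ検証
+if (!$this->_checkDirectoryRraversal()) {
+$this->redirect(array('action' => 'index', $id));
+}
+
 $this->Message->create($this->request->data);
 
 // データの入力チェックを行う
@@ -592,6 +602,31 @@ protected function _sendEmail() {
 }
 }
 
+/**
+* ファイルフィールドのデータがアップロードされたファイルパスであることを検証する
+*
+* @return boolean
+*/
+private function _checkDirectoryRraversal() {
+if (!isset($this->dbDatas['mailFields'])
+|| !is_array($this->dbDatas['mailFields'])
+|| empty($this->Message->Behaviors->BcUpload->settings['Message'])) {
+return false;
+}
+
+$settings = $this->Message->Behaviors->BcUpload->settings['Message'];
+
+foreach($this->dbDatas['mailFields'] as $mailField) {
+if ($mailField['MailField']['type'] == 'file' &&
+!empty($this->request->data['Message'][$mailField['MailField']['field_name']]['tmp_name'])) {
+if (!is_uploaded_file($this->request->data['Message'][$mailField['MailField']['field_name']]['tmp_name'])) {
+return false;
+}
+}
+}
+return true;
+}
+
 /**
 * 認証用のキャプチャ画像を表示する
 *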
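Review bot: In `_checkDirectoryRraversal` the local `$settings` is assigned from `$this->Message->Behaviors->BcUpload->settings['Message']` and never read, so either drop the line or use it to limit the loop to the fields BcUpload actually manages; as written, the `empty()` guard above it is the only effect of consulting the settings, and it fails closed for every form whose Message model has no BcUpload configuration — confirm that is intended. The check inspects only `tmp_name`; the client-supplied `name` element of the same array passes through untouched here, and whether BcUpload sanitises it before using it in a path is outside this diff. The method name is misspelled (`Rraversal`) at the definition and both call sites, easiest to fix while the code is new, and the callers in `confirm()` and `submit()` rely on `redirect()` exiting (the CakePHP 2 default) — `return $this->redirect(array('action' => 'index', $id));` makes that explicit. Both calling methods start and end outside their hunks.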
