Fix #17297: XSS in string_insert_hrefs

The URL matching regex in the function did not validate the protocol,
allowing an attacker to use 'javascript://' to execute arbitrary code.

Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me)
and reported by Offensive Security (http://www.offensive-security.com/).
dregad committed Nov 28, 2014
1 parent e5fc835 commit 05378e00313a8c591de19e74a4212473a8c6a7dd
Showing with 6 additions and 3 deletions.
  1. +6 −3 core/string_api.php
@@ -459,7 +459,8 @@ function string_process_bugnote_link( $p_string, $p_include_anchor = true, $p_de
}
/**
* Detect URLs and email addresses in the string and replace them with href anchors
* Search email addresses and URLs for a few common protocols in the given
* string, and replace occurences with href anchors.
* @param string $p_string
* @return string
*/
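Review bot: the added docblock line "replace occurences with href anchors" misspells "occurrences"; please fix it in this hunk since the line is new. The description would also be more useful if it stated why only "a few common protocols" are matched (the scheme allowlist is the XSS mitigation the commit exists for), so that a later contributor does not widen the pattern back to a generic scheme match without understanding the consequence.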
@@ -480,8 +481,10 @@ function string_insert_hrefs( $p_string ) {
# Initialize static variables
if ( is_null( $s_url_regex ) ) {
# URL regex
$t_url_protocol = '(?:[[:alpha:]][-+.[:alnum:]]*):\/\/';
# URL protocol. The regex accepts a small subset from the list of valid
# IANA permanent and provisional schemes defined in
# http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
$t_url_protocol = '(?:https?|s?ftp|file|irc[6s]?|ssh|telnet|nntp|git|svn(?:\+ssh)?|cvs):\/\/';
# %2A notation in url's
$t_url_hex = '%[[:digit:]A-Fa-f]{2}';
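Review bot: the new `$t_url_protocol` allowlist is the right shape of fix, replacing the generic `(?:[[:alpha:]][-+.[:alnum:]]*)` scheme pattern that accepted any scheme, including the `javascript:` one named in the commit message, with an explicit set. Two things to confirm that are not visible in the hunk: first, whether the final regex is compiled case-insensitively, because as written the alternation is lower-case only and `HTTP://` would no longer be linked unless the modifier is present; second, whether `file://` should stay in the list, since a clickable local-file link inside a bug note is rarely intended and the comment cites IANA scheme validity rather than safety as the selection criterion. Please also add a short unit test that feeds a `javascript://` string through `string_insert_hrefs()` and asserts no anchor is produced, so the regression stays covered.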
