Commit 05378e0

Fix #17297: XSS in string_insert_hrefs
The URL matching regex in the function did not validate the protocol, allowing an attacker to use 'javascript://' to execute arbitrary code. Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and reported by Offensive Security (http://www.offensive-security.com/).
1 parent e5fc835 commit 05378e0

1 file changed (+6 -3 lines changed)

Diff for: core/string_api.php

@@ -459,7 +459,8 @@ function string_process_bugnote_link( $p_string, $p_include_anchor = true, $p_de
459459
}
460460

461461
/**
462-
* Detect URLs and email addresses in the string and replace them with href anchors
462+
* Search email addresses and URLs for a few common protocols in the given
463+
* string, and replace occurences with href anchors.
463464
* @param string $p_string
464465
* @return string
465466
*/
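Review bot: the added doc comment line `* string, and replace occurences with href anchors.` misspells "occurrences"; worth fixing while this comment block is already being rewritten.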
@@ -480,8 +481,10 @@ function string_insert_hrefs( $p_string ) {
480481

481482
# Initialize static variables
482483
if ( is_null( $s_url_regex ) ) {
483-
# URL regex
484-
$t_url_protocol = '(?:[[:alpha:]][-+.[:alnum:]]*):\/\/';
484+
# URL protocol. The regex accepts a small subset from the list of valid
485+
# IANA permanent and provisional schemes defined in
486+
# http://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
487+
$t_url_protocol = '(?:https?|s?ftp|file|irc[6s]?|ssh|telnet|nntp|git|svn(?:\+ssh)?|cvs):\/\/';
485488

486489
# %2A notation in url's
487490
$t_url_hex = '%[[:digit:]A-Fa-f]{2}';
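Review bot: the explicit scheme allowlist in `$t_url_protocol` closes the reported `javascript://` vector that the old `(?:[[:alpha:]][-+.[:alnum:]]*)` pattern accepted, but the change touches only core/string_api.php and adds no regression test; a unit test asserting that `javascript://` (and any other unlisted scheme) is left as plain text while `http://` and `https://` still become anchors would keep the list from being loosened later. Two smaller points: the alternation is case-sensitive as written, so `HTTP://` is only linkified if the compiled pattern applies a case-insensitive modifier (not visible in this hunk), and `file://` is of limited use in a web application's linkifier, so either document why it is kept or drop it from the list.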
