
Fix remote code execution by auth'd users

Some fields in the datasource editor and in the event editor were not properly
sanitized, leading to php code inclusion when using crafted values like ');};phpinfo();/*

This commit aims to fix this, by making sure all user supplied values
are saved with escaped single quotes.

Fixes #2655

Also, 2 errors were not showing up in the DS editor UI, max_records and
page_number.
nitriques committed Apr 10, 2017
1 parent 3b30f8e commit e30a18f8f09dca836e141bf126a26e565c9a2bc7
Showing with 44 additions and 16 deletions.
  1. +36 −12 symphony/content/content.blueprintsdatasources.php
  2. +8 −4 symphony/content/content.blueprintsevents.php
@@ -67,7 +67,14 @@ public function __form()
$providers = Symphony::ExtensionManager()->getProvidersOf(iProvider::DATASOURCE);
$isEditing = false;
$about = $handle = null;
$fields = array('name'=>null, 'source'=>null, 'filter'=>null, 'required_url_param'=>null, 'negate_url_param'=>null, 'param'=>null);
$fields = array(
'name' => null,
'source' => null,
'filter'=> null,
'required_url_param' => null,
'negate_url_param' => null,
'param' => null,
);
if (isset($_POST['fields'])) {
$fields = $_POST['fields'];
@@ -731,7 +738,11 @@ public function __form()
'data-trigger' => '{$'
));
$label->appendChild($input);
$group->appendChild($label);
if (isset($this->_errors['max_records'])) {
$group->appendChild(Widget::Error($label, $this->_errors['max_records']));
} else {
$group->appendChild($label);
}
$label = Widget::Label(__('Page Number'));
$label->setAttribute('class', 'column ds-param');
@@ -741,7 +752,11 @@ public function __form()
'data-trigger' => '{$'
));
$label->appendChild($input);
$group->appendChild($label);
if (isset($this->_errors['page_number'])) {
$group->appendChild(Widget::Error($label, $this->_errors['page_number']));
} else {
$group->appendChild($label);
}
$fieldset->appendChild($group);
@@ -1322,11 +1337,12 @@ public function __formAction()
if (preg_match_all('@(\$ds-[0-9a-z_\.\-]+)@i', $dsShell, $matches)) {
$dependencies = General::array_remove_duplicates($matches[1]);
$dependencies = array_map('addslashes', $dependencies);
$dsShell = str_replace('<!-- DS DEPENDENCY LIST -->', "'" . implode("', '", $dependencies) . "'", $dsShell);
}
$dsShell = str_replace('<!-- CLASS EXTENDS -->', $extends, $dsShell);
$dsShell = str_replace('<!-- SOURCE -->', $source, $dsShell);
$dsShell = str_replace('<!-- SOURCE -->', addslashes($source), $dsShell);
}
if ($this->_context[0] == 'new') {
@@ -1474,19 +1490,19 @@ public function __formAction()
public static function injectFilters(&$shell, array $filters)
{
if (empty($filters)) {
if (!is_array($filters) || empty($filters)) {
return;
}
$placeholder = '<!-- FILTERS -->';
$string = 'public $dsParamFILTERS = array(' . PHP_EOL;
foreach ($filters as $key => $val) {
if (trim($val) == '') {
if (trim($val) == '' || !is_string($val)) {
continue;
}
$string .= " '$key' => '" . addslashes($val) . "'," . PHP_EOL;
$string .= " '" . addslashes($key) . "' => '" . addslashes($val) . "'," . PHP_EOL;
}
$string .= " );" . PHP_EOL . " " . $placeholder;
@@ -1496,12 +1512,16 @@ public static function injectFilters(&$shell, array $filters)
public static function injectAboutInformation(&$shell, array $details)
{
if (empty($details)) {
if (!is_array($details) || empty($details)) {
return;
}
foreach ($details as $key => $val) {
$shell = str_replace('<!-- ' . strtoupper($key) . ' -->', addslashes($val), $shell);
if (!is_string($key) || !is_string($val)) {
continue;
}
$shell = str_replace('<!-- ' . strtoupper(addslashes($key)) . ' -->', addslashes($val), $shell);
}
}
@@ -1510,7 +1530,7 @@ public function __injectIncludedElements(&$shell, $elements)
if (!is_array($elements) || empty($elements)) {
return;
}
$elements = array_map('addslashes', $elements);
$placeholder = '<!-- INCLUDED ELEMENTS -->';
$shell = str_replace($placeholder, "public \$dsParamINCLUDEDELEMENTS = array(" . PHP_EOL . " '" . implode("'," . PHP_EOL . " '", $elements) . "'" . PHP_EOL . ' );' . PHP_EOL . " " . $placeholder, $shell);
}
@@ -1524,11 +1544,15 @@ public function __injectVarList(&$shell, $vars)
$var_list = null;
foreach ($vars as $key => $val) {
if (!is_string($key)) {
continue;
}
if (is_array($val)) {
$val = array_map('addslashes', $val);
$val = "array(" . PHP_EOL . " '" . implode("'," . PHP_EOL . " '", $val) . "'" . PHP_EOL . ' );';
$var_list .= ' public $dsParam' . strtoupper($key) . ' = ' . $val . PHP_EOL;
$var_list .= ' public $dsParam' . strtoupper(addslashes($key)) . ' = ' . $val . PHP_EOL;
} elseif (trim($val) !== '') {
$var_list .= ' public $dsParam' . strtoupper($key) . " = '" . addslashes($val) . "';" . PHP_EOL;
$var_list .= ' public $dsParam' . strtoupper(addslashes($key)) . " = '" . addslashes($val) . "';" . PHP_EOL;
}
}
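Review bot: In injectFilters (hunk `@@ -1474,19 +1490,19 @@`) the new guard `if (trim($val) == '' || !is_string($val))` evaluates trim() before the is_string() test, so a non-string filter value still reaches trim(), which warns on PHP 7 and throws a TypeError on PHP 8 instead of being skipped; reorder it to `if (!is_string($val) || trim($val) === '') {`. addslashes() is enough to keep a value inside a single-quoted literal, but it also escapes double quotes, which a single-quoted PHP string does not unescape, so a saved value containing `"` reads back as `\"`; `var_export($val, true)` yields a literal that round-trips exactly, and the same applies to the addslashes() calls in the events file hunks. In injectAboutInformation (hunk `@@ -1496,12 +1512,16 @@`) and the events-side `__injectAboutInformation`, `strtoupper(addslashes($key))` escapes the placeholder needle rather than emitted code, so it adds no protection and only prevents a key containing a quote or backslash from matching; keep `strtoupper($key)` for the needle and apply the escaping to `$val` only. In `__injectVarList` the key lands in an identifier position, `' public $dsParam' . strtoupper(addslashes($key))`, where addslashes() constrains nothing, so if those keys can be user-influenced they should be restricted to identifier characters first, e.g. `if (!is_string($key) || !preg_match('/^[a-z0-9_]+$/i', $key)) { continue; }`. injectFilters's body continues past its hunk.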
@@ -530,7 +530,7 @@ public function __formAction()
$eventShell = str_replace('<!-- ROOT ELEMENT -->', $rootelement, $eventShell);
$eventShell = str_replace('<!-- CLASS NAME -->', $classname, $eventShell);
$eventShell = str_replace('<!-- SOURCE -->', $source, $eventShell);
$eventShell = str_replace('<!-- SOURCE -->', addslashes($source), $eventShell);
// Remove left over placeholders
$eventShell = preg_replace(array('/<!--[\w ]++-->/'), '', $eventShell);
@@ -658,8 +658,8 @@ public function __injectFilters(&$shell, $elements)
if (!is_array($elements) || empty($elements)) {
return;
}
$shell = str_replace('<!-- FILTERS -->', "'" . implode("'," . PHP_EOL . "\t\t\t\t'", $elements) . "'", $shell);
$elements = array_map('addslashes', $elements);
$shell = str_replace('<!-- FILTERS -->', "'" . implode("'," . PHP_EOL . " '", $elements) . "'", $shell);
}
public function __injectAboutInformation(&$shell, $details)
@@ -669,7 +669,11 @@ public function __injectAboutInformation(&$shell, $details)
}
foreach ($details as $key => $val) {
$shell = str_replace('<!-- ' . strtoupper($key) . ' -->', addslashes($val), $shell);
if (!is_string($key) || !is_string($val)) {
continue;
}
$shell = str_replace('<!-- ' . strtoupper(addslashes($key)) . ' -->', addslashes($val), $shell);
}
}
}
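Review bot: The events-side `__injectFilters` (hunk `@@ -658,8 +658,8 @@`) applies `array_map('addslashes', $elements)` without checking that every element is a string, unlike the datasource editor's injectFilters in this same commit, so a nested array among the submitted filters would warn on PHP 7 or throw a TypeError on PHP 8 rather than being skipped; drop non-strings first, `$elements = array_map('addslashes', array_filter($elements, 'is_string'));`. The `$elements` parameter is untyped here while the datasource counterpart declares `array $filters`, so the two should also agree on the signature. `__injectFilters` and `__injectAboutInformation` both start outside their hunks.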
