[#] 升级 UEditor 到1.4.3.3(20160526版本)

[#] 修复 XSS [^] 内网采集可配置
xbzbing · Jun 6, 2016 · 13f44d5 · 13f44d5
1 parent b60c395
commit 13f44d5
Show file tree

Hide file tree

Showing 13 changed files with 889 additions and 632 deletions.
diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ Yii2的百度UEditor扩展
 扩展特点：
 
 1. 支持多实例
-2. 支持缩略图（默认开启 `200x200`）
+2. 支持缩略图（默认关闭）
 3. 支持缩放（默认关闭）
 4. 支持水印（默认关闭）
 5. 图片管理加载优化
@@ -162,6 +162,8 @@ class EditorController extends crazydb\ueditor\UEditorController
 
 编辑器内默认情况下行高为1，大段中文编辑显示效果非常差，但是可以通过设置 `iframeCssUrl` 来修改编辑器内显示效果。
 
+默认不支持内网 IP 图片远程采集，如果部署在内网且需要这个功能,请配置`UEditorController::allowIntranet`为`true`。
+
 
 相关链接
 -----

diff --git a/UEditorController.php b/UEditorController.php
@@ -61,6 +61,14 @@ class UEditorController extends Controller
      */
     public $watermark = [];
 
+    /**
+     * 是否允许内网采集
+     * 如果为 false 则远程图片获取不获取内网图片，防止 SSRF。
+     * 默认为 false
+     * @var bool
+     */
+    public $allowIntranet = false;
+
     /**
      * 默认 action
      * @var string
@@ -107,7 +115,7 @@ public function init()
         ];
         $this->config = $this->config + $default + $CONFIG;
         $this->webroot = Yii::getAlias('@webroot');
-        if(!is_array($this->thumbnail))
+        if (!is_array($this->thumbnail))
             $this->thumbnail = false;
     }
 
@@ -275,6 +283,10 @@ public function actionCatchImage()
     protected function upload($fieldName, $config, $base64 = 'upload')
     {
         $up = new Uploader($fieldName, $config, $base64);
+
+        if ($this->allowIntranet)
+            $up->setAllowIntranet(true);
+
         $info = $up->getFileInfo();
         if ($this->thumbnail && $info['state'] == 'SUCCESS' && in_array($info['type'], ['.png', '.jpg', '.bmp', '.gif'])) {
             $info['thumbnail'] = Yii::$app->request->baseUrl . $this->imageHandle($info['url']);

diff --git a/Uploader.php b/Uploader.php
@@ -20,6 +20,7 @@
  */
 class Uploader
 {
+    private $allowIntranet = false;
     private $fileField; //文件域名
     private $file; //文件上传对象
     private $config; //配置信息
@@ -67,13 +68,22 @@ public function __construct($fileField, $config, $type = "upload")
         $this->type = $type;
         if ($type == "remote") {
             $this->saveRemote();
-        } else if($type == "base64") {
+        } else if ($type == "base64") {
             $this->upBase64();
         } else {
             $this->upFile();
         }
     }
 
+    /**
+     * 设置是否允许获取内网图片
+     * @param boolean $allow
+     */
+    public function setAllowIntranet($allow)
+    {
+        $this->allowIntranet = $allow ? true : false;
+    }
+
     /**
      * 上传文件的主处理方法
      * @return mixed
@@ -189,7 +199,7 @@ private function saveRemote()
             return;
         }
 
-        preg_match('/(^https*:\/\/[^:\/]+)/', $imgUrl, $matches);
+        preg_match('/(^https?:\/\/[^:\/]+)/', $imgUrl, $matches);
         $host_with_protocol = count($matches) > 1 ? $matches[1] : '';
 
         // 判断是否是合法 url
@@ -198,13 +208,14 @@ private function saveRemote()
             return;
         }
 
-        preg_match('/^https*:\/\/(.+)/', $host_with_protocol, $matches);
+        preg_match('/^https?:\/\/(.+)/', $host_with_protocol, $matches);
         $host_without_protocol = count($matches) > 1 ? $matches[1] : '';
 
-        // 此时提取出来的可能是 ip 也有可能是域名，先获取 ip
+        // 此时提取出来的可能是 IP 也有可能是域名，先获取 IP
         $ip = gethostbyname($host_without_protocol);
-        // 判断是否是私有 ip
-        if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE)) {
+
+        // 判断是否允许私有 IP
+        if (!$this->allowIntranet && !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE)) {
             $this->stateInfo = $this->getStateInfo("INVALID_IP");
             return;
         }
@@ -225,16 +236,18 @@ private function saveRemote()
         //打开输出缓冲区并获取远程图片
         ob_start();
         $context = stream_context_create(
-            array('http' => array(
-                'follow_location' => false // don't follow redirects
-            ))
+            [
+                'http' => [
+                    'follow_location' => false // don't follow redirects
+                ]
+            ]
         );
         readfile($imgUrl, false, $context);
         $img = ob_get_contents();
         ob_end_clean();
         preg_match("/[\/]([^\/]*)[\.]?[^\.\/]*$/", $imgUrl, $m);
 
-        $this->oriName = $m ? $m[1]:"";
+        $this->oriName = $m ? $m[1] : "";
 
         $this->fileSize = strlen($img);
         $this->fileType = $this->getFileExt();
@@ -325,7 +338,8 @@ private function getFullName()
      * 获取文件名
      * @return string
      */
-    private function getFileName () {
+    private function getFileName()
+    {
         return substr($this->filePath, strrpos($this->filePath, '/') + 1);
     }
 

diff --git a/assets/dialogs/image/image.js b/assets/dialogs/image/image.js
@@ -247,14 +247,17 @@
         },
         setPreview: function(){
             var url = $G('url').value,
-                ow = $G('width').value,
-                oh = $G('height').value,
-                border = $G('border').value,
+                ow = parseInt($G('width').value, 10) || 0,
+                oh = parseInt($G('height').value, 10) || 0,
+                border = parseInt($G('border').value, 10) || 0,
                 title = $G('title').value,
                 preview = $G('preview'),
                 width,
                 height;
 
+            url = utils.unhtmlForUrl(url);
+            title = utils.unhtml(title);
+
             width = ((!ow || !oh) ? preview.offsetWidth:Math.min(ow, preview.offsetWidth));
             width = width+(border*2) > preview.offsetWidth ? width:(preview.offsetWidth - (border*2));
             height = (!ow || !oh) ? '':width*oh/ow;

diff --git a/assets/dialogs/video/video.js b/assets/dialogs/video/video.js
@@ -270,6 +270,8 @@
 
         var conUrl = convert_url(url);
 
+        conUrl = utils.unhtmlForUrl(conUrl);
+
         $G("preview").innerHTML = '<div class="previewMsg"><span>'+lang.urlError+'</span></div>'+
         '<embed class="previewVideo" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer"' +
             ' src="' + conUrl + '"' +
@@ -284,8 +286,8 @@
     function insertUpload(){
         var videoObjs=[],
             uploadDir = editor.getOpt('videoUrlPrefix'),
-            width = $G('upload_width').value || 420,
-            height = $G('upload_height').value || 280,
+            width = parseInt($G('upload_width').value, 10) || 420,
+            height = parseInt($G('upload_height').value, 10) || 280,
             align = findFocus("upload_alignment","name") || 'none';
         for(var key in uploadVideoList) {
             var file = uploadVideoList[key];
@@ -786,4 +788,4 @@
         }
     };
 
-})();
+})();
diff --git a/assets/themes/default/css/ueditor.min.css b/assets/themes/default/css/ueditor.min.css
diff --git a/assets/third-party/video-js/video-js.swf b/assets/third-party/video-js/video-js.swf
diff --git a/assets/third-party/xss.min.js b/assets/third-party/xss.min.js