Changeset 1608f43 in github


Timestamp:
Dec 24, 2008 9:19:27 AM (4 years ago)
Author:
thomascube <thomas@…>
Branches:
master, HEAD, courier-fix, dev-browser-capabilities, pdo, release-0.6, release-0.7, release-0.8
Children:
230f944
Parents:
4e0419b
Message:

Secure bin scripts by requiring a valid session and replace preg_replace(/../e) with preg_replace_callback

Files:
4 edited

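--- a/bin/html2text.php
+++ b/bin/html2text.php
@@ -21,10 +21,18 @@
 
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
 
-$converter = new html2text($HTTP_RAW_POST_DATA);
+$RCMAIL = rcmail::get_instance();
 
-header('Content-Type: text/plain; charset=UTF-8');
-print trim($converter->get_text());
+if (!empty($RCMAIL->user->ID)) {
+  $converter = new html2text($HTTP_RAW_POST_DATA);
+
+  header('Content-Type: text/plain; charset=UTF-8');
+  print trim($converter->get_text());
+}
+else {
+  header("HTTP/1.0 403 Forbidden");
+  echo "Requires a valid user session";
+}
 
 ?>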
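Review bot: The new guard on line 27 protects the conversion, but the body still comes from `$HTTP_RAW_POST_DATA` on line 28, which PHP only fills for some content types unless `always_populate_raw_post_data` is enabled, so a client posting as `application/x-www-form-urlencoded` presumably gets an empty conversion rather than an error; `file_get_contents('php://input')` is populated regardless of that setting. The 403 branch on lines 34-35 also sends its message without a Content-Type while the success branch sets text/plain, so I would hoist `header('Content-Type: text/plain; charset=UTF-8');` above the `if` so both responses are labelled. As far as this hunk shows, nothing ties the request to a token for the session, so the endpoint remains callable cross-site from a logged-in user's browser; that is harmless for a plain text conversion, but worth a comment so nobody later trusts the output for anything else.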
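--- a/bin/modcss.php
+++ b/bin/modcss.php
@@ -21,8 +21,10 @@
 
 define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/');
-require INSTALL_PATH.'program/include/iniset.php';
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
 
 $source = "";
-if ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u']))
+if (!empty($RCMAIL->user->ID) && ($url = preg_replace('/[^a-z0-9.-_\?\$&=%]/i', '', $_GET['u'])))
 {
         $a_uri = parse_url($url);
@@ -60,6 +62,8 @@
         echo rcmail_mod_css_styles($source, preg_replace('/[^a-z0-9]/i', '', $_GET['c']), $url);
 }
-else
+else {
         header("HTTP/1.0 404 Not Found");
+        echo "Requires a valid user session and source url";
+}
 
 ?>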
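Review bot: The character class in the guard on new line 28, `[^a-z0-9.-_\?\$&=%]`, contains `.-_`, which PCRE reads as the byte range 0x2E-0x5F rather than three literal characters, so `/`, `:`, `@`, `;`, `<`, `>`, `[`, `\` and `]` all survive the strip; the filter only lets URLs through because of that accident and constrains very little of what reaches `parse_url` on line 30 and, presumably, the server-side fetch that follows outside this hunk. Requiring a session stops anonymous callers, but any logged-in user can still point the server at a host of their choosing, so I would validate the parsed URL instead of character-stripping the raw one: after `$a_uri = parse_url($url);` add `if (empty($a_uri['host']) || !in_array($a_uri['scheme'], array('http', 'https'))) { header("HTTP/1.0 404 Not Found"); exit; }`, and reject loopback and private address ranges if internal services are reachable from the mail host. `$_GET['u']` is also read without an `isset()` check, which raises a notice on a bare request. The body of the `if` continues past the end of the first hunk.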
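--- a/bin/quotaimg.php
+++ b/bin/quotaimg.php
@@ -18,4 +18,9 @@
 
 */
+
+define('INSTALL_PATH', realpath(dirname(__FILE__).'/..') . '/');
+require INSTALL_PATH . 'program/include/iniset.php';
+
+$RCMAIL = rcmail::get_instance();
 
 $used   = isset($_GET['u']) ? intval($_GET['u']) : '??';
@@ -187,9 +192,10 @@
 }
 
-if ($width > 1 && $height > 1) {
-        genQuota($used, $quota, $width, $height);  
+if (!empty($RCMAIL->user->ID) && $width > 1 && $height > 1) {
+        genQuota($used, $quota, $width, $height);
 }
 else {
-        header("HTTP/1.0 404 Not Found");
+        header("HTTP/1.0 403 Forbidden");
+        echo "Requires a valid user session and positive values";
 }
 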
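Review bot: The session check on new line 194 sits at the very end of the script, so everything between `$RCMAIL = rcmail::get_instance();` on line 24 and line 192 — not shown here, but it at least includes the `$_GET` parsing that starts on line 26 — still runs for anonymous requests before they are rejected; unless that stretch is only function definitions, I would fail fast right after `get_instance()` with `if (empty($RCMAIL->user->ID)) { header("HTTP/1.0 403 Forbidden"); exit; }` and leave line 194 as the plain `$width > 1 && $height > 1` test. The single 403 branch now answers two unrelated conditions (no session, unusable dimensions) with one message, so a misconfigured client is indistinguishable from an unauthenticated one in the logs; the old 404 was arguably the more accurate status for the dimension case. `genQuota` is defined outside this hunk.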
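--- a/program/include/main.inc
+++ b/program/include/main.inc
@@ -613,16 +613,24 @@
       '/(^\s*<!--)|(-->\s*$)/',
       '/(^\s*|,\s*|\}\s*)([a-z0-9\._#][a-z0-9\.\-_]*)/im',
-      '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/ime',
-      '/<<str_replacement\[([0-9]+)\]>>/e',
-      "/$container_id\s+body/i"
+      "/$container_id\s+body/i",
     ),
     array(
       '',
       "\\1#$container_id \\2",
-      "sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url('\\2','$base_url')), urlencode($container_id))",
-      "\$a_css_values[\\1]",
-      "$container_id div.rcmBody"
+      "$container_id div.rcmBody",
     ),
     $source);
+  
+  // replace all @import statements to modify the imported CSS sources too
+  $styles = preg_replace_callback(
+    '/@import\s+(url\()?[\'"]?([^\)\'"]+)[\'"]?(\))?/im',
+    create_function('$matches', "return sprintf(\"@import url('./bin/modcss.php?u=%s&c=%s')\", urlencode(make_absolute_url(\$matches[2],'$base_url')), urlencode('$container_id'));"),
+    $styles);
+  
+  // put block contents back in
+  $styles = preg_replace_callback(
+    '/<<str_replacement\[([0-9]+)\]>>/',
+    create_function('$matches', "\$values = ".var_export($a_css_values, true)."; return \$values[\$matches[1]];"),
+    $styles);
 
   return $styles;
@@ -640,5 +648,5 @@
 {
   $out = html_entity_decode(html_entity_decode($content));
-  $out = preg_replace('/\\\([0-9a-f]{4})/ie', "chr(hexdec('\\1'))", $out);
+  $out = preg_replace_callback('/\\\([0-9a-f]{4})/i', create_function('$matches', 'return chr(hexdec($matches[1]));'), $out);
   $out = preg_replace('#/\*.*\*/#Um', '', $out);
   return $out;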
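Review bot: The `create_function` callback on new line 627 is still built by interpolating `$base_url` and `$container_id` into PHP source as `'$base_url'` and `'$container_id'` inside the code string, so a value containing a single quote or a backslash would break out of the literal and be executed — the same class of problem the `/e` removal is meant to close; whether those two values can ever carry attacker-controlled text is not visible here, since the signature of `rcmail_mod_css_styles` lies outside the hunk, so treat this as defence in depth rather than a known hole. The commit already uses the safe form for `$a_css_values` on line 633 via `var_export`, and the same should be done here: `urlencode(make_absolute_url(\$matches[2], " . var_export($base_url, true) . ")), urlencode(" . var_export($container_id, true) . "));`. Passing match group 2 as a real argument instead of splicing it into evaluated code, which is what the old `'\\2'` did, is the actual fix and looks right.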