From 1ca2719c7488662ebd7964c0d026e0890f923ee9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 11 Jun 2011 17:12:39 +0200
Subject: Only allow known protocols in RSS links

This fixes a security vulnerability where an attacker could introduce JavaScript links into wiki pages by including a prepared RSS feed.
---
 inc/parser/xhtml.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268b1..1af3a1ce1 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -40,6 +40,8 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 var $_counter = array(); // used as global counter, introduced for table classes
 var $_codeblock = 0; // counts the code and file blocks, used to provide download links
+ private $schemes = null; // protocol schemes
+
 /**
 * Register a new edit section range
 *
@@ -867,6 +869,14 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 $this->doc .= '
  • '; // support feeds without links
 $lnkurl = $item->get_permalink();
+ if($lnkurl){
+ // lnkurl might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$lnkurl);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $lnkurl = '';
+ }
+
 if($lnkurl){
 // title is escaped by SimplePie, we unescape here because it
 // is escaped again in externallink() FS#1705
-- 
cgit v1.2.3

From b52b15965611fc865058c0331b55e4e9bccabd2e Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Tue, 14 Jun 2011 19:50:29 +0200
Subject: only allow configured URL schemes in external links

This fixes a problem where JavaScript could be introduced through specially crafted RSS feeds on a lower level than the commit from yesterday (1ca2719c7488662ebd7964c0d026e0890f923ee9) This also fixes a problem where JavaScript links could be introduced by specifying it as an RSS URL: the resulting error message displays a link to the broken feed URL. This patch makes sure there's no working link for unknown protocols.
---
 inc/parser/xhtml.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1af3a1ce1..22dc58963 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -648,6 +648,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 $name = $this->_getLinkTitle($name, $url, $isImage);
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
 if ( !$isImage ) {
 $class='urlextern';
 } else {
-- 
cgit v1.2.3

From 5a2f326fba4cd3f692b56807e5a169b54253fda9 Mon Sep 17 00:00:00 2001 
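Review bot: The scheme allow-list added after `$lnkurl = $item->get_permalink();` is inlined into the feed-rendering method, and the same lines reappear in the external-link code in b52b15965611fc865058c0331b55e4e9bccabd2e further down this page, so the rule lives in two places; since the context comment says the title "is escaped again in externallink()", the link appears to pass through externallink() anyway and a single check there (or one shared helper) would suffice. In both copies `in_array($scheme,$this->schemes)` compares loosely; `if(!in_array($scheme, $this->schemes, true)) $lnkurl = '';` makes the comparison strict. A URL without `://` keeps its whole text in `$scheme`, which is exactly why a `javascript:` link fails the allow-list, and a comment such as `// no '://' leaves the whole URL in $scheme, so it can never match the allow-list` would record that intent. The enclosing method (the RSS item loop, judging by `$item->get_permalink()`) starts and ends outside the hunk.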
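Review bot: The new check reads `$this->schemes`, a property that 1ca2719c7488662ebd7964c0d026e0890f923ee9 (first hunk on this page) declares and that the revert 5a2f326fba4cd3f692b56807e5a169b54253fda9 below removes again while this code stays, so after that revert `if(is_null($this->schemes)) $this->schemes = getSchemes();` would touch an undeclared property and create it dynamically, unless the superseding commit a6b82e436e3d68a42a6556165d6aaf9249db44cd named in the revert restores it, which this page does not show. Keeping the `private $schemes = null;` declaration together with the code that uses it avoids that. The early exit `$this->doc .= $name; return;` writes whatever `_getLinkTitle()` returned straight into the document, which is safe only if that helper escapes the title for every input; since it is defined outside the hunk, a comment such as `// $name is already escaped/rendered by _getLinkTitle(); emit it as plain text, no link` would state the assumption. The enclosing method (externallink(), judging by the `urlextern` class and the commit title) starts and ends outside the hunk.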
From: Andreas Gohr
Date: Tue, 14 Jun 2011 19:58:44 +0200
Subject: Revert "Only allow known protocols in RSS links"

This reverts commit 1ca2719c7488662ebd7964c0d026e0890f923ee9 as it is now superseeded by a6b82e436e3d68a42a6556165d6aaf9249db44cd
---
 inc/parser/xhtml.php | 10 ----------
 1 file changed, 10 deletions(-)
(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 22dc58963..83359cd55 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -40,8 +40,6 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 var $_counter = array(); // used as global counter, introduced for table classes
 var $_codeblock = 0; // counts the code and file blocks, used to provide download links
- private $schemes = null; // protocol schemes
-
 /**
 * Register a new edit section range
 *
@@ -882,14 +880,6 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 $this->doc .= '
  • '; // support feeds without links
 $lnkurl = $item->get_permalink();
- if($lnkurl){
- // lnkurl might be an attack vector, only allow registered protocols
- if(is_null($this->schemes)) $this->schemes = getSchemes();
- list($scheme) = explode('://',$lnkurl);
- $scheme = strtolower($scheme);
- if(!in_array($scheme,$this->schemes)) $lnkurl = '';
- }
-
 if($lnkurl){
 // title is escaped by SimplePie, we unescape here because it
 // is escaped again in externallink() FS#1705
-- 
cgit v1.2.3