author | Andreas Gohr <andi@splitbrain.org> | 2011-06-11 17:12:39 +0200 |
committer | Andreas Gohr <andi@splitbrain.org> | 2011-06-13 14:26:35 +0200 |
commit | 1ca2719c7488662ebd7964c0d026e0890f923ee9 (patch) | |
tree | 357c5ff92e79eaefbed0adb76f27b9b848124d15 /inc | |
parent | 00162124b39c86b67dd3890ce992e568ed41cbee (diff) | |
download | rpg-1ca2719c7488662ebd7964c0d026e0890f923ee9.tar.gz rpg-1ca2719c7488662ebd7964c0d026e0890f923ee9.tar.bz2 |
Only allow known protocols in RSS links
This fixes a security vulnerability where an attacker could introduce
JavaScript links into wiki pages by including a prepared RSS feed.
Diffstat (limited to 'inc')
-rw-r--r-- | inc/parser/xhtml.php | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268b1..1af3a1ce1 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -40,6 +40,8 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 var $_counter = array(); // used as global counter, introduced for table classes
 var $_codeblock = 0; // counts the code and file blocks, used to provide download links
+ private $schemes = null; // protocol schemes
+
 /**
 * Register a new edit section range
 *
@@ -868,6 +870,14 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 // support feeds without links
 $lnkurl = $item->get_permalink();
 if($lnkurl){
+ // lnkurl might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$lnkurl);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $lnkurl = '';
+ }
+
+ if($lnkurl){
 // title is escaped by SimplePie, we unescape here because it
 // is escaped again in externallink() FS#1705
 $this->externallink($item->get_permalink(),
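Review bot: The validated URL is not the one emitted — after the new guard clears `$lnkurl`, the call on the hunk's last line still passes `$item->get_permalink()` to `externallink()`, so the allow-list only holds because the second `if($lnkurl)` gates that call; passing the checked value, `$this->externallink($lnkurl,`, keeps validation and use on the same variable so a later edit cannot separate them. The membership test should also be strict, `if(!in_array($scheme, $this->schemes, true)) $lnkurl = '';`, since loose comparison is not what a scheme allow-list intends. It is worth stating in the comment above `explode` that a permalink without `://` (a relative path, `mailto:`) leaves the whole string in `$scheme` and is therefore dropped, which appears to be the intended behaviour. The `externallink()` argument list continues past the end of the hunk.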