-rw-r--r-- | conf/dokuwiki.php | 1 | ||||
-rw-r--r-- | inc/lang/en/lang.php | 3 | ||||
-rw-r--r-- | inc/media.php | 19 | ||||
-rw-r--r-- | lib/plugins/config/lang/en/lang.php | 1 | ||||
-rw-r--r-- | lib/plugins/config/settings/config.metadata.php | 1 |
5 files changed, 21 insertions, 4 deletions
diff --git a/conf/dokuwiki.php b/conf/dokuwiki.php
index 66a2171b3..d442f0e93 100644
--- a/conf/dokuwiki.php
+++ b/conf/dokuwiki.php
@@ -54,6 +54,7 @@ $conf['mailguard'] = 'hex'; //obfuscate email addresses against sp
 // 'visible' - replace @ with [at], . with [dot] and - with [dash]
 // 'hex' - use hex entities to encode the mail address
 // 'none' - do not obfuscate addresses
+$conf['iexssprotect']= 1; // check for JavaScript and HTML in uploaded files 0|1
 
 /* Authentication Options - read http://www.splitbrain.org/dokuwiki/wiki:acl */
 
diff --git a/inc/lang/en/lang.php b/inc/lang/en/lang.php
index aa0aad6e0..23f17c52c 100644
--- a/inc/lang/en/lang.php
+++ b/inc/lang/en/lang.php
@@ -104,7 +104,8 @@ $lang['uploadfail'] = 'Upload failed. Maybe wrong permissions?';
 $lang['uploadwrong'] = 'Upload denied. This file extension is forbidden!';
 $lang['uploadexist'] = 'File already exists. Nothing done.';
 $lang['uploadbadcontent'] = 'The uploaded content did not match the %s file extension.';
-$lang['uploadspam'] = 'The upload was blocked by the spam blacklist';
+$lang['uploadspam'] = 'The upload was blocked by the spam blacklist.';
+$lang['uploadxss'] = 'The upload was blocked for possibly malicious content.';
 $lang['deletesucc'] = 'The file "%s" has been deleted.';
 $lang['deletefail'] = '"%s" couldn\'t be deleted - check permissions.';
 $lang['mediainuse'] = 'The file "%s" hasn\'t been deleted - it is still in use.';
diff --git a/inc/media.php b/inc/media.php
index 052e9a54a..8cf2bba81 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -226,6 +226,9 @@ function media_upload($ns,$auth){
 }elseif($ok == -2){
 msg($lang['uploadspam'],-1);
 return false;
+}elseif($ok == -3){
+msg($lang['uploadxss'],-1);
+return false;
 }
 
 // prepare directory
@@ -249,16 +252,27 @@ function media_upload($ns,$auth){
 
 /**
 * This function checks if the uploaded content is really what the
- * mimetype says it is. We also do spam checking for text types here
+ * mimetype says it is. We also do spam checking for text types here.
 *
 * We need to do this stuff because we can not rely on the browser
 * to do this check correctly. Yes, IE is broken as usual.
 *
 * @author Andreas Gohr <andi@splitbrain.org>
- * @link http://weblog.philringnalda.com/2004/04/06/getting-around-ies-mime-type-mangling
+ * @link http://www.splitbrain.org/blog/2007-02/12-internet_explorer_facilitates_cross_site_scripting
 * @fixme check all 26 magic IE filetypes here?
 */
 function media_contentcheck($file,$mime){
+ global $conf;
+ if($conf['iexssprotect']){
+ $fh = @fopen($file, 'rb');
+ if($fh){
+ $bytes = fread($fh, 256);
+ fclose($fh);
+ if(preg_match('/<(script|a|img|html|body|iframe)[\s>]/i',$bytes)){
+ return -3;
+ }
+ }
+ }
 if(substr($mime,0,6) == 'image/'){
 $info = @getimagesize($file);
 if($mime == 'image/gif' && $info[2] != 1){
@@ -273,7 +287,6 @@ function media_contentcheck($file,$mime){
 global $TEXT;
 $TEXT = io_readFile($file);
 if(checkwordblock()){
- msg('Content seems to be spam',-1);
 return -2;
 }
 }
diff --git a/lib/plugins/config/lang/en/lang.php b/lib/plugins/config/lang/en/lang.php
index 9f3df88bb..825f5cf85 100644
--- a/lib/plugins/config/lang/en/lang.php
+++ b/lib/plugins/config/lang/en/lang.php
@@ -80,6 +80,7 @@ $lang['usewordblock']= 'Block spam based on wordlist';
 $lang['indexdelay'] = 'Time delay before indexing (sec)';
 $lang['relnofollow'] = 'Use rel="nofollow" on external links';
 $lang['mailguard'] = 'Obfuscate email addresses';
+$lang['iexssprotect']= 'Check uploaded files for possibly malicious JavaScript or HTML code';
 
 /* Authentication Options */
 $lang['useacl'] = 'Use access control lists';
diff --git a/lib/plugins/config/settings/config.metadata.php b/lib/plugins/config/settings/config.metadata.php
index d1456b3e9..ee8db882f 100644
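Review bot: The new check at the top of media_contentcheck fails open: when `@fopen($file, 'rb')` returns false the `if($fh)` branch is skipped and the function carries on as though the content had been inspected, so an unreadable upload is accepted even with `iexssprotect` enabled. Treating an uninspectable file as rejected, `if(!$fh){ return -3; }` before the existing `if($fh)` block, keeps the setting meaningful, and the `@` can then be dropped so the underlying I/O error is not hidden. The scan only looks at the first `fread($fh, 256)` bytes, which reads as a content-sniffing heuristic rather than a full markup check; the literal deserves a comment saying why 256 was chosen (presumably the window IE sniffs — confirm) so a maintainer does not "fix" it away. The docblock should also document the new code path, e.g. `@return int -3 when possibly malicious markup is found in the first 256 bytes (only when $conf['iexssprotect'] is set), -2 when the text content is blocked as spam`. The rest of the function body and its other return values lie outside this hunk.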
--- a/lib/plugins/config/settings/config.metadata.php
+++ b/lib/plugins/config/settings/config.metadata.php
@@ -122,6 +122,7 @@ $meta['usewordblock']= array('onoff');
 $meta['relnofollow'] = array('onoff');
 $meta['indexdelay'] = array('numeric');
 $meta['mailguard'] = array('multichoice','_choices' => array('visible','hex','none'));
+$meta['iexssprotect']= array('onoff');
 
 $meta['_editing'] = array('fieldset');
 $meta['usedraft'] = array('onoff');
|