From 1ca2719c7488662ebd7964c0d026e0890f923ee9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 11 Jun 2011 17:12:39 +0200
Subject: Only allow known protocols in RSS links

This fixes a security vulnerability where an attacker could introduce
JavaScript links into wiki pages by including a prepared RSS feed.
---
 inc/parser/xhtml.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268b1..1af3a1ce1 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -40,6 +40,8 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
     var $_counter   = array(); // used as global counter, introduced for table classes
     var $_codeblock = 0; // counts the code and file blocks, used to provide download links
 
+    private $schemes = null; // protocol schemes
+
     /**
      * Register a new edit section range
      *
@@ -867,6 +869,14 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
                 $this->doc .= '<li><div class="li">';
                 // support feeds without links
                 $lnkurl = $item->get_permalink();
+                if($lnkurl){
+                    // lnkurl might be an attack vector, only allow registered protocols
+                    if(is_null($this->schemes)) $this->schemes = getSchemes();
+                    list($scheme) = explode('://',$lnkurl);
+                    $scheme = strtolower($scheme);
+                    if(!in_array($scheme,$this->schemes)) $lnkurl = '';
+                }
+
                 if($lnkurl){
                     // title is escaped by SimplePie, we unescape here because it
                     // is escaped again in externallink() FS#1705
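Review bot: The allowlist test in the added `if($lnkurl){` block rejects scheme-less input such as a `javascript:` URL only as a side effect: with no `://` present, `explode()` returns the whole string as `$scheme`, and that string is simply not in the list. That fail-closed behaviour deserves a comment, e.g. `// no '://' => the whole URL becomes $scheme and is rejected; keep this fail-closed`, so a later switch to another URL parser does not quietly loosen it. The lookup is also loosely typed; `if(!in_array($scheme,$this->schemes,true)) $lnkurl = '';` avoids PHP's type juggling should `getSchemes()` ever return non-string entries. The same two lines recur in the hunk of the next patch on this page (b52b1596), and the enclosing method starts and ends outside this hunk.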
-- 
cgit v1.2.3


From b52b15965611fc865058c0331b55e4e9bccabd2e Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 14 Jun 2011 19:50:29 +0200
Subject: only allow configured URL schemes in external links

This fixes a problem where JavaScript could be introduced through
specially crafted RSS feeds on a lower level than the commit from
yesterday (1ca2719c7488662ebd7964c0d026e0890f923ee9)

This also fixes a problem where JavaScript links could be introduced by
specifying it as an RSS URL: the resulting error message displays a
link to the broken feed URL. This patch makes sure there's no working
link for unknown protocols.
---
 inc/parser/xhtml.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1af3a1ce1..22dc58963 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -648,6 +648,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 
         $name = $this->_getLinkTitle($name, $url, $isImage);
 
+        // url might be an attack vector, only allow registered protocols
+        if(is_null($this->schemes)) $this->schemes = getSchemes();
+        list($scheme) = explode('://',$url);
+        $scheme = strtolower($scheme);
+        if(!in_array($scheme,$this->schemes)) $url = '';
+
+        // is there still an URL?
+        if(!$url){
+            $this->doc .= $name;
+            return;
+        }
+
+        // set class
         if ( !$isImage ) {
             $class='urlextern';
         } else {
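Review bot: The new early return `$this->doc .= $name;` writes the link title straight into the output, so it is safe only if `_getLinkTitle()` has already HTML-escaped `$name`; the hunk does not show that, and for feed items the title presumably comes from the same untrusted source as the URL. A comment at that line would pin the assumption: `// $name comes escaped from _getLinkTitle(); print it as plain text, no anchor`. Because the test keys on `://`, any URL without it (relative or scheme-relative) is blanked as well, which is the safe default but worth stating in the comment above the check. The enclosing method begins and ends outside this hunk.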
-- 
cgit v1.2.3


From 5a2f326fba4cd3f692b56807e5a169b54253fda9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 14 Jun 2011 19:58:44 +0200
Subject: Revert "Only allow known protocols in RSS links"

This reverts commit 1ca2719c7488662ebd7964c0d026e0890f923ee9 as it is
now superseded by a6b82e436e3d68a42a6556165d6aaf9249db44cd
---
 inc/parser/xhtml.php | 10 ----------
 1 file changed, 10 deletions(-)

(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 22dc58963..83359cd55 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -40,8 +40,6 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
     var $_counter   = array(); // used as global counter, introduced for table classes
     var $_codeblock = 0; // counts the code and file blocks, used to provide download links
 
-    private $schemes = null; // protocol schemes
-
     /**
      * Register a new edit section range
      *
@@ -882,14 +880,6 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
                 $this->doc .= '<li><div class="li">';
                 // support feeds without links
                 $lnkurl = $item->get_permalink();
-                if($lnkurl){
-                    // lnkurl might be an attack vector, only allow registered protocols
-                    if(is_null($this->schemes)) $this->schemes = getSchemes();
-                    list($scheme) = explode('://',$lnkurl);
-                    $scheme = strtolower($scheme);
-                    if(!in_array($scheme,$this->schemes)) $lnkurl = '';
-                }
-
                 if($lnkurl){
                     // title is escaped by SimplePie, we unescape here because it
                     // is escaped again in externallink() FS#1705
-- 
cgit v1.2.3


From 4a24b45986919be03b551e34be6931eb88a37ec0 Mon Sep 17 00:00:00 2001
From: Kate Arzamastseva <pshns@ukr.net>
Date: Fri, 2 Sep 2011 14:52:25 +0300
Subject: issue #46 Render links to missing media files as link to the media
 manager

---
 inc/parser/xhtml.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 83359cd55..ea1756803 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -805,8 +805,10 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
         if($hash) $link['url'] .= '#'.$hash;
 
         //markup non existing files
-        if (!$exists)
-          $link['class'] .= ' wikilink2';
+        if (!$exists) {
+            $link['class'] .= ' wikilink2';
+            $link['url'] = media_managerURL(array('tab_details' => 'view', 'image' => $src, 'ns' => getNS($src)), '&');
+        }
 
         //output formatted
         if ($linking == 'nolink' || $noLink) $this->doc .= $link['name'];
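Review bot: Assigning `$link['url']` inside the new `if (!$exists)` block discards the `'#'.$hash` fragment appended two lines earlier, and it places the raw `$src` taken from wiki markup into a query string. If `media_managerURL()` does not URL-encode its parameters (not visible here), characters in `$src` could alter the generated link, so that should be confirmed before relying on it. I would add a comment such as `// missing file: link to the media manager instead; $hash is dropped on purpose, media_managerURL() must encode $src`. The link also appears to be emitted for every reader regardless of upload rights, which may be intended but is not stated. The enclosing method starts and ends outside the hunk.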
-- 
cgit v1.2.3


From 46213daa86e91437d10a0bc603399f4d999b04ca Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 11:23:20 +0200
Subject: cleanup of handler.php

The file contained a few DOS line endings and trailing spaces
---
 inc/parser/handler.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'inc/parser')

diff --git a/inc/parser/handler.php b/inc/parser/handler.php
index 22a50d1b7..0e54425f7 100644
--- a/inc/parser/handler.php
+++ b/inc/parser/handler.php
@@ -1489,10 +1489,10 @@ class Doku_Handler_Block {
         }
     }
 
-    function openParagraph($pos){
+    function openParagraph($pos){
         if ($this->inParagraph) return;
         $this->calls[] = array('p_open',array(), $pos);
-        $this->inParagraph = true;
+        $this->inParagraph = true;
         $this->skipEol = true;
     }
 
@@ -1503,7 +1503,7 @@ class Doku_Handler_Block {
      *
      * @author Andreas Gohr <andi@splitbrain.org>
      */
-    function closeParagraph($pos){
+    function closeParagraph($pos){
         if (!$this->inParagraph) return;
         // look back if there was any content - we don't want empty paragraphs
         $content = '';
@@ -1521,17 +1521,17 @@ class Doku_Handler_Block {
         if(trim($content)==''){
             //remove the whole paragraph
             array_splice($this->calls,$i);
-        }else{
-            // remove ending linebreaks in the paragraph
-            $i=count($this->calls)-1;
+        }else{
+            // remove ending linebreaks in the paragraph
+            $i=count($this->calls)-1;
             if ($this->calls[$i][0] == 'cdata') $this->calls[$i][1][0] = rtrim($this->calls[$i][1][0],DOKU_PARSER_EOL);
             $this->calls[] = array('p_close',array(), $pos);
         }
 
-        $this->inParagraph = false;
+        $this->inParagraph = false;
         $this->skipEol = true;
     }
-    
+
     function addCall($call) {
         $key = count($this->calls);
         if ($key and ($call[0] == 'cdata') and ($this->calls[$key-1][0] == 'cdata')) {
@@ -1553,7 +1553,7 @@ class Doku_Handler_Block {
      * @author Andreas Gohr <andi@splitbrain.org>
      */
     function process($calls) {
-        // open first paragraph
+        // open first paragraph
         $this->openParagraph(0);
         foreach ( $calls as $key => $call ) {
             $cname = $call[0];
-- 
cgit v1.2.3


From a86cc527f2653a972a7416116630b5be5c3e380c Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 11:24:19 +0200
Subject: Fix performance issue in close_paragraph

Looks like a for loop is faster than array_splice
---
 inc/parser/handler.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'inc/parser')

diff --git a/inc/parser/handler.php b/inc/parser/handler.php
index 0e54425f7..24d880e2d 100644
--- a/inc/parser/handler.php
+++ b/inc/parser/handler.php
@@ -1520,7 +1520,8 @@ class Doku_Handler_Block {
 
         if(trim($content)==''){
             //remove the whole paragraph
-            array_splice($this->calls,$i);
+            //array_splice($this->calls,$i); // <- this is much slower than the loop below
+            for($x=$ccount-1; $x>=$i; $x--) unset($this->calls[$x]);
         }else{
             // remove ending linebreaks in the paragraph
             $i=count($this->calls)-1;
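Review bot: `$ccount` in the added `for` loop is not assigned anywhere in this hunk, and the follow-up patch on this page (faba9a35) is the one that introduces it; applied alone, this commit would leave the loop bound undefined, so the empty paragraph would presumably not be removed. The two changes belong in one commit, or the loop should read `for($x=count($this->calls)-1; $x>=$i; $x--) unset($this->calls[$x]);` here. The commented-out `array_splice` line is better replaced by a plain why-comment than kept as dead code. The enclosing method starts and ends outside the hunk.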
-- 
cgit v1.2.3


From faba9a3522d0d79f3d6172e15804bc23c1215ddf Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 11:32:17 +0200
Subject: added the missing bit to my last commit

---
 inc/parser/handler.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'inc/parser')

diff --git a/inc/parser/handler.php b/inc/parser/handler.php
index 24d880e2d..6754d2560 100644
--- a/inc/parser/handler.php
+++ b/inc/parser/handler.php
@@ -1507,7 +1507,8 @@ class Doku_Handler_Block {
         if (!$this->inParagraph) return;
         // look back if there was any content - we don't want empty paragraphs
         $content = '';
-        for($i=count($this->calls)-1; $i>=0; $i--){
+        $ccount = count($this->calls);
+        for($i=$ccount-1; $i>=0; $i--){
             if($this->calls[$i][0] == 'p_open'){
                 break;
             }elseif($this->calls[$i][0] == 'cdata'){
-- 
cgit v1.2.3


From a284275484f42c92beaac76c05a80e66d3ab3026 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 13:16:37 +0200
Subject: fix off-by-one error

---
 inc/parser/handler.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc/parser')

diff --git a/inc/parser/handler.php b/inc/parser/handler.php
index 6754d2560..fd4304ba5 100644
--- a/inc/parser/handler.php
+++ b/inc/parser/handler.php
@@ -1522,7 +1522,7 @@ class Doku_Handler_Block {
         if(trim($content)==''){
             //remove the whole paragraph
             //array_splice($this->calls,$i); // <- this is much slower than the loop below
-            for($x=$ccount-1; $x>=$i; $x--) unset($this->calls[$x]);
+            for($x=$ccount-1; $x>$i; $x--) unset($this->calls[$x]);
         }else{
             // remove ending linebreaks in the paragraph
             $i=count($this->calls)-1;
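Review bot: Changing the bound to `$x>$i` leaves the entry at index `$i` in `$this->calls`, whereas the `array_splice($this->calls,$i)` it replaces removed that entry as well. If `$i` is the position of the `p_open` call found by the look-back loop (outside this hunk), an opening paragraph call with no content would remain in the list. A comment naming the intended range, e.g. `// drop calls $i+1 .. $ccount-1; the entry at $i stays because …`, would make clear which behaviour is wanted and let a reader check it against the old splice. The enclosing method starts and ends outside the hunk.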
-- 
cgit v1.2.3


From d8f7a7f328a68b48d9ef5c0987b6a4915d43735e Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 15 Oct 2011 14:24:20 +0200
Subject: replace unset with array_pop

unset does not reset the Array's internal pointer which messes up later
calls. array_pop is still much faster than array_splice
---
 inc/parser/handler.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'inc/parser')

diff --git a/inc/parser/handler.php b/inc/parser/handler.php
index fd4304ba5..55b715ad9 100644
--- a/inc/parser/handler.php
+++ b/inc/parser/handler.php
@@ -1522,7 +1522,7 @@ class Doku_Handler_Block {
         if(trim($content)==''){
             //remove the whole paragraph
             //array_splice($this->calls,$i); // <- this is much slower than the loop below
-            for($x=$ccount-1; $x>$i; $x--) unset($this->calls[$x]);
+            for($x=$ccount; $x>$i; $x--) array_pop($this->calls);
         }else{
             // remove ending linebreaks in the paragraph
             $i=count($this->calls)-1;
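Review bot: The new loop works only as a counter: it never uses `$x` as an index and pops `$ccount-$i` entries, which matches the old `array_splice($this->calls,$i)` as long as `$ccount` still equals `count($this->calls)` at this point. That is not obvious from `for($x=$ccount; $x>$i; $x--)`, so a comment is needed, e.g. `// pop $ccount-$i entries (indexes $i..$ccount-1); array_pop keeps the keys contiguous`. The comment on the disabled `array_splice` line still says "the loop below" and could be folded into the same note. The enclosing method starts and ends outside the hunk.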
-- 
cgit v1.2.3