From 1ca2719c7488662ebd7964c0d026e0890f923ee9 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sat, 11 Jun 2011 17:12:39 +0200
Subject: Only allow known protocols in RSS links

This fixes a security vulnerability where an attacker could introduce
JavaScript links into wiki pages by including a prepared RSS feed.
---
 inc/parser/xhtml.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'inc/parser')

diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268b1..1af3a1ce1 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -40,6 +40,8 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
     var $_counter   = array(); // used as global counter, introduced for table classes
     var $_codeblock = 0; // counts the code and file blocks, used to provide download links
 
+    private $schemes = null; // protocol schemes
+
     /**
      * Register a new edit section range
      *
@@ -867,6 +869,14 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
                 $this->doc .= '<li><div class="li">';
                 // support feeds without links
                 $lnkurl = $item->get_permalink();
+                if($lnkurl){
+                    // lnkurl might be an attack vector, only allow registered protocols
+                    if(is_null($this->schemes)) $this->schemes = getSchemes();
+                    list($scheme) = explode('://',$lnkurl);
+                    $scheme = strtolower($scheme);
+                    if(!in_array($scheme,$this->schemes)) $lnkurl = '';
+                }
+
                 if($lnkurl){
                     // title is escaped by SimplePie, we unescape here because it
                     // is escaped again in externallink() FS#1705
-- 
cgit v1.2.3