Fix several vulnerabilities (#13927)

* Escape HTML in the location field of a calendar event post

- This allowed script tags to be interpreted in the post display of an event.

* Add form security token check to /admin/phpinfo module

- This prevents basic XSS attacks against /admin/phpinfo

* Add form security token check to /babel module

- This prevents basic XSS attacks against /babel

* Prevent pass-through for attachments

- This addresses a straightforward Reflected XSS vulnerability if a malicious HTML/Javascript file is attached to a post through upload

* Prevent overwriting cid on event edit

- This allowed to share an event as any other user after zeroing the cid field of an existing event
pull/13931/head
Hypolite Petovan 2024-02-22 00:53:52 -05:00 committed by GitHub
parent fc3898fe64
commit 5c5d7eb04f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 26 additions and 27 deletions

View File

@ -925,9 +925,6 @@ class Event
$end_short = ''; $end_short = '';
} }
// Format the event location.
$location = self::locationToArray($item['event-location']);
// Construct the profile link (magic-auth). // Construct the profile link (magic-auth).
$author = [ $author = [
'uid' => 0, 'uid' => 0,
@ -964,7 +961,7 @@ class Event
'$show_map_label' => DI::l10n()->t('Show map'), '$show_map_label' => DI::l10n()->t('Show map'),
'$hide_map_label' => DI::l10n()->t('Hide map'), '$hide_map_label' => DI::l10n()->t('Hide map'),
'$map_btn_label' => DI::l10n()->t('Show map'), '$map_btn_label' => DI::l10n()->t('Show map'),
'$location' => $location '$location' => self::locationToTemplateVars($item['event-location']),
]); ]);
return $return; return $return;
@ -984,7 +981,7 @@ class Event
* 'coordinates' => Latitude and longitude (e.g. '48.864716,2.349014').<br> * 'coordinates' => Latitude and longitude (e.g. '48.864716,2.349014').<br>
* @throws \Friendica\Network\HTTPException\InternalServerErrorException * @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/ */
private static function locationToArray(string $s = ''): array private static function locationToTemplateVars(string $s = ''): array
{ {
if ($s == '') { if ($s == '') {
return []; return [];

View File

@ -30,6 +30,8 @@ class PhpInfo extends BaseAdmin
{ {
self::checkAdminAccess(); self::checkAdminAccess();
self::checkFormSecurityTokenForbiddenOnError('phpinfo', 't');
phpinfo(); phpinfo();
System::exit(); System::exit();
} }

View File

@ -65,11 +65,7 @@ class Attach extends BaseModule
// error in Chrome for filenames with commas in them // error in Chrome for filenames with commas in them
header('Content-type: ' . $item['filetype']); header('Content-type: ' . $item['filetype']);
header('Content-length: ' . $item['filesize']); header('Content-length: ' . $item['filesize']);
if (isset($_GET['attachment']) && $_GET['attachment'] === '0') { header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
header('Content-disposition: filename="' . $item['filename'] . '"');
} else {
header('Content-disposition: attachment; filename="' . $item['filename'] . '"');
}
echo $data; echo $data;
System::exit(); System::exit();

View File

@ -104,7 +104,7 @@ abstract class BaseAdmin extends BaseModule
'logsview' => ['admin/logs/view' , DI::l10n()->t('View Logs') , 'viewlogs'], 'logsview' => ['admin/logs/view' , DI::l10n()->t('View Logs') , 'viewlogs'],
]], ]],
'diagnostics' => [DI::l10n()->t('Diagnostics'), [ 'diagnostics' => [DI::l10n()->t('Diagnostics'), [
'phpinfo' => ['admin/phpinfo' , DI::l10n()->t('PHP Info') , 'phpinfo'], 'phpinfo' => ['admin/phpinfo?t=' . self::getFormSecurityToken('phpinfo'), DI::l10n()->t('PHP Info') , 'phpinfo'],
'probe' => ['probe' , DI::l10n()->t('probe address') , 'probe'], 'probe' => ['probe' , DI::l10n()->t('probe address') , 'probe'],
'webfinger' => ['webfinger' , DI::l10n()->t('check webfinger') , 'webfinger'], 'webfinger' => ['webfinger' , DI::l10n()->t('check webfinger') , 'webfinger'],
'babel' => ['babel' , DI::l10n()->t('Babel') , 'babel'], 'babel' => ['babel' , DI::l10n()->t('Babel') , 'babel'],

View File

@ -142,7 +142,8 @@ class API extends BaseModule
{ {
$eventId = !empty($request['event_id']) ? intval($request['event_id']) : 0; $eventId = !empty($request['event_id']) ? intval($request['event_id']) : 0;
$uid = (int)$this->session->getLocalUserId(); $uid = (int)$this->session->getLocalUserId();
$cid = !empty($request['cid']) ? intval($request['cid']) : 0; // No overwriting event.cid on edit
$cid = !empty($request['cid']) && !$eventId ? intval($request['cid']) : 0;
$strStartDateTime = Strings::escapeHtml($request['start_text'] ?? ''); $strStartDateTime = Strings::escapeHtml($request['start_text'] ?? '');
$strFinishDateTime = Strings::escapeHtml($request['finish_text'] ?? ''); $strFinishDateTime = Strings::escapeHtml($request['finish_text'] ?? '');

View File

@ -43,10 +43,11 @@ class Babel extends BaseModule
} }
$results = []; $results = [];
if (!empty($_REQUEST['text'])) { if (!empty($request['text'])) {
switch (($_REQUEST['type'] ?? '') ?: 'bbcode') { self::checkFormSecurityTokenForbiddenOnError('babel');
switch (($request['type'] ?? '') ?: 'bbcode') {
case 'bbcode': case 'bbcode':
$bbcode = $_REQUEST['text']; $bbcode = $request['text'];
$results[] = [ $results[] = [
'title' => DI::l10n()->t('Source input'), 'title' => DI::l10n()->t('Source input'),
'content' => visible_whitespace($bbcode) 'content' => visible_whitespace($bbcode)
@ -136,7 +137,7 @@ class Babel extends BaseModule
]; ];
break; break;
case 'diaspora': case 'diaspora':
$diaspora = trim($_REQUEST['text']); $diaspora = trim($request['text']);
$results[] = [ $results[] = [
'title' => DI::l10n()->t('Source input (Diaspora format)'), 'title' => DI::l10n()->t('Source input (Diaspora format)'),
'content' => visible_whitespace($diaspora), 'content' => visible_whitespace($diaspora),
@ -144,7 +145,7 @@ class Babel extends BaseModule
$markdown = XML::unescape($diaspora); $markdown = XML::unescape($diaspora);
case 'markdown': case 'markdown':
$markdown = $markdown ?? trim($_REQUEST['text']); $markdown = $markdown ?? trim($request['text']);
$results[] = [ $results[] = [
'title' => DI::l10n()->t('Source input (Markdown)'), 'title' => DI::l10n()->t('Source input (Markdown)'),
@ -169,7 +170,7 @@ class Babel extends BaseModule
]; ];
break; break;
case 'html' : case 'html' :
$html = trim($_REQUEST['text']); $html = trim($request['text']);
$results[] = [ $results[] = [
'title' => DI::l10n()->t('Raw HTML input'), 'title' => DI::l10n()->t('Raw HTML input'),
'content' => visible_whitespace($html), 'content' => visible_whitespace($html),
@ -239,7 +240,7 @@ class Babel extends BaseModule
]; ];
break; break;
case 'twitter': case 'twitter':
$json = trim($_REQUEST['text']); $json = trim($request['text']);
if (file_exists('addon/twitter/twitter.php')) { if (file_exists('addon/twitter/twitter.php')) {
require_once 'addon/twitter/twitter.php'; require_once 'addon/twitter/twitter.php';
@ -302,13 +303,14 @@ class Babel extends BaseModule
$tpl = Renderer::getMarkupTemplate('babel.tpl'); $tpl = Renderer::getMarkupTemplate('babel.tpl');
$o = Renderer::replaceMacros($tpl, [ $o = Renderer::replaceMacros($tpl, [
'$title' => DI::l10n()->t('Babel Diagnostic'), '$title' => DI::l10n()->t('Babel Diagnostic'),
'$text' => ['text', DI::l10n()->t('Source text'), $_REQUEST['text'] ?? '', ''], '$form_security_token' => self::getFormSecurityToken('babel'),
'$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'bbcode'], '$text' => ['text', DI::l10n()->t('Source text'), $request['text'] ?? '', ''],
'$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'diaspora'], '$type_bbcode' => ['type', DI::l10n()->t('BBCode'), 'bbcode', '', (($request['type'] ?? '') ?: 'bbcode') == 'bbcode'],
'$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'markdown'], '$type_diaspora' => ['type', DI::l10n()->t('Diaspora'), 'diaspora', '', (($request['type'] ?? '') ?: 'bbcode') == 'diaspora'],
'$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'html'], '$type_markdown' => ['type', DI::l10n()->t('Markdown'), 'markdown', '', (($request['type'] ?? '') ?: 'bbcode') == 'markdown'],
'$type_html' => ['type', DI::l10n()->t('HTML'), 'html', '', (($request['type'] ?? '') ?: 'bbcode') == 'html'],
'$flag_twitter' => file_exists('addon/twitter/twitter.php'), '$flag_twitter' => file_exists('addon/twitter/twitter.php'),
'$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($_REQUEST['type'] ?? '') ?: 'bbcode') == 'twitter'], '$type_twitter' => ['type', DI::l10n()->t('Twitter Source / Tweet URL (requires API key)'), 'twitter', '', (($request['type'] ?? '') ?: 'bbcode') == 'twitter'],
'$results' => $results, '$results' => $results,
'$submit' => DI::l10n()->t('Submit'), '$submit' => DI::l10n()->t('Submit'),
]); ]);

View File

@ -1,6 +1,7 @@
<div id="babel" class="generic-page-wrapper"> <div id="babel" class="generic-page-wrapper">
<h2>{{$title}}</h2> <h2>{{$title}}</h2>
<form action="babel" method="post" class="panel panel-default"> <form action="babel" method="post" class="panel panel-default">
<input type="hidden" name="form_security_token" value="{{$form_security_token}}">
<div class="panel-body"> <div class="panel-body">
<div class="form-group"> <div class="form-group">
{{include file="field_textarea.tpl" field=$text}} {{include file="field_textarea.tpl" field=$text}}
@ -30,4 +31,4 @@
{{/foreach}} {{/foreach}}
</div> </div>
</div> </div>
{{/if}} {{/if}}

View File

@ -23,7 +23,7 @@
</span> </span>
{{if $location.name}} {{if $location.name}}
<span role="presentation" aria-hidden="true"> · </span> <span role="presentation" aria-hidden="true"> · </span>
<span class="event-location event-card-location">{{$location.name nofilter}}</span> <span class="event-location event-card-location">{{$location.name}}</span>
{{/if}} {{/if}}
</div> </div>
<div class="event-card-profile-name profile-entry-name"> <div class="event-card-profile-name profile-entry-name">