Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Patch/2.17.2-p2 #751

Merged
merged 2 commits into from
Aug 17, 2023
+105 −7
Merged

Patch/2.17.2-p2 #751

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fc69fcf
商品管理・メールテンプレートのXSS対応
dotani1111 Jul 26, 2023
4bfdc5a
p1->p2の対応
shinya Aug 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion data/class/SC_Initial.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
public function __construct()
{
/** EC-CUBEのバージョン */
define('ECCUBE_VERSION', '2.17.2-p1');
define('ECCUBE_VERSION', '2.17.2-p2');
}

/**
Expand Down Expand Up @@ -507,11 +507,11 @@
return;
}

$netUrlRequest = new Net_URL($_SERVER['REQUEST_URI']);

Check failure on line 510 in data/class/SC_Initial.php

View workflow job for this annotation

GitHub Actions / PHPStan 

Class Net_URL does not have a constructor and must be instantiated without any parameters.
// 要求を受けたホスト名
$request_hostname = $netUrlRequest->host;

$netUrlCorrect = new Net_URL(SC_Utils_Ex::sfIsHTTPS() ? HTTPS_URL : HTTP_URL);

Check failure on line 514 in data/class/SC_Initial.php

View workflow job for this annotation

GitHub Actions / PHPStan 

Class Net_URL does not have a constructor and must be instantiated without any parameters.
// 設定上のホスト名
$correct_hostname = $netUrlCorrect->host;

Expand Down
36 changes: 30 additions & 6 deletions data/smarty_extends/modifier.script_escape.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,36 @@ function smarty_modifier_script_escape($value)
{
if (is_array($value)) return $value;

$pattern = "/<script.*?>|<\/script>|javascript:|<svg.*(onload|onerror).*?>|<img.*(onload|onerror).*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|<.*onmouse.*?>|(\"|').*(onmouse|onerror|onload|onclick).*=.*(\"|').*/i";
$pattern = "<script.*?>|<\/script>|javascript:|<svg.*(onload|onerror).*?>|<img.*(onload|onerror).*?>|<body.*onload.*?>|<iframe.*?>|<object.*?>|<embed.*?>|";

// 追加でサニタイズするイベント一覧
$escapeEvents = array(
'onmouse',
'onclick',
'onblur',
'onfocus',
'onresize',
'onscroll',
'ondblclick',
'onchange',
'onselect',
'onsubmit',
'onkey',
);

// イベント毎の正規表現を生成
$generateHtmlTagPatterns = array_map(function($str) {
return "<(\w+)([^>]*\s)?\/?".$str."[^>]*>";
}, $escapeEvents);
$pattern .= implode("|", $generateHtmlTagPatterns)."|";
$pattern .= "(\"|').*(onerror|onload|".implode("|", $escapeEvents).").*=.*(\"|').*";

// 正規表現をまとめる
$attributesPattern = "/${pattern}/i";

// 置き換える文字列
$convert = '#script tag escaped#';

if (preg_match_all($pattern, $value, $matches)) {
return preg_replace($pattern, $convert, $value);
} else {
return $value;
}
// マッチしたら文字列を置き換える
return preg_replace($attributesPattern, $convert, $value);
}
74 changes: 74 additions & 0 deletions tests/class/modifier/Modifier_ScriptEscapeTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
<?php
require 'data/smarty_extends/modifier.script_escape.php';

/**
*
*/
class Modifier_ScriptEscapeTest extends PHPUnit_Framework_TestCase
{
public function scriptEscapeProvider()
{
return array(
array('<script type="text/javascript"></script>'),
array('<svg onload="alert(1)">test</svg>'),
array('<img onload="alert(1)">test</img>'),
array('<body onload="alert(1)">test</body>'),
array('<iframe></iframe>'),
array('<object></object>'),
array('<embed>'),
array('\"onclick=\"alert(1)\"'),
array('<p onclick="alert(1)">test</p>'),
array('<p onsubmit="alert(1)">test</p>'),
array('<p style="" onclick="alert(1)">test</p>'),
array('<input type="button"onfocus="alert(1)">'),
array('<input type="button" onblur="alert(1)">'),
array('<input onfocus="alert(1)" type="button">'),
array('<body onresize="alert(1)">'),
array('<div onscroll="alert(1)">'),
array('<div>javascript:test()</div>'),
array('<input type="button" ondblclick="alert(1)">'),
array('<input type="text" onchange="alert(1);">'),
array('<input type="text" onselect="alert(1);">'),
array('<form onsubmit="alert(1);">'),
array('<input type="button" onkeydown="alert(1)">'),
array('<input type="button" onkeypress="alert(1)">'),
array('<input type="button" onkeyup="alert(1)">'),
array('<input type=\"button\"\nonclick=\"alert(1)\">'),
array('<div/onscroll="alert(1)">'),
);
}

public function scriptNoEscapeProvider()
{
return array(
array('<p>test</p>'),
array('<input type="button">'),
array('<p>onclick</p>'),
array('<div>test</div>'),
array('<textarea>onclick="alert(1)";</textarea>'),
array('<p>onclick="\ntest();"</p>'),
array('<onclock'),
array('<oncl\nick'),
);
}

/**
* @dataProvider scriptEscapeProvider
*/
public function testメールテンプレート_エスケープされる($value)
{
$ret = smarty_modifier_script_escape($value);
$pattern = "/#script tag escaped#/";
$this->assertRegExp($pattern, $ret);
}

/**
* @dataProvider scriptNoEscapeProvider
*/
public function testメールテンプレート_エスケープされない($value)
{
$ret = smarty_modifier_script_escape($value);
$pattern = "/#script tag escaped#/";
$this->assertNotRegExp($pattern, $ret);
}
}
Loading