tb.inc.php leaks content of auth-protected page

TrackBack implimentation had been removed entirely

BugTrack2/62:

TrackBack implimentation had been removed entirely
due to extremely strong suspicion of violating copyright.
'referer' function (that use the implimentation), also
removed.

メッセージ

tb.inc.php leaks content of protected page as <description> when you query it using "__mode=rss"
also, i think unauthed users should not see received trackbacks even if they figured trackback url. (md5..)

--- orig/plugin/tb.inc.php      Sun Jan 23 12:15:40 2005
+++ plugin/tb.inc.php   Thu Feb 24 18:13:32 2005
@@ -113,18 +114,19 @@
 // ?__mode=rss
 function plugin_tb_mode_rss($tb_id)
 {
-       global $script, $vars, $entity_pattern;
+       global $script, $vars, $entity_pattern, $_title_cannotread;

        $page = tb_id2page($tb_id);
        if ($page === FALSE) return FALSE;

        $items = '';
-       foreach (tb_get(tb_get_filename($page)) as $arr) {
-               // _utime_, title, excerpt, _blog_name_
-               array_shift($arr); // Cut utime
-               list ($url, $title, $excerpt) = array_map(
-                       create_function('$a', 'return htmlspecialchars($a);'), $arr);
-               $items .= <<<EOD
+       if (check_readable($page, FALSE, FALSE))
+               foreach (tb_get(tb_get_filename($page)) as $arr) {
+                       // _utime_, title, excerpt, _blog_name_
+                       array_shift($arr); // Cut utime
+                       list ($url, $title, $excerpt) = array_map(
+                               create_function('$a', 'return htmlspecialchars($a);'), $arr);
+                       $items .= <<<EOD

    <item>
     <title>$title</title>
@@ -132,16 +134,20 @@
     <description>$excerpt</description>
    </item>
 EOD;
-       }
+               }

        $title = htmlspecialchars($page);
        $link  = $script . '?' . rawurlencode($page);
        $vars['page'] = $page;
-       $excerpt = strip_htmltag(convert_html(get_source($page)));
-       $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt);
-       $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...');
        $lang    = PLUGIN_TB_LANGUAGE;

+       if (check_readable($page, FALSE, FALSE)) {
+               $excerpt = strip_htmltag(convert_html(get_source($page)));
+               $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt);
+               $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...');
+       } else
+               $excerpt=str_replace('$1', $title, $_title_cannotread);
+
        $rc = <<<EOD
 <?xml version="1.0" encoding="utf-8" ?>
 <response>
@@ -179,20 +185,21 @@
        $tb_refer = sprintf($_tb_refer, '<a href="' . $script . '?' . $r_page .
                '">\'' . $page . '\'</a>', '<a href="' . $script . '">' . $page_title . '</a>');

-       $data = tb_get(tb_get_filename($page));
+       if (check_readable($page, FALSE, FALSE)) {
+               $data = tb_get(tb_get_filename($page));

-       // Sort: The first is the latest
-       usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));
+               // Sort: The first is the latest
+               usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));

-       $tb_body = '';
-       foreach ($data as $x) {
-               if (count($x) != 5) continue; // Ignore incorrect record
+               $tb_body = '';
+               foreach ($data as $x) {
+                       if (count($x) != 5) continue; // Ignore incorrect record

-               list ($time, $url, $title, $excerpt, $blog_name) = $x;
-               if ($title == '') $title = 'no title';
+                       list ($time, $url, $title, $excerpt, $blog_name) = $x;
+                       if ($title == '') $title = 'no title';

-               $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM
-               $tb_body .= <<<EOD
+                       $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM
+                       $tb_body .= <<<EOD
 <div class="trackback-body">
  <span class="trackback-post"><a href="$url" target="new" rel="nofollow">$title</a><br />
   <strong>$_tb_header_Excerpt</strong> $excerpt<br />
@@ -201,6 +208,7 @@
  </span>
 </div>
 EOD;
+               }
        }
        $msg = <<<EOD
 <?xml version="1.0" encoding="UTF-8"?>

BTW: Trackback from, ... who?

its not tb.inc.php but since we are talking about trackback here.. ;)
I think it would be better if PukiWiki send site name(page_title) as blog_name.

--- orig/lib/trackback.php      Sat Jan 29 22:53:37 2005
+++ lib/trackback.php   Thu Feb 24 17:34:26 2005
@@ -71,7 +71,7 @@
 // $minus = Removed lines may include URLs
 function tb_send($page, $plus, $minus = '')
 {
-       global $script, $trackback;
+       global $script, $trackback, $page_title;

        if (! $trackback) return;

@@ -108,7 +108,7 @@
                'title'     => $page, // Title = It's page name
                'url'       => "$script?$r_page", // will be rawurlencode() at send phase
                'excerpt'   => mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...'),
-               'blog_name' => PLUGIN_TRACKBACK_VERSION,
+               'blog_name' => $page_title .' ('. PLUGIN_TRACKBACK_VERSION .')',
                'charset'   => SOURCE_ENCODING // Ping text encoding (Not defined)
        );

BTW: Let's check trackback-related RDF only

we only need to parse trackback RDF. (theres other type of RDF for other things.. like CC schema for copyright info)

@@ -189,7 +189,7 @@
        if ($data['rc'] !== 200) return '';

        $matches = array();
-       if (! preg_match_all('#<rdf:RDF[^>]*>(.*?)</rdf:RDF>#si', $data['data'],
+       if (! preg_match_all('#<rdf:RDF[^>]*xmlns:trackback[^>]*>(.*?)</rdf:RDF>#si', $data['data'],
            $matches, PREG_PATTERN_ORDER))
                return '';

添付ファイル: filetb.inc.php.diff 580件 [詳細] filetrackback.diff 616件 [詳細]

トップ   編集 凍結 差分 バックアップ 添付 複製 名前変更 リロード   新規 一覧 検索 最終更新   ヘルプ   最終更新のRSS
Last-modified: 2007-10-03 (水) 19:33:10
Site admin: PukiWiki Development Team

PukiWiki 1.5.3+ © 2001-2020 PukiWiki Development Team. Powered by PHP 5.6.40-0+deb8u10. HTML convert time: 0.265 sec.

OSDN