tb.inc.php leaks content of auth-protected page

  • Page: BugTrack2
  • Submitter: xo
  • Priority: Important
  • Status: Rejected
  • Category: Plugin
  • Date: 2005-02-24 (Thu) 19:35:06
  • Version:

TrackBack implementation has been removed entirely

BugTrack2/62:

TrackBack implementation has been removed entirely
due to an extremely strong suspicion of violating copyright.
The 'referer' function (which uses the implementation) has also
been removed.

Message

tb.inc.php leaks the content of a protected page as <description> when you query it using "__mode=rss".
Also, I think unauthenticated users should not see received trackbacks even if they figured out the trackback URL. (md5..)

--- orig/plugin/tb.inc.php      Sun Jan 23 12:15:40 2005
+++ plugin/tb.inc.php   Thu Feb 24 18:13:32 2005
@@ -113,18 +114,19 @@
 // ?__mode=rss
 function plugin_tb_mode_rss($tb_id)
 {
-       global $script, $vars, $entity_pattern;
+       global $script, $vars, $entity_pattern, $_title_cannotread;

        $page = tb_id2page($tb_id);
        if ($page === FALSE) return FALSE;

        $items = '';
-       foreach (tb_get(tb_get_filename($page)) as $arr) {
-               // _utime_, title, excerpt, _blog_name_
-               array_shift($arr); // Cut utime
-               list ($url, $title, $excerpt) = array_map(
-                       create_function('$a', 'return htmlspecialchars($a);'), $arr);
-               $items .= <<<EOD
+       if (check_readable($page, FALSE, FALSE))
+               foreach (tb_get(tb_get_filename($page)) as $arr) {
+                       // _utime_, title, excerpt, _blog_name_
+                       array_shift($arr); // Cut utime
+                       list ($url, $title, $excerpt) = array_map(
+                               create_function('$a', 'return htmlspecialchars($a);'), $arr);
+                       $items .= <<<EOD

    <item>
     <title>$title</title>
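Review bot: the `if (check_readable($page, FALSE, FALSE))` that now guards the loop has no braces, so it governs only the single `foreach` statement; that is correct as written but fragile, because any line later inserted between the `if` and the `foreach` would run unconditionally. Wrap the loop in `{ ... }`. The same readability check is evaluated a second time further down in this function for `$excerpt`; compute `$readable = check_readable($page, FALSE, FALSE);` once, right after the `tb_id2page()` lookup, and reuse it in both places.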
@@ -132,16 +134,20 @@
     <description>$excerpt</description>
    </item>
 EOD;
-       }
+               }

        $title = htmlspecialchars($page);
        $link  = $script . '?' . rawurlencode($page);
        $vars['page'] = $page;
-       $excerpt = strip_htmltag(convert_html(get_source($page)));
-       $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt);
-       $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...');
        $lang    = PLUGIN_TB_LANGUAGE;

+       if (check_readable($page, FALSE, FALSE)) {
+               $excerpt = strip_htmltag(convert_html(get_source($page)));
+               $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt);
+               $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...');
+       } else
+               $excerpt=str_replace('$1', $title, $_title_cannotread);
+
        $rc = <<<EOD
 <?xml version="1.0" encoding="utf-8" ?>
 <response>
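Review bot: the `if` branch is braced while the `else` branch is not, and `$excerpt=str_replace(...)` drops the spacing around `=` used everywhere else in the file; write `} else {` ... `}` and `$excerpt = str_replace(...)`. Note also that the readable path strips tags and entities from `$excerpt` before it is interpolated into `<description>`, while the unreadable path inserts the localized `$_title_cannotread` string as-is; run the substituted message through the same escaping so a message containing markup characters cannot break the RSS.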
@@ -179,20 +185,21 @@
        $tb_refer = sprintf($_tb_refer, '<a href="' . $script . '?' . $r_page .
                '">\'' . $page . '\'</a>', '<a href="' . $script . '">' . $page_title . '</a>');

-       $data = tb_get(tb_get_filename($page));
+       if (check_readable($page, FALSE, FALSE)) {
+               $data = tb_get(tb_get_filename($page));

-       // Sort: The first is the latest
-       usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));
+               // Sort: The first is the latest
+               usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));

-       $tb_body = '';
-       foreach ($data as $x) {
-               if (count($x) != 5) continue; // Ignore incorrect record
+               $tb_body = '';
+               foreach ($data as $x) {
+                       if (count($x) != 5) continue; // Ignore incorrect record

-               list ($time, $url, $title, $excerpt, $blog_name) = $x;
-               if ($title == '') $title = 'no title';
+                       list ($time, $url, $title, $excerpt, $blog_name) = $x;
+                       if ($title == '') $title = 'no title';

-               $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM
-               $tb_body .= <<<EOD
+                       $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM
+                       $tb_body .= <<<EOD
 <div class="trackback-body">
  <span class="trackback-post"><a href="$url" target="new" rel="nofollow">$title</a><br />
   <strong>$_tb_header_Excerpt</strong> $excerpt<br />
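Review bot: `$tb_body = '';` has been moved inside the `if (check_readable(...))` block, so when the page is not readable `$tb_body` is never assigned before it is used further down; keep `$tb_body = '';` above the `if` so the unreadable path yields a defined, empty body instead of an undefined-variable notice. As in the RSS mode, the readability result could be computed once and reused.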
@@ -201,6 +208,7 @@
  </span>
 </div>
 EOD;
+               }
        }
        $msg = <<<EOD
 <?xml version="1.0" encoding="UTF-8"?>
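Review bot: unlike the RSS mode, which substitutes `$_title_cannotread` when the page is unreadable, this path silently produces an empty trackback list; if that is intended, a one-line comment above the `if` saying so would save the next reader a check, otherwise mirror the RSS behaviour.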
  • Yes. Some plugins (not only tb) still ignore the read/edit auth function. And some of them also don't care about the $non_list setting. We have corrected the map and touchgraph plugins about $non_list first. Next, we must try to take care of read/edit auth. -- henoheno 2005-02-24 (Thu) 23:01:41
    • I think the work-around for these leakages is a very classical but basic way -- removing unused or unknown plugins. -- henoheno 2005-02-24 (Thu) 23:05:12
    • One more thing -- creating another _secret_ PukiWiki for the secret working group only -- henoheno 2005-02-25 (Fri) 23:40:04
  • Hmm, how about calling check_readable and check_editable in get_source and page_write? -- xo 2005-02-28 (Mon) 14:53:38
  • BTW, I agree that creating another secret PukiWiki is the way to go, but I just wanted a few private pages. ;) -- xo 2005-02-28 (Mon) 14:54:39

BTW: Trackback from... who?

It's not tb.inc.php, but since we are talking about trackback here.. ;)
I think it would be better if PukiWiki sent the site name (page_title) as blog_name.

--- orig/lib/trackback.php      Sat Jan 29 22:53:37 2005
+++ lib/trackback.php   Thu Feb 24 17:34:26 2005
@@ -71,7 +71,7 @@
 // $minus = Removed lines may include URLs
 function tb_send($page, $plus, $minus = '')
 {
-       global $script, $trackback;
+       global $script, $trackback, $page_title;

        if (! $trackback) return;

@@ -108,7 +108,7 @@
                'title'     => $page, // Title = It's page name
                'url'       => "$script?$r_page", // will be rawurlencode() at send phase
                'excerpt'   => mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...'),
-               'blog_name' => PLUGIN_TRACKBACK_VERSION,
+               'blog_name' => $page_title .' ('. PLUGIN_TRACKBACK_VERSION .')',
                'charset'   => SOURCE_ENCODING // Ping text encoding (Not defined)
        );
  • official:続・質問箱/653 -- henoheno 2005-03-09 (Wed) 22:27:57
  • I feel "$page_title PukiWiki TrackBack 0.2" is too long. Wouldn't "$page_title/PukiWiki" be better? -- Keruru? 2005-03-10 (Thu) 15:39:15
  • Please, freely. ..seeming to be said... ;) -- Keruru? 2005-03-10 (Thu) 15:40:57
  • Some blog users may want to ignore/remove TrackBack pings from older version(s) of the PukiWiki-TrackBack implementation. If there's a good place for version information described in the TrackBack specification, the string "PukiWiki TrackBack 0.2" is not needed in 'blog_name'. -- henoheno 2005-03-10 (Thu) 23:28:42
  • I also agree with that opinion. -- Keruru? 2005-03-11 (Fri) 00:45:14
  • I checked the latest TrackBack specification (v1.2), and I understand this (above) is the best answer now :) It's not short though ... -- henoheno 2005-04-10 (Sun) 18:20:14

BTW: Let's check trackback-related RDF only

We only need to parse trackback RDF. (There's another type of RDF for other things, like the CC schema for copyright info.)

@@ -189,7 +189,7 @@
        if ($data['rc'] !== 200) return '';

        $matches = array();
-       if (! preg_match_all('#<rdf:RDF[^>]*>(.*?)</rdf:RDF>#si', $data['data'],
+       if (! preg_match_all('#<rdf:RDF[^>]*xmlns:trackback[^>]*>(.*?)</rdf:RDF>#si', $data['data'],
            $matches, PREG_PATTERN_ORDER))
                return '';
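Review bot: matching on the literal prefix `xmlns:trackback` ties the filter to a prefix that the TrackBack specification does not fix: a page that binds the TrackBack namespace to another prefix (for example `xmlns:tb`) is now skipped, and a page that binds the name `trackback` to some unrelated URI is accepted. Filter on the namespace URI declared in the start tag instead of the prefix, then read the ping attribute through whichever prefix that declaration used. The `[^>]*` pieces also require the declaration to sit on the `<rdf:RDF>` element itself; a declaration on a wrapping element is not seen.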

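As an added example (not PukiWiki's code), a namespace-aware filter of the kind a reader may want instead of the prefix check: it keeps only the rdf:RDF blocks that bind the TrackBack namespace URI, whatever prefix the page chose, and skips the Creative Commons block. The sample page, its ping URL and the helper names are constructed for this illustration.

```python
import re

# Namespace URI that the TrackBack specification defines for its module; a page may
# bind it to any prefix, "trackback" is merely the conventional one.
TRACKBACK_NS = "http://madskills.com/public/xml/rss/module/trackback/"

# Constructed sample page: a Creative Commons RDF block followed by a TrackBack
# auto-discovery block that uses the prefix "tb" instead of "trackback".
SAMPLE_HTML = """<html><body><p>entry</p>
<!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
              xmlns:cc="http://web.resource.org/cc/">
 <cc:Work rdf:about="http://example.com/entry/1">
  <cc:license rdf:resource="http://creativecommons.org/licenses/by/2.0/" />
 </cc:Work></rdf:RDF> -->
<!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
              xmlns:dc="http://purl.org/dc/elements/1.1/"
              xmlns:tb="http://madskills.com/public/xml/rss/module/trackback/">
 <rdf:Description rdf:about="http://example.com/entry/1"
  dc:identifier="http://example.com/entry/1" dc:title="Entry 1"
  tb:ping="http://example.com/tb.php/1" /></rdf:RDF> -->
</body></html>"""

RDF_BLOCK = re.compile(r'<rdf:RDF\b([^>]*)>(.*?)</rdf:RDF>', re.S | re.I)
NS_DECL = re.compile(r'xmlns:([\w.-]+)\s*=\s*["\']([^"\']*)["\']')

def prefix_match_count(html):
    """The patch's approach: count rdf:RDF blocks whose start tag contains 'xmlns:trackback'."""
    return len(re.findall(r'<rdf:RDF[^>]*xmlns:trackback[^>]*>(.*?)</rdf:RDF>', html, re.S | re.I))

def trackback_rdf_blocks(html):
    """Namespace-aware filter: (prefix, body) for each rdf:RDF block binding TRACKBACK_NS."""
    found = []
    for attrs, body in RDF_BLOCK.findall(html):
        for prefix, uri in NS_DECL.findall(attrs):
            if uri == TRACKBACK_NS:
                found.append((prefix, body))
                break
    return found

def trackback_ping_urls(html):
    """Ping URLs from the TrackBack blocks only, read via whatever prefix each block declared."""
    urls = []
    for prefix, body in trackback_rdf_blocks(html):
        m = re.search(r'\b' + re.escape(prefix) + r':ping\s*=\s*["\']([^"\']*)["\']', body, re.I)
        if m:
            urls.append(m.group(1))
    return urls

if __name__ == "__main__":
    print("prefix-only matches:", prefix_match_count(SAMPLE_HTML))   # 0: the tb: block is missed
    print("namespace matches:", trackback_ping_urls(SAMPLE_HTML))    # ['http://example.com/tb.php/1']
```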
Attachments: tb.inc.php.diff (579) [details], trackback.diff (614) [details]

Last-modified: 2007-10-03 (Wed) 19:33:10
Site admin: PukiWiki Development Team
