*tb.inc.php leaks content of auth-protected page [#y8fdabc5]

-Page: [[BugTrack2]]
-Reporter: [[xo]]
-Priority: Important
-Status: Rejected
-Category: Plugin
-Posted: 2005-02-24 (Thu) 19:35:06
-Version: 

** TrackBack implementation had been removed entirely [#t9b2175e]
[[BugTrack2/62]]:
 TrackBack implementation had been removed entirely
 due to extremely strong suspicion of violating copyright.
 'referer' function (that uses the implementation), also
 removed.

**Message [#f4d96e3f]
tb.inc.php leaks the content of a protected page as <description> when you query it using "''__mode=rss''"~
Also, I think unauthenticated users should not see received trackbacks even if they have figured out the trackback URL. (md5..)
 --- orig/plugin/tb.inc.php      Sun Jan 23 12:15:40 2005
 +++ plugin/tb.inc.php   Thu Feb 24 18:13:32 2005
 @@ -113,18 +114,19 @@
  // ?__mode=rss
  function plugin_tb_mode_rss($tb_id)
  {
 -       global $script, $vars, $entity_pattern;
 +       global $script, $vars, $entity_pattern, $_title_cannotread;
 
         $page = tb_id2page($tb_id);
         if ($page === FALSE) return FALSE;
 
         $items = '';
 -       foreach (tb_get(tb_get_filename($page)) as $arr) {
 -               // _utime_, title, excerpt, _blog_name_
 -               array_shift($arr); // Cut utime
 -               list ($url, $title, $excerpt) = array_map(
 -                       create_function('$a', 'return htmlspecialchars($a);'), $arr);
 -               $items .= <<<EOD
 +       if (check_readable($page, FALSE, FALSE))
 +               foreach (tb_get(tb_get_filename($page)) as $arr) {
 +                       // _utime_, title, excerpt, _blog_name_
 +                       array_shift($arr); // Cut utime
 +                       list ($url, $title, $excerpt) = array_map(
 +                               create_function('$a', 'return htmlspecialchars($a);'), $arr);
 +                       $items .= <<<EOD
 
     <item>
      <title>$title</title>
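Review bot: `check_readable($page, FALSE, FALSE)` is evaluated here and again later in the same function for the `$excerpt`; evaluate it once into a local (e.g. `$readable = check_readable($page, FALSE, FALSE);`) and branch on that, so the item list and the page excerpt can never disagree. The new `if` also wraps the whole `foreach` without braces; bracing it would make the nesting obvious, since the heredoc in the middle pushes the loop's closing brace into the next hunk.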
 @@ -132,16 +134,20 @@
      <description>$excerpt</description>
     </item>
  EOD;
 -       }
 +               }
 
         $title = htmlspecialchars($page);
         $link  = $script . '?' . rawurlencode($page);
         $vars['page'] = $page;
 -       $excerpt = strip_htmltag(convert_html(get_source($page)));
 -       $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt);
 -       $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...');
         $lang    = PLUGIN_TB_LANGUAGE;
 
 +       if (check_readable($page, FALSE, FALSE)) {
 +               $excerpt = strip_htmltag(convert_html(get_source($page)));
 +               $excerpt = preg_replace("/&$entity_pattern;/", '', $excerpt);
 +               $excerpt = mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...');
 +       } else
 +               $excerpt=str_replace('$1', $title, $_title_cannotread);
 +
         $rc = <<<EOD
  <?xml version="1.0" encoding="utf-8" ?>
  <response>
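Review bot: the `$excerpt` branch mixes a braced `if` with an unbraced `else`, and `$excerpt=str_replace('$1', $title, $_title_cannotread);` drops the spaces around `=` used everywhere else in the file; brace both branches and keep the spacing. Note the behaviour change: a reader who fails `check_readable` now gets the `$_title_cannotread` text in `<description>` instead of `FALSE` as for an unknown `tb_id`, so the response still confirms that the page exists. That is acceptable, but say so in the commit message.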
 @@ -179,20 +185,21 @@
         $tb_refer = sprintf($_tb_refer, '<a href="' . $script . '?' . $r_page .
                 '">\'' . $page . '\'</a>', '<a href="' . $script . '">' . $page_title . '</a>');
 
 -       $data = tb_get(tb_get_filename($page));
 +       if (check_readable($page, FALSE, FALSE)) {
 +               $data = tb_get(tb_get_filename($page));
 
 -       // Sort: The first is the latest
 -       usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));
 +               // Sort: The first is the latest
 +               usort($data, create_function('$a,$b', 'return $b[0] - $a[0];'));
 
 -       $tb_body = '';
 -       foreach ($data as $x) {
 -               if (count($x) != 5) continue; // Ignore incorrect record
 +               $tb_body = '';
 +               foreach ($data as $x) {
 +                       if (count($x) != 5) continue; // Ignore incorrect record
 
 -               list ($time, $url, $title, $excerpt, $blog_name) = $x;
 -               if ($title == '') $title = 'no title';
 +                       list ($time, $url, $title, $excerpt, $blog_name) = $x;
 +                       if ($title == '') $title = 'no title';
 
 -               $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM
 -               $tb_body .= <<<EOD
 +                       $time = date($_tb_date, $time + LOCALZONE); // May 2, 2003 11:25 AM
 +                       $tb_body .= <<<EOD
  <div class="trackback-body">
   <span class="trackback-post"><a href="$url" target="new" rel="nofollow">$title</a><br />
    <strong>$_tb_header_Excerpt</strong> $excerpt<br />
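Review bot: `$tb_body = '';` has moved inside the new `if (check_readable(...))` block, so for an unreadable page `$tb_body` is never initialised yet is still interpolated into the `$msg` heredoc that follows; keep `$tb_body = '';` before the `if`. As in the rss mode, `check_readable($page, FALSE, FALSE)` is better evaluated once into a local than repeated at each use.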
 @@ -201,6 +208,7 @@
   </span>
  </div>
  EOD;
 +               }
         }
         $msg = <<<EOD
  <?xml version="1.0" encoding="UTF-8"?>
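Review bot: the new `if` closes here with no `else`, so an unreadable page renders an empty trackback list while `__mode=rss` emits the `$_title_cannotread` message; add an `else` that sets `$tb_body` to the same message so both modes behave consistently.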
-Yes. Some plugins (not only tb) yet ignore read/edit auth function. And some of them also don't care about ''$non_list'' setting. We have corrected map, touchgraph plugin about $non_list first. Next, we must try to care about read/edit auth. -- [[henoheno]] &new{2005-02-24 (木) 23:01:41};
-- I think the work-around for these leakages is a very classical but basic way -- removing unused or unknown plugins. -- [[henoheno]] &new{2005-02-24 (木) 23:05:12};
-- One more thing -- Creating another _secret_ PukiWiki for secret working group only -- [[henoheno]] &new{2005-02-25 (金) 23:40:04};
-Hmm, how about calling check_readable and check_editable in get_source and page_write? -- [[xo]] &new{2005-02-28 (月) 14:53:38};
-btw, I agree creating another secret PukiWiki is the way to go, but I just wanted a few private pages. ;) -- [[xo]] &new{2005-02-28 (月) 14:54:39};

------------------
** BTW: Trackback from, ... who? [#f60b3373]

It's not tb.inc.php, but since we are talking about trackback here.. ;)~
I think it would be better if PukiWiki sent the ''site name'' (page_title) as ''blog_name''.
 --- orig/lib/trackback.php      Sat Jan 29 22:53:37 2005
 +++ lib/trackback.php   Thu Feb 24 17:34:26 2005
 @@ -71,7 +71,7 @@
  // $minus = Removed lines may include URLs
  function tb_send($page, $plus, $minus = '')
  {
 -       global $script, $trackback;
 +       global $script, $trackback, $page_title;
 
         if (! $trackback) return;
 
 @@ -108,7 +108,7 @@
                 'title'     => $page, // Title = It's page name
                 'url'       => "$script?$r_page", // will be rawurlencode() at send phase
                 'excerpt'   => mb_strimwidth(preg_replace("/[\r\n]/", ' ', $excerpt), 0, 255, '...'),
 -               'blog_name' => PLUGIN_TRACKBACK_VERSION,
 +               'blog_name' => $page_title .' ('. PLUGIN_TRACKBACK_VERSION .')',
                 'charset'   => SOURCE_ENCODING // Ping text encoding (Not defined)
         );
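Review bot: spacing around the concatenation operators in the added `'blog_name'` line is inconsistent (`$page_title .' ('. PLUGIN_TRACKBACK_VERSION .')'`); write it as `$page_title . ' (' . PLUGIN_TRACKBACK_VERSION . ')'`. `$page_title` is site-configured text and is placed into the ping unchanged here, so make sure the send phase encodes it exactly as the comment on `'url'` promises for that field.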
 
-[[org:続・質問箱/653]] -- [[henoheno]] &new{2005-03-09 (水) 22:27:57};
-[[official:続・質問箱/653]] -- [[henoheno]] &new{2005-03-09 (水) 22:27:57};
-I feel "$page_title PukiWiki TrackBack 0.2" is too long. Wouldn't "$page_title/PukiWiki" be better? -- [[Keruru]] &new{2005-03-10 (木) 15:39:15};
-Please freely. ..seeming be said... ;) -- [[Keruru]] &new{2005-03-10 (木) 15:40:57};
-Some blog users may want to ignore/remove TrackBack pings from older version(s) of PukiWiki-TrackBack implementation.  If there's a good place for version information described at TrackBack specification, the string "PukiWiki TrackBack 0.2" is not needed in 'blog_name'. -- [[henoheno]] &new{2005-03-10 (木) 23:28:42};
-I also agree to the opinion.  -- [[Keruru]] &new{2005-03-11 (金) 00:45:14};
-I checked the latest TrackBack specification (v1.2), and I understand this (above) is the best answer now :) It's not short though ... -- [[henoheno]] &new{2005-04-10 (日) 18:20:14};
-- [[cvs:lib/trackback.php]] (1.15-1.16)



** BTW: Let's check trackback-related RDF only [#i9c8388e]
We only need to parse trackback RDF. (There are other types of RDF for other things, like the CC schema for copyright info.)
 @@ -189,7 +189,7 @@
         if ($data['rc'] !== 200) return '';
 
         $matches = array();
 -       if (! preg_match_all('#<rdf:RDF[^>]*>(.*?)</rdf:RDF>#si', $data['data'],
 +       if (! preg_match_all('#<rdf:RDF[^>]*xmlns:trackback[^>]*>(.*?)</rdf:RDF>#si', $data['data'],
             $matches, PREG_PATTERN_ORDER))
                 return '';
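Review bot: the tightened pattern `<rdf:RDF[^>]*xmlns:trackback[^>]*>` only tests that a prefix literally named `trackback` is declared on the start tag; it never checks the namespace URI the prefix is bound to, and it will skip a remote page that binds the TrackBack namespace to any other prefix (prefix names are arbitrary in XML). It also accepts longer attribute names that merely start with `xmlns:trackback`. Matching on the namespace URI, or parsing each `rdf:RDF` block as XML and selecting by namespace, would be more robust than the prefix substring.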

-It works good! :) -- [[henoheno]] &new{2005-04-10 (日) 18:32:21};
-- [[cvs:lib/trackback.php]] (1.17)
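The prefix-only match discussed above, as an added illustration in Python rather than the project's PHP (this is not PukiWiki code): it counts the RDF blocks the `xmlns:trackback` regex accepts beside a parser that selects blocks by the TrackBack namespace URI instead, so CC license RDF is skipped and a remote page that binds the namespace to another prefix is still found. The namespace URI is the one published in the TrackBack specification and the sample HTML is constructed; both are assumptions not stated on this page.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs. The TrackBack module URI is taken from the TrackBack
# specification (assumption: the bug page only names the "trackback" prefix).
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
TRACKBACK_NS = "http://madskills.com/public/xml/rss/module/trackback/"

# Same test as the patched PHP: accept a block only if its start tag declares
# a prefix literally named "trackback" (the bound URI is never checked).
PREFIX_RE = re.compile(r"<rdf:RDF[^>]*xmlns:trackback[^>]*>.*?</rdf:RDF>", re.S | re.I)
# Alternative: cut out every rdf:RDF block, then decide by namespace URI.
BLOCK_RE = re.compile(r"<rdf:RDF[^>]*>.*?</rdf:RDF>", re.S | re.I)

def blocks_by_prefix(html):
    """Number of RDF blocks the prefix-based regex would accept."""
    return len(PREFIX_RE.findall(html))

def trackback_pings(html):
    """Ping URLs from RDF blocks bound to the TrackBack namespace URI,
    whatever prefix the remote page chose; other RDF (CC etc.) is ignored."""
    pings = []
    for block in BLOCK_RE.findall(html):
        try:
            root = ET.fromstring(block)
        except ET.ParseError:
            continue  # malformed XML: skip it rather than guess
        for desc in root.iter("{%s}Description" % RDF_NS):
            ping = desc.get("{%s}ping" % TRACKBACK_NS)
            if ping:
                pings.append(ping)
    return pings

# Constructed sample of a remote page with three embedded RDF blocks: a CC
# license block, a TrackBack block with the usual prefix, one with prefix "tb".
SAMPLE_HTML = """<html><body>
<!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:cc="http://web.resource.org/cc/">
 <rdf:Description rdf:about="http://blog.example/entry/1">
  <cc:license rdf:resource="http://creativecommons.org/licenses/by/2.0/" />
 </rdf:Description></rdf:RDF> -->
<!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
 <rdf:Description rdf:about="http://blog.example/entry/1"
  trackback:ping="http://blog.example/tb/1" /></rdf:RDF> -->
<!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:tb="http://madskills.com/public/xml/rss/module/trackback/">
 <rdf:Description rdf:about="http://blog.example/entry/2"
  tb:ping="http://blog.example/tb/2" /></rdf:RDF> -->
</body></html>"""
```

On the sample, the prefix regex accepts one block while the namespace-based parser returns both ping URLs and ignores the CC block.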
