Block files exploiting IE's mime-sniffing 'feature'
This commit is contained in:
parent
406d287cd1
commit
c544ad9bb8
@ -120,6 +120,7 @@
|
||||
$config['error']['invalidzip'] = 'Invalid archive!';
|
||||
$config['error']['fileexists'] = 'That file <a href="%s">already exists</a>!';
|
||||
$config['error']['delete_too_soon'] = 'You\'ll have to wait another %s before deleting that.';
|
||||
$config['error']['mime_exploit'] = 'MIME type detection XSS exploit (IE) detected; post discarded.';
|
||||
|
||||
// Moderator errors
|
||||
$config['error']['invalid'] = 'Invalid username and/or password.';
|
||||
@ -476,6 +477,9 @@
|
||||
$config['ipv6_regex'] = '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?';
|
||||
// Make IPv4 addresses look like IPv4 addresses ("::ffff:8.8.8.8" becomes "8.8.8.8")
|
||||
$config['ipv6_ipv4'] = true;
|
||||
// Regular expression to check for IE MIME type detection XSS exploit. To disable, comment the line out
|
||||
// https://github.com/savetheinternet/Tinyboard/issues/20
|
||||
$config['ie_mime_type_detection'] = '/<(?:body|head|html|img|plaintext|pre|script|table|title|a href|channel|scriptlet)/';
|
||||
|
||||
// Allowed file extensions
|
||||
$config['allowed_ext'] = Array('jpg', 'jpeg', 'bmp', 'gif', 'png');
|
||||
|
7
post.php
7
post.php
@ -407,6 +407,13 @@
|
||||
error($config['error']['maxsize']);
|
||||
}
|
||||
|
||||
// Check IE MIME type detection XSS exploit
|
||||
$buffer = file_get_contents($post['file'], null, null, null, 255);
|
||||
if(preg_match($config['ie_mime_type_detection'], $buffer)) {
|
||||
undoImage($post);
|
||||
error($config['error']['mime_exploit']);
|
||||
}
|
||||
|
||||
$post['filehash'] = $config['file_hash']($post['file']);
|
||||
$post['filesize'] = filesize($post['file']);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user