From c544ad9bb8c034eee1213991aac1cd2213a05d10 Mon Sep 17 00:00:00 2001
From: Savetheinternet
Date: Sun, 10 Apr 2011 22:31:08 +1000
Subject: [PATCH] Block files exploiting IE's mime-sniffing 'feature'
---
 inc/config.php | 4 ++++
 post.php | 7 +++++++
 2 files changed, 11 insertions(+)
diff --git a/inc/config.php b/inc/config.php
index b67ddb10..abe8db62 100644
--- a/inc/config.php
+++ b/inc/config.php
@@ -120,6 +120,7 @@
 $config['error']['invalidzip'] = 'Invalid archive!';
 $config['error']['fileexists'] = 'That file already exists!';
 $config['error']['delete_too_soon'] = 'You\'ll have to wait another %s before deleting that.';
+ $config['error']['mime_exploit'] = 'MIME type detection XSS exploit (IE) detected; post discarded.';
 // Moderator errors
 $config['error']['invalid'] = 'Invalid username and/or password.';
@@ -476,6 +477,9 @@
 $config['ipv6_regex'] = '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?';
 // Make IPv4 addresses look like IPv4 addresses ("::ffff:8.8.8.8" becomes "8.8.8.8")
 $config['ipv6_ipv4'] = true;
+ // Regular expression to check for IE MIME type detection XSS exploit. To disable, comment the line out
+ // https://github.com/savetheinternet/Tinyboard/issues/20
+ $config['ie_mime_type_detection'] = '/<(?:body|head|html|img|plaintext|pre|script|table|title|a href|channel|scriptlet)/';
 // Allowed file extensions
 $config['allowed_ext'] = Array('jpg', 'jpeg', 'bmp', 'gif', 'png');
diff --git a/post.php b/post.php
index 6e971ff1..53e0447b 100644
--- a/post.php
+++ b/post.php
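Review bot: The pattern assigned to `$config['ie_mime_type_detection']` has no `i` modifier, so it is case-sensitive while HTML tag names (and the browser sniffing this filter is meant to catch) are not, meaning an upload whose first bytes spell the same tags in upper or mixed case is not rejected; change the line to `$config['ie_mime_type_detection'] = '/<(?:body|head|html|img|plaintext|pre|script|table|title|a href|channel|scriptlet)/i';`. The comment above it says the check is disabled by commenting the line out, but the consumer added to post.php in this same commit reads the key unconditionally, so either that consumer needs an `isset` guard or the comment should say the key must stay defined. Whether this tag list covers everything the targeted sniffer reacts to cannot be judged from the diff alone; a reference to the sniffing specification next to the issue link would help future maintainers.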
@@ -407,6 +407,13 @@
 error($config['error']['maxsize']);
 }
+ // Check IE MIME type detection XSS exploit
+ $buffer = file_get_contents($post['file'], null, null, null, 255);
+ if(preg_match($config['ie_mime_type_detection'], $buffer)) {
+ undoImage($post);
+ error($config['error']['mime_exploit']);
+ }
+
 $post['filehash'] = $config['file_hash']($post['file']);
 $post['filesize'] = filesize($post['file']);
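Review bot: The `file_get_contents` call on the new `$buffer` line can return `false` (unreadable or vanished temp file), and `preg_match` then runs against an empty string, so the check silently passes rather than failing closed; the result should be tested with `=== false` and treated as a rejection. In the same `if`, `$config['ie_mime_type_detection']` is read without an `isset` check even though inc/config.php in this commit documents commenting that line out as the way to disable the feature, which would produce an undefined-index notice and an empty pattern here. The 255-byte window is a page-specific value I would confirm against the sniffing behaviour being defended against; browsers are usually described as inspecting a 256-byte prefix, so the last byte of that window may go unchecked. The enclosing block of post.php starts and ends outside the hunk.
```php
// Check IE MIME type detection XSS exploit (skipped when the config key is unset)
if (isset($config['ie_mime_type_detection'])) {
    $buffer = file_get_contents($post['file'], null, null, null, 255);
    // fail closed: a file that cannot be read cannot be vetted
    if ($buffer === false || preg_match($config['ie_mime_type_detection'], $buffer)) {
        undoImage($post);
        error($config['error']['mime_exploit']);
    }
}
// … unchanged: filehash / filesize assignments …
```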