4.46 release

Author: kalcaddle

ChangeLog.md

@@ -19,7 +19,7 @@ function __construct() {
 	public function to() {
 		$route = $this->in['URLremote'];
 		if(count($route) >= 3){
-			$app = $route[2];
+			$app = clear_html($route[2]);
 			$action = $route[3];
 
 			if(count($route) == 3){
@@ -136,6 +136,7 @@ public function setConfig(){
 
 	// download=>fileSize=>unzip=>remove
 	public function install(){
+		if(!preg_match("/^[0-9a-zA-Z_]*$/",$this->in['app'])) show_json("error!",false);
 		$app = _DIR_CLEAR($this->in['app']);
 		$appPath = PLUGIN_DIR.$app.'.zip';
 		$appPathTemp = $appPath.'.downloading';
@@ -212,6 +213,7 @@ public function unInstall(){
 		if( !$this->in['app']){
 			show_json(LNG('data_not_full'),false);
 		}
+		if(!preg_match("/^[0-9a-zA-Z_]*$/",$this->in['app'])) show_json("error!",false);
 		$model = $this->loadModel('Plugin');
 		$model->remove($this->in['app']);
 		del_dir(PLUGIN_DIR.$this->in['app']);

app/controller/pluginApp.class.php

@@ -239,7 +239,8 @@ public function sso(){
 				){
 				$result = true;
 			}else{
-				$error = $this->in['check'].' 没有权限, 配置权限需要为: "'.$this->in['value'].'"';
+				$error = clear_html($this->in['check']).' 没有权限, 配置权限需要为: "'
+						.clear_html($this->in['value']).'"';
 			}
 		}
 		if($result){

app/controller/user.class.php

@@ -119,14 +119,11 @@ function mtime(){
 /**
  * 过滤HTML
  */
-function clear_html($HTML, $br = true){
-	$HTML = htmlspecialchars(trim($HTML));
-	$HTML = str_replace("\t", ' ', $HTML);
-	if ($br) {
-		return nl2br($HTML);
-	} else {
-		return str_replace("\n", '', $HTML);
-	} 
+function clear_html($html, $br = true){
+	$html = $html === null ? "" : $html;
+	$replace = array('<','>','"',"'");
+	$replaceTo = array('&lt;','&gt;','&quot;','&#39;');
+	return str_replace($replace,$replaceTo,$html);
 }
 
 /**

app/controller/utils.php

@@ -1035,10 +1035,18 @@ function file_put_out($file,$download=-1,$downFilename=false){
 	}
 	header('Etag: '.$etag);
 	header('Last-Modified: '.$time.' GMT');
-	header("X-OutFileName: ".$filenameOutput);
+	header("X-OutFileName: ".$filename);
 	header("X-Powered-By: kodExplorer.");
 	header("X-FileSize: ".$file_size);
 
+	// 过滤svg中非法script内容; 避免xxs;
+	if(!$download && get_path_ext($filename) == 'svg'){
+		if($file_size > 1024*1024*5) {exit;}
+		$content = file_get_contents($file);
+		$content = removeXXS($content);
+		echo $content;exit;
+	}
+	
 	//远程路径不支持断点续传；打开zip内部文件
 	if(!file_exists($file)){
 		header('HTTP/1.1 200 OK');
@@ -1089,6 +1097,54 @@ function file_put_out($file,$download=-1,$downFilename=false){
 	}
 	fclose($fp);
 }
+function removeXXS($val){
+	$val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val);
+	$search = 'abcdefghijklmnopqrstuvwxyz';
+	$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+	$search .= '1234567890!@#$%^&*()';
+	$search .= '~`";:?+/={}[]-_|\'\\';
+	for ($i = 0; $i < strlen($search); $i++) {
+		// ;? matches the ;, which is optional 
+		// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars 
+		// @ @ search for the hex values 
+		$val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val); // with a ; 
+		// @ @ 0{0,7} matches '0' zero to seven times  
+		$val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val); // with a ; 
+	}
+
+	// now the only remaining whitespace attacks are \t, \n, and \r 
+	$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
+	
+	$ra1 =  array('javascript', 'vbscript', 'expression','script');// 过多,误判
+	$ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
+	$ra = array_merge($ra1, $ra2);
+
+	$found = true; // keep replacing as long as the previous round replaced something 
+	while ($found == true) {
+		$val_before = $val;
+		for ($i = 0; $i < sizeof($ra); $i++) {
+			$pattern = '/';
+			for ($j = 0; $j < strlen($ra[$i]); $j++) {
+				if ($j > 0) {
+					$pattern .= '(';
+					$pattern .= '(&#[xX]0{0,8}([9ab]);)';
+					$pattern .= '|';
+					$pattern .= '|(&#0{0,8}([9|10|13]);)';
+					$pattern .= ')*';
+				}
+				$pattern .= $ra[$i][$j];
+			}
+			$pattern .= '/i';
+			$replacement = substr($ra[$i], 0, 2) . '_' . substr($ra[$i], 2); // add in <> to nerf the tag  
+			$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags  
+			if ($val_before == $val) {
+				// no replacements were made, so exit the loop  
+				$found = false;
+			}
+		}
+	}
+	return $val;
+}
 
 /**
  * 远程文件下载到服务器

app/function/common.function.php

@@ -3,6 +3,7 @@
 //扩展名权限判断 有权限则返回1 不是true
 function checkExt($file){
 	if($GLOBALS['isRoot']) return 1;
+	if($file == '.htaccess' || $file == '.user.ini') return false;
 	if (strstr($file,'<') || strstr($file,'>') || $file=='') {
 		return 0;
 	}
@@ -17,7 +18,7 @@ function checkExt($file){
 		$extArr = array_merge($extArr,array('phtml','phtm','htaccess','pwml'));
 	}
 	if(in_array('htm',$extArr) || in_array('html',$extArr)){
-		$extArr = array_merge($extArr,array('html','shtml','shtm','html'));
+		$extArr = array_merge($extArr,array('html','shtml','shtm','html','svg'));
 	}
 	foreach ($extArr as $current) {
 		if ($current !== '' && stristr($file,'.'.$current)){//含有扩展名

app/function/file.function.php

@@ -110,7 +110,8 @@ public static function decode($string,$key = '')
 			$box[$j] = $tmp; 
 			$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
 		}
-		if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0)
+		$theTime = intval(substr($result, 0, 10));
+		if (($theTime == 0 || $theTime - time() > 0)
 		&& substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)
 		) {
 			return substr($result, 26);

app/function/helper.function.php

@@ -68,17 +68,15 @@
 	<script type="text/javascript" src="./index.php?share/commonJs&st=api&act=view#id=<?php echo rand_string(4);?>"></script>
 
 	<?php
-		$name = rawurldecode(get_path_this($_GET['path']));
-		if(isset($_GET['name'])){
-			$name = rawurldecode($_GET['name']);
-		}
+		$path = rawurldecode($_GET['path']);
+		$name = get_path_this($path);
+		if(isset($_GET['name'])){$name = rawurldecode($_GET['name']);}
 	?>
 	<script type="text/javascript">
 		G.shareInfo = {
-			path:"<?php echo $_GET['path'];?>",
-			name:"<?php echo get_path_this($_GET['path']);?>",
-			mtime:0,
-			size:0
+			path:"<?php echo clear_html($path);?>",
+			name:"<?php echo clear_html($name);?>",
+			mtime:0,size:0
 		}
 		<?php if(ST.'.'.ACT == 'explorer.fileView'){echo "G.shareInfo.view = true;G.sharePage=undefined;";}?> 
 		G['accessToken'] = "<?php echo access_token_get();?>";

app/kod/Mcrypt.class.php

@@ -83,7 +83,8 @@
 					<i class="font-icon icon-user"></i>
 					<?php 
 						$user = $_SESSION['kodUser'];
-						echo $user['nickName']?$user['nickName']:$user['name'];
+						$name = $user['nickName']?$user['nickName']:$user['name'];
+						echo clear_html($name);
 					?>&nbsp;
 					<b class="caret"></b>
 				</a>