Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
This commit is contained in:
commit
ac94db1e36
8 changed files with 151 additions and 16 deletions
|
@ -63,6 +63,30 @@ function add_trailing_slash($url)
|
||||||
return $url . (!endsWith($url, '/') ? '/' : '');
|
return $url . (!endsWith($url, '/') ? '/' : '');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Replace not whitelisted protocols by 'http://' from given URL.
|
||||||
|
*
|
||||||
|
* @param string $url URL to clean
|
||||||
|
* @param array $protocols List of allowed protocols (aside from http(s)).
|
||||||
|
*
|
||||||
|
* @return string URL with allowed protocol
|
||||||
|
*/
|
||||||
|
function whitelist_protocols($url, $protocols)
|
||||||
|
{
|
||||||
|
if (startsWith($url, '?') || startsWith($url, '/')) {
|
||||||
|
return $url;
|
||||||
|
}
|
||||||
|
$protocols = array_merge(['http', 'https'], $protocols);
|
||||||
|
$protocol = preg_match('#^(\w+):/?/?#', $url, $match);
|
||||||
|
// Protocol not allowed: we remove it and replace it with http
|
||||||
|
if ($protocol === 1 && ! in_array($match[1], $protocols)) {
|
||||||
|
$url = str_replace($match[0], 'http://', $url);
|
||||||
|
} else if ($protocol !== 1) {
|
||||||
|
$url = 'http://' . $url;
|
||||||
|
}
|
||||||
|
return $url;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* URL representation and cleanup utilities
|
* URL representation and cleanup utilities
|
||||||
*
|
*
|
||||||
|
|
|
@ -312,6 +312,7 @@ protected function setDefaultValues()
|
||||||
$this->setEmpty('security.ban_duration', 1800);
|
$this->setEmpty('security.ban_duration', 1800);
|
||||||
$this->setEmpty('security.session_protection_disabled', false);
|
$this->setEmpty('security.session_protection_disabled', false);
|
||||||
$this->setEmpty('security.open_shaarli', false);
|
$this->setEmpty('security.open_shaarli', false);
|
||||||
|
$this->setEmpty('security.allowed_protocols', ['ftp', 'ftps', 'magnet']);
|
||||||
|
|
||||||
$this->setEmpty('general.header_link', '?');
|
$this->setEmpty('general.header_link', '?');
|
||||||
$this->setEmpty('general.links_per_page', 20);
|
$this->setEmpty('general.links_per_page', 20);
|
||||||
|
|
|
@ -1256,13 +1256,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
|
||||||
// Remove duplicates.
|
// Remove duplicates.
|
||||||
$tags = implode(' ', array_unique(explode(' ', $tags)));
|
$tags = implode(' ', array_unique(explode(' ', $tags)));
|
||||||
|
|
||||||
$url = trim($_POST['lf_url']);
|
$url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
|
||||||
if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
|
|
||||||
&& ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
|
|
||||||
&& ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
|
|
||||||
) {
|
|
||||||
$url = 'http://' . $url;
|
|
||||||
}
|
|
||||||
|
|
||||||
$link = array(
|
$link = array(
|
||||||
'id' => $id,
|
'id' => $id,
|
||||||
|
|
|
@ -26,7 +26,11 @@ function hook_markdown_render_linklist($data, $conf)
|
||||||
$value = stripNoMarkdownTag($value);
|
$value = stripNoMarkdownTag($value);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
$value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
|
$value['description'] = process_markdown(
|
||||||
|
$value['description'],
|
||||||
|
$conf->get('security.markdown_escape', true),
|
||||||
|
$conf->get('security.allowed_protocols')
|
||||||
|
);
|
||||||
}
|
}
|
||||||
return $data;
|
return $data;
|
||||||
}
|
}
|
||||||
|
@ -46,7 +50,11 @@ function hook_markdown_render_feed($data, $conf)
|
||||||
$value = stripNoMarkdownTag($value);
|
$value = stripNoMarkdownTag($value);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
$value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
|
$value['description'] = process_markdown(
|
||||||
|
$value['description'],
|
||||||
|
$conf->get('security.markdown_escape', true),
|
||||||
|
$conf->get('security.allowed_protocols')
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $data;
|
return $data;
|
||||||
|
@ -71,7 +79,8 @@ function hook_markdown_render_daily($data, $conf)
|
||||||
}
|
}
|
||||||
$value2['formatedDescription'] = process_markdown(
|
$value2['formatedDescription'] = process_markdown(
|
||||||
$value2['formatedDescription'],
|
$value2['formatedDescription'],
|
||||||
$conf->get('security.markdown_escape', true)
|
$conf->get('security.markdown_escape', true),
|
||||||
|
$conf->get('security.allowed_protocols')
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -231,6 +240,25 @@ function reverse_space2nbsp($description)
|
||||||
return preg_replace('/(^| ) /m', '$1 ', $description);
|
return preg_replace('/(^| ) /m', '$1 ', $description);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Replace not whitelisted protocols with http:// in given description.
|
||||||
|
*
|
||||||
|
* @param string $description input description text.
|
||||||
|
* @param array $allowedProtocols list of allowed protocols.
|
||||||
|
*
|
||||||
|
* @return string $description without malicious link.
|
||||||
|
*/
|
||||||
|
function filter_protocols($description, $allowedProtocols)
|
||||||
|
{
|
||||||
|
return preg_replace_callback(
|
||||||
|
'#]\((.*?)\)#is',
|
||||||
|
function ($match) use ($allowedProtocols) {
|
||||||
|
return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
|
||||||
|
},
|
||||||
|
$description
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Remove dangerous HTML tags (tags, iframe, etc.).
|
* Remove dangerous HTML tags (tags, iframe, etc.).
|
||||||
* Doesn't affect <code> content (already escaped by Parsedown).
|
* Doesn't affect <code> content (already escaped by Parsedown).
|
||||||
|
@ -275,7 +303,7 @@ function ($match) { return escape($match[0]); },
|
||||||
*
|
*
|
||||||
* @return string HTML processed $description.
|
* @return string HTML processed $description.
|
||||||
*/
|
*/
|
||||||
function process_markdown($description, $escape = true)
|
function process_markdown($description, $escape = true, $allowedProtocols = [])
|
||||||
{
|
{
|
||||||
$parsedown = new Parsedown();
|
$parsedown = new Parsedown();
|
||||||
|
|
||||||
|
@ -283,6 +311,7 @@ function process_markdown($description, $escape = true)
|
||||||
$processedDescription = reverse_nl2br($processedDescription);
|
$processedDescription = reverse_nl2br($processedDescription);
|
||||||
$processedDescription = reverse_space2nbsp($processedDescription);
|
$processedDescription = reverse_space2nbsp($processedDescription);
|
||||||
$processedDescription = reverse_text2clickable($processedDescription);
|
$processedDescription = reverse_text2clickable($processedDescription);
|
||||||
|
$processedDescription = filter_protocols($processedDescription, $allowedProtocols);
|
||||||
$processedDescription = unescape($processedDescription);
|
$processedDescription = unescape($processedDescription);
|
||||||
$processedDescription = $parsedown
|
$processedDescription = $parsedown
|
||||||
->setMarkupEscaped($escape)
|
->setMarkupEscaped($escape)
|
||||||
|
|
63
tests/Url/WhitelistProtocolsTest.php
Normal file
63
tests/Url/WhitelistProtocolsTest.php
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
require_once 'application/Url.php';
|
||||||
|
|
||||||
|
use Shaarli\Config\ConfigManager;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Class WhitelistProtocolsTest
|
||||||
|
*
|
||||||
|
* Test whitelist_protocols() function of Url.
|
||||||
|
*/
|
||||||
|
class WhitelistProtocolsTest extends PHPUnit_Framework_TestCase
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Test whitelist_protocols() on a note (relative URL).
|
||||||
|
*/
|
||||||
|
public function testWhitelistProtocolsRelative()
|
||||||
|
{
|
||||||
|
$whitelist = ['ftp', 'magnet'];
|
||||||
|
$url = '?12443564';
|
||||||
|
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
|
||||||
|
$url = '/path.jpg';
|
||||||
|
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test whitelist_protocols() on a note (relative URL).
|
||||||
|
*/
|
||||||
|
public function testWhitelistProtocolMissing()
|
||||||
|
{
|
||||||
|
$whitelist = ['ftp', 'magnet'];
|
||||||
|
$url = 'test.tld/path/?query=value#hash';
|
||||||
|
$this->assertEquals('http://'. $url, whitelist_protocols($url, $whitelist));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test whitelist_protocols() with allowed protocols.
|
||||||
|
*/
|
||||||
|
public function testWhitelistAllowedProtocol()
|
||||||
|
{
|
||||||
|
$whitelist = ['ftp', 'magnet'];
|
||||||
|
$url = 'http://test.tld/path/?query=value#hash';
|
||||||
|
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
|
||||||
|
$url = 'https://test.tld/path/?query=value#hash';
|
||||||
|
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
|
||||||
|
$url = 'ftp://test.tld/path/?query=value#hash';
|
||||||
|
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
|
||||||
|
$url = 'magnet:test.tld/path/?query=value#hash';
|
||||||
|
$this->assertEquals($url, whitelist_protocols($url, $whitelist));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test whitelist_protocols() with allowed protocols.
|
||||||
|
*/
|
||||||
|
public function testWhitelistDisallowedProtocol()
|
||||||
|
{
|
||||||
|
$whitelist = ['ftp', 'magnet'];
|
||||||
|
$url = 'javascript:alert("xss");';
|
||||||
|
$this->assertEquals('http://alert("xss");', whitelist_protocols($url, $whitelist));
|
||||||
|
$url = 'other://test.tld/path/?query=value#hash';
|
||||||
|
$this->assertEquals('http://test.tld/path/?query=value#hash', whitelist_protocols($url, $whitelist));
|
||||||
|
}
|
||||||
|
}
|
|
@ -26,6 +26,7 @@ public function setUp()
|
||||||
{
|
{
|
||||||
PluginManager::$PLUGINS_PATH = 'plugins';
|
PluginManager::$PLUGINS_PATH = 'plugins';
|
||||||
$this->conf = new ConfigManager('tests/utils/config/configJson');
|
$this->conf = new ConfigManager('tests/utils/config/configJson');
|
||||||
|
$this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -183,15 +184,19 @@ public function testNoMarkdownNotExcactlyMatching()
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Test hashtag links processed with markdown.
|
* Make sure that the generated HTML match the reference HTML file.
|
||||||
*/
|
*/
|
||||||
public function testMarkdownHashtagLinks()
|
public function testMarkdownGlobalProcessDescription()
|
||||||
{
|
{
|
||||||
$md = file_get_contents('tests/plugins/resources/markdown.md');
|
$md = file_get_contents('tests/plugins/resources/markdown.md');
|
||||||
$md = format_description($md);
|
$md = format_description($md);
|
||||||
$html = file_get_contents('tests/plugins/resources/markdown.html');
|
$html = file_get_contents('tests/plugins/resources/markdown.html');
|
||||||
|
|
||||||
$data = process_markdown($md);
|
$data = process_markdown(
|
||||||
|
$md,
|
||||||
|
$this->conf->get('security.markdown_escape', true),
|
||||||
|
$this->conf->get('security.allowed_protocols')
|
||||||
|
);
|
||||||
$this->assertEquals($html, $data);
|
$this->assertEquals($html, $data);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -21,4 +21,13 @@
|
||||||
next #foo</code></pre>
|
next #foo</code></pre>
|
||||||
<p>Block:</p>
|
<p>Block:</p>
|
||||||
<pre><code>lorem ipsum #foobar http://link.tld
|
<pre><code>lorem ipsum #foobar http://link.tld
|
||||||
#foobar http://link.tld</code></pre></div>
|
#foobar http://link.tld</code></pre>
|
||||||
|
<p><a href="?123456">link</a><br />
|
||||||
|
<img src="/img/train.png" alt="link" /><br />
|
||||||
|
<a href="http://test.tld/path/?query=value#hash">link</a><br />
|
||||||
|
<a href="http://test.tld/path/?query=value#hash">link</a><br />
|
||||||
|
<a href="https://test.tld/path/?query=value#hash">link</a><br />
|
||||||
|
<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
|
||||||
|
<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
|
||||||
|
<a href="http://alert('xss')">link</a><br />
|
||||||
|
<a href="http://test.tld/path/?query=value#hash">link</a></p></div>
|
|
@ -21,4 +21,14 @@ Block:
|
||||||
```
|
```
|
||||||
lorem ipsum #foobar http://link.tld
|
lorem ipsum #foobar http://link.tld
|
||||||
#foobar http://link.tld
|
#foobar http://link.tld
|
||||||
```
|
```
|
||||||
|
|
||||||
|
[link](?123456)
|
||||||
|
![link](/img/train.png)
|
||||||
|
[link](test.tld/path/?query=value#hash)
|
||||||
|
[link](http://test.tld/path/?query=value#hash)
|
||||||
|
[link](https://test.tld/path/?query=value#hash)
|
||||||
|
[link](ftp://test.tld/path/?query=value#hash)
|
||||||
|
[link](magnet:test.tld/path/?query=value#hash)
|
||||||
|
[link](javascript:alert('xss'))
|
||||||
|
[link](other://test.tld/path/?query=value#hash)
|
Loading…
Reference in a new issue