Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv10869
Modified Files:
mhtxthtml.pl
Log Message:
* XSS fix.
Index: mhtxthtml.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhtxthtml.pl,v
retrieving revision 2.29
retrieving revision 2.30
diff -C2 -r2.29 -r2.30
*** mhtxthtml.pl 19 Dec 2002 05:14:23 -0000 2.29
--- mhtxthtml.pl 22 Dec 2002 00:48:17 -0000 2.30
***************
*** 183,203 ****
## some browsers are forgiving about dublicating header tags, but
## we try to do things right. It also help minimize XSS exploits.
- $$data =~ s|<!doctype\s[^>]*>||io;
- $$data =~ s|</?html\b[^>]*>||gio;
- $$data =~ s|</?x-html\b[^>]*>||gio;
$$data =~ s|<head\s*>[\s\S]*</head\s*>||io;
! $$data =~ s|</?meta\b[^>]*>||io;
## Strip out style information if requested.
if ($nofont) {
$$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! $$data =~ s|</?font\b[^>]*>||gio;
! $$data =~ s/\b(?:style|class)\s*=\s*"[^"]*"//gio;
! $$data =~ s/\b(?:style|class)\s*=\s*'[^']*'//gio;
! $$data =~ s/\b(?:style|class)\s*=\s*[^\s>]+//gio;
}
## Strip out scripting markup
if ($noscript) {
# Hopefully complete pattern to neutralize javascript:... URLs.
# The pattern is ugly because we have to handle any combination
--- 183,220 ----
## some browsers are forgiving about dublicating header tags, but
## we try to do things right. It also help minimize XSS exploits.
$$data =~ s|<head\s*>[\s\S]*</head\s*>||io;
! 1 while ($$data =~ s|<!doctype\s[^>]*>||gio);
! 1 while ($$data =~ s|</?html\b[^>]*>||gio);
! 1 while ($$data =~ s|</?x-html\b[^>]*>||gio);
! 1 while ($$data =~ s|</?meta\b[^>]*>||gio);
! 1 while ($$data =~ s|</?link\b[^>]*>||gio);
## Strip out style information if requested.
if ($nofont) {
$$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! 1 while ($$data =~ s|</?font\b[^>]*>||gio);
! 1 while ($$data =~ s/\b(?:style|class)\s*=\s*"[^"]*"//gio);
! 1 while ($$data =~ s/\b(?:style|class)\s*=\s*'[^']*'//gio);
! 1 while ($$data =~ s/\b(?:style|class)\s*=\s*[^\s>]+//gio);
! 1 while ($$data =~ s|</?style\b[^>]*>||gi);
}
## Strip out scripting markup
if ($noscript) {
+ # remove scripting elements and attributes
+ $$data =~ s|<script[^>]*>.*?</script\s*>||gios;
+ unless ($nofont) { # avoid dup work if style already stripped
+ $$data =~ s|<style[^>]*>.*?</style\s*>||gios;
+ 1 while ($$data =~ s|</?style\b[^>]*>||gi);
+ }
+ 1 while ($$data =~ s|$SAttr\s*=\s*"[^"]*"||gio); #"
+ 1 while ($$data =~ s|$SAttr\s*=\s*'[^']*'||gio); #'
+ 1 while ($$data =~ s|$SAttr\s*=\s*[^\s>]+||gio);
+ 1 while ($$data =~ s|</?$SElem[^>]*>||gio);
+ 1 while ($$data =~ s|</?script\b||gi);
+
+ # for netscape 4.x browsers
+ $$data =~ s/(=\s*["']?\s*)(?:\&\{)+/$1/g;
+
# Hopefully complete pattern to neutralize javascript:... URLs.
# The pattern is ugly because we have to handle any combination
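Review bot: The head strip on the first new line, `$$data =~ s|<head\s*>[\s\S]*</head\s*>||io;`, only matches a bare `<head>` start tag, so a head element written with attributes (HTML 4 allows `profile=`) is left in place and its contents fall through to the per-element rules below; tightening it to `<head\b[^>]*>` keeps it in step with the `\b[^>]*` form used for html/meta/link on the following lines. The greedy `[\s\S]*` also means a stray `</head>` late in the document swallows everything up to it, which is content loss rather than an injection path but deserves a comment. The `1 while` loops around the `/g` substitutions are the right shape, because removing one tag can expose another nested inside it, and a one-line comment above the first loop saying so would help the next reader, e.g. `# repeat until stable: stripping a tag can expose another one nested inside it`. `$SAttr` and `$SElem` are defined outside this hunk, so their coverage of the scripting attributes and elements cannot be checked here, and the enclosing block continues past the hunk.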
***************
*** 215,230 ****
/_javascript_/gix;
- # remove scripting elements and attributes
- $$data =~ s|<script[^>]*>.*?</script\s*>||gios;
- $$data =~ s|<style[^>]*>.*?</style\s*>||gios unless $nofont;
- $$data =~ s|$SAttr\s*=\s*"[^"]*"||gio; #"
- $$data =~ s|$SAttr\s*=\s*'[^']*'||gio; #'
- $$data =~ s|$SAttr\s*=\s*[^\s>]+||gio;
- $$data =~ s|</?$SElem[^>]*>||gio;
-
- # just in-case, make sure all script tags are removed
- 1 while ($$data =~ s|</?script\b||gi);
- # for netscape 4.x browsers
- $$data =~ s/(=\s*["']?\s*)\&\{/$1/g;
}
--- 232,235 ----
***************
*** 283,287 ****
}
}
! $$data =~ s|</?body[^>]*>||ig;
my $ahref_tmp;
--- 288,292 ----
}
}
! 1 while ($$data =~ s|</?body\b[^>]*>||ig);
my $ahref_tmp;
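Review bot: The body-tag loop now uses the `\b[^>]*` form of the earlier hunk but keeps the `ig` modifiers where the sibling loops use `gio`; `/o` is a no-op without an interpolated variable, so nothing is wrong, but one spelling is easier to grep. More useful would be a comment on why `<body>` appears to be stripped regardless of `$noscript`, which is that its attributes can carry event handlers, e.g. `# always drop <body>: its attributes can carry event handlers`. The enclosing sub starts and ends outside this hunk.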
***************
*** 375,381 ****
sub resolve_cid {
! my $onlycid = shift;
! my $cid = shift;
my $attachdir = shift;
my $href = $readmail::Cid{$cid};
if (!defined($href)) {
--- 380,389 ----
sub resolve_cid {
! my $onlycid = shift;
! my $cid_in = shift;
my $attachdir = shift;
+ my $cid = $cid_in;
+
+ $cid =~ s/&#(?:x0*40|64);/@/g;
my $href = $readmail::Cid{$cid};
if (!defined($href)) {
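Review bot: The entity decode `$cid =~ s/&#(?:x0*40|64);/@/g;` normalizes `&#x40;`, `&#x0040;` and `&#64;` but not decimal with leading zeros (`&#064;`) or an upper-case hex marker (`&#X40;`), so those spellings of `@` still miss the `%readmail::Cid` lookup; `$cid =~ s/&#(?:x0*40|0*64);/@/gi;` covers both. The decode also needs a why-comment now that the lookup key and the value handed back to the caller are different variables, e.g. `# look up with '@' decoded so an entity-encoded cid still maps to its attachment; $cid_in is kept for the fallback return`. The sub continues past the hunk.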
***************
*** 384,388 ****
if (!defined($href = $readmail::Cid{$basename})) {
return "" if $onlycid;
! return ($cid =~ /^cid:/i)? "": $cid;
}
$cid = $basename;
--- 392,396 ----
if (!defined($href = $readmail::Cid{$basename})) {
return "" if $onlycid;
! return ($cid =~ /^cid:/i)? "": $cid_in;
}
$cid = $basename;