
CVS: mhonarc/MHonArc/lib mhtxthtml.pl,2.29,2.30

2002-12-21 17:48:23
Update of /cvsroot/mhonarc/mhonarc/MHonArc/lib
In directory subversions:/tmp/cvs-serv10869

Modified Files:
	mhtxthtml.pl 
Log Message:
* XSS fix.


Index: mhtxthtml.pl
===================================================================
RCS file: /cvsroot/mhonarc/mhonarc/MHonArc/lib/mhtxthtml.pl,v
retrieving revision 2.29
retrieving revision 2.30
diff -C2 -r2.29 -r2.30
*** mhtxthtml.pl	19 Dec 2002 05:14:23 -0000	2.29
--- mhtxthtml.pl	22 Dec 2002 00:48:17 -0000	2.30
***************
*** 183,203 ****
      ## some browsers are forgiving about dublicating header tags, but
      ## we try to do things right.  It also help minimize XSS exploits.
-     $$data =~ s|<!doctype\s[^>]*>||io;
-     $$data =~ s|</?html\b[^>]*>||gio;
-     $$data =~ s|</?x-html\b[^>]*>||gio;
      $$data =~ s|<head\s*>[\s\S]*</head\s*>||io;
!     $$data =~ s|</?meta\b[^>]*>||io;
  
      ## Strip out style information if requested.
      if ($nofont) {
  	$$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! 	$$data =~ s|</?font\b[^>]*>||gio;
! 	$$data =~ s/\b(?:style|class)\s*=\s*"[^"]*"//gio;
! 	$$data =~ s/\b(?:style|class)\s*=\s*'[^']*'//gio;
! 	$$data =~ s/\b(?:style|class)\s*=\s*[^\s>]+//gio;
      }
  
      ## Strip out scripting markup
      if ($noscript) {
  	# Hopefully complete pattern to neutralize javascript:... URLs.
  	# The pattern is ugly because we have to handle any combination
--- 183,220 ----
      ## some browsers are forgiving about dublicating header tags, but
      ## we try to do things right.  It also help minimize XSS exploits.
      $$data =~ s|<head\s*>[\s\S]*</head\s*>||io;
!     1 while ($$data =~ s|<!doctype\s[^>]*>||gio);
!     1 while ($$data =~ s|</?html\b[^>]*>||gio);
!     1 while ($$data =~ s|</?x-html\b[^>]*>||gio);
!     1 while ($$data =~ s|</?meta\b[^>]*>||gio);
!     1 while ($$data =~ s|</?link\b[^>]*>||gio);
  
      ## Strip out style information if requested.
      if ($nofont) {
  	$$data =~ s|<style[^>]*>.*?</style\s*>||gios;
! 	1 while ($$data =~ s|</?font\b[^>]*>||gio);
! 	1 while ($$data =~ s/\b(?:style|class)\s*=\s*"[^"]*"//gio);
! 	1 while ($$data =~ s/\b(?:style|class)\s*=\s*'[^']*'//gio);
! 	1 while ($$data =~ s/\b(?:style|class)\s*=\s*[^\s>]+//gio);
! 	1 while ($$data =~ s|</?style\b[^>]*>||gi);
      }
  
      ## Strip out scripting markup
      if ($noscript) {
+ 	# remove scripting elements and attributes
+ 	$$data =~ s|<script[^>]*>.*?</script\s*>||gios;
+ 	unless ($nofont) {  # avoid dup work if style already stripped
+ 	    $$data =~ s|<style[^>]*>.*?</style\s*>||gios;
+ 	    1 while ($$data =~ s|</?style\b[^>]*>||gi);
+ 	}
+ 	1 while ($$data =~ s|$SAttr\s*=\s*"[^"]*"||gio); #"
+ 	1 while ($$data =~ s|$SAttr\s*=\s*'[^']*'||gio); #'
+ 	1 while ($$data =~ s|$SAttr\s*=\s*[^\s>]+||gio);
+ 	1 while ($$data =~ s|</?$SElem[^>]*>||gio);
+ 	1 while ($$data =~ s|</?script\b||gi);
+ 
+ 	# for netscape 4.x browsers
+ 	$$data =~ s/(=\s*["']?\s*)(?:\&\{)+/$1/g;
+ 
  	# Hopefully complete pattern to neutralize javascript:... URLs.
  	# The pattern is ugly because we have to handle any combination
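Review bot: The `1 while` rewrite of the tag- and attribute-stripping substitutions is the substance of this fix, but none of the loops say why a single `s///g` pass was replaced, so a later cleanup could fold them back into plain substitutions without noticing. Suggest a one-line comment above the first loop, `# repeat until nothing matches: one pass can leave a tag re-assembled from the text around a removed tag (e.g. <scr<script>ipt>)`, and the same above the `$SAttr` loops in the `$noscript` branch. The two `</?style\b[^>]*>` loops use `gi` while every sibling pattern uses `gio`; neither interpolates a variable so this is cosmetic, but it reads as an accidental difference. The enclosing sub starts before this hunk, and the `javascript:` URL pattern the trailing comment refers to continues past it.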
***************
*** 215,230 ****
  		   /_javascript_/gix;
  
- 	# remove scripting elements and attributes
- 	$$data =~ s|<script[^>]*>.*?</script\s*>||gios;
- 	$$data =~ s|<style[^>]*>.*?</style\s*>||gios  unless $nofont;
- 	$$data =~ s|$SAttr\s*=\s*"[^"]*"||gio; #"
- 	$$data =~ s|$SAttr\s*=\s*'[^']*'||gio; #'
- 	$$data =~ s|$SAttr\s*=\s*[^\s>]+||gio;
- 	$$data =~ s|</?$SElem[^>]*>||gio;
- 
- 	# just in-case, make sure all script tags are removed
- 	1 while ($$data =~ s|</?script\b||gi);
- 	# for netscape 4.x browsers
- 	$$data =~ s/(=\s*["']?\s*)\&\{/$1/g;
      }
  
--- 232,235 ----
***************
*** 283,287 ****
  	}
      }
!     $$data =~ s|</?body[^>]*>||ig;
  
      my $ahref_tmp;
--- 288,292 ----
  	}
      }
!     1 while ($$data =~ s|</?body\b[^>]*>||ig);
  
      my $ahref_tmp;
***************
*** 375,381 ****
  
  sub resolve_cid {
!     my $onlycid = shift;
!     my $cid = shift;
      my $attachdir = shift;
      my $href = $readmail::Cid{$cid};
      if (!defined($href)) {
--- 380,389 ----
  
  sub resolve_cid {
!     my $onlycid   = shift;
!     my $cid_in    = shift;
      my $attachdir = shift;
+     my $cid	  = $cid_in;
+ 
+     $cid =~ s/&#(?:x0*40|64);/@/g;
      my $href = $readmail::Cid{$cid};
      if (!defined($href)) {
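Review bot: The new entity-decoding line only tolerates leading zeros in the hex alternative and only matches a lower-case `x`, so `&#064;` and `&#X40;` are not normalized and the lookup in `%readmail::Cid` is done on the raw text, falling through to the not-found path instead of resolving the Content-ID. Suggest `$cid =~ s/&#(?:x0*40|0*64);/@/gi;` so the decimal form gets the same leading-zero tolerance and the `i` flag covers an upper-case `X`. Whether the semicolon-less spellings (`&#64`, `&#x40`) also need to be accepted with `;?` depends on where the resolved value is placed, which this hunk does not show. `resolve_cid` continues past the end of the hunk.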
***************
*** 384,388 ****
  	if (!defined($href = $readmail::Cid{$basename})) {
  	    return ""  if $onlycid;
! 	    return ($cid =~ /^cid:/i)? "": $cid;
  	}
  	$cid = $basename;
--- 392,396 ----
  	if (!defined($href = $readmail::Cid{$basename})) {
  	    return ""  if $onlycid;
! 	    return ($cid =~ /^cid:/i)? "": $cid_in;
  	}
  	$cid = $basename;
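Review bot: The fall-through now returns `$cid_in` rather than the decoded `$cid`, and the reason is not recorded anywhere in the sub; a reader comparing the `^cid:` test on `$cid` with the `$cid_in` return will assume one of them is a typo. Suggest a comment on the return, `# hand back the caller's original text, not the entity-decoded lookup key, so nothing is un-escaped on the way out`, which is the apparent intent of splitting the two variables. The prefix test still runs on the decoded copy, which only matters if the decode could ever touch the first four characters; with the current `@`-only substitution it cannot, but a broader decode later would change that. `resolve_cid` starts before this hunk and continues after it.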
