4.46 release

ChangeLog.md

@@ -1,5 +1,5 @@
-
-
+### ver4.46 `2021/7/10`
+- 修复部分安全问题: 文件名,markdown的xxs,svg的xxs,ssrf; zip压缩包内文件名;文件名分享;文件预览API
 ### ver4.45 `2021/04/07` 
 - 更新检测文件多种引入方式;
 - php7.4,php8兼容

app/controller/pluginApp.class.php

@@ -19,7 +19,7 @@ function __construct() {
 	public function to() {
 		$route = $this->in['URLremote'];
 		if(count($route) >= 3){
-			$app = $route[2];
+			$app = clear_html($route[2]);
 			$action = $route[3];
 
 			if(count($route) == 3){
@@ -136,6 +136,7 @@ public function setConfig(){
 
 	// download=>fileSize=>unzip=>remove
 	public function install(){
+		if(!preg_match("/^[0-9a-zA-Z_]*$/",$this->in['app'])) show_json("error!",false);
 		$app = _DIR_CLEAR($this->in['app']);
 		$appPath = PLUGIN_DIR.$app.'.zip';
 		$appPathTemp = $appPath.'.downloading';
@@ -212,6 +213,7 @@ public function unInstall(){
 		if( !$this->in['app']){
 			show_json(LNG('data_not_full'),false);
 		}
+		if(!preg_match("/^[0-9a-zA-Z_]*$/",$this->in['app'])) show_json("error!",false);
 		$model = $this->loadModel('Plugin');
 		$model->remove($this->in['app']);
 		del_dir(PLUGIN_DIR.$this->in['app']);

app/controller/user.class.php

@@ -239,7 +239,8 @@ public function sso(){
 				){
 				$result = true;
 			}else{
-				$error = $this->in['check'].' 没有权限, 配置权限需要为: "'.$this->in['value'].'"';
+				$error = clear_html($this->in['check']).' 没有权限, 配置权限需要为: "'
+						.clear_html($this->in['value']).'"';
 			}
 		}
 		if($result){

app/function/common.function.php

@@ -119,14 +119,11 @@ function mtime(){
 /**
  * 过滤HTML
  */
-function clear_html($HTML, $br = true){
-	$HTML = htmlspecialchars(trim($HTML));
-	$HTML = str_replace("\t", ' ', $HTML);
-	if ($br) {
-		return nl2br($HTML);
-	} else {
-		return str_replace("\n", '', $HTML);
-	} 
+function clear_html($html, $br = true){
+	$html = $html === null ? "" : $html;
+	$replace = array('<','>','"',"'");
+	$replaceTo = array('&lt;','&gt;','&quot;','&#39;');
+	return str_replace($replace,$replaceTo,$html);
 }
 
 /**

app/function/file.function.php

@@ -1035,10 +1035,18 @@ function file_put_out($file,$download=-1,$downFilename=false){
 	}
 	header('Etag: '.$etag);
 	header('Last-Modified: '.$time.' GMT');
-	header("X-OutFileName: ".$filenameOutput);
+	header("X-OutFileName: ".$filename);
 	header("X-Powered-By: kodExplorer.");
 	header("X-FileSize: ".$file_size);
 
+	// 过滤svg中非法script内容; 避免xxs;
+	if(!$download && get_path_ext($filename) == 'svg'){
+		if($file_size > 1024*1024*5) {exit;}
+		$content = file_get_contents($file);
+		$content = removeXXS($content);
+		echo $content;exit;
+	}
+
 	//远程路径不支持断点续传；打开zip内部文件
 	if(!file_exists($file)){
 		header('HTTP/1.1 200 OK');
@@ -1089,6 +1097,54 @@ function file_put_out($file,$download=-1,$downFilename=false){
 	}
 	fclose($fp);
 }
+function removeXXS($val){
+	$val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val);
+	$search = 'abcdefghijklmnopqrstuvwxyz';
+	$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+	$search .= '1234567890!@#$%^&*()';
+	$search .= '~`";:?+/={}[]-_|\'\\';
+	for ($i = 0; $i < strlen($search); $i++) {
+		// ;? matches the ;, which is optional 
+		// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars 
+		// @ @ search for the hex values 
+		$val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($search[$i])) . ';?)/i', $search[$i], $val); // with a ; 
+		// @ @ 0{0,7} matches '0' zero to seven times  
+		$val = preg_replace('/(&#0{0,8}' . ord($search[$i]) . ';?)/', $search[$i], $val); // with a ; 
+	}
+
+	// now the only remaining whitespace attacks are \t, \n, and \r 
+	$ra1 = array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
+
+	$ra1 =  array('javascript', 'vbscript', 'expression','script');// 过多,误判
+	$ra2 = array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
+	$ra = array_merge($ra1, $ra2);
+
+	$found = true; // keep replacing as long as the previous round replaced something 
+	while ($found == true) {
+		$val_before = $val;
+		for ($i = 0; $i < sizeof($ra); $i++) {
+			$pattern = '/';
+			for ($j = 0; $j < strlen($ra[$i]); $j++) {
+				if ($j > 0) {
+					$pattern .= '(';
+					$pattern .= '(&#[xX]0{0,8}([9ab]);)';
+					$pattern .= '|';
+					$pattern .= '|(&#0{0,8}([9|10|13]);)';
+					$pattern .= ')*';
+				}
+				$pattern .= $ra[$i][$j];
+			}
+			$pattern .= '/i';
+			$replacement = substr($ra[$i], 0, 2) . '_' . substr($ra[$i], 2); // add in <> to nerf the tag  
+			$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags  
+			if ($val_before == $val) {
+				// no replacements were made, so exit the loop  
+				$found = false;
+			}
+		}
+	}
+	return $val;
+}
 
 /**
  * 远程文件下载到服务器

app/function/helper.function.php

@@ -3,6 +3,7 @@
 //扩展名权限判断 有权限则返回1 不是true
 function checkExt($file){
 	if($GLOBALS['isRoot']) return 1;
+	if($file == '.htaccess' || $file == '.user.ini') return false;
 	if (strstr($file,'<') || strstr($file,'>') || $file=='') {
 		return 0;
 	}
@@ -17,7 +18,7 @@ function checkExt($file){
 		$extArr = array_merge($extArr,array('phtml','phtm','htaccess','pwml'));
 	}
 	if(in_array('htm',$extArr) || in_array('html',$extArr)){
-		$extArr = array_merge($extArr,array('html','shtml','shtm','html'));
+		$extArr = array_merge($extArr,array('html','shtml','shtm','html','svg'));
 	}
 	foreach ($extArr as $current) {
 		if ($current !== '' && stristr($file,'.'.$current)){//含有扩展名

app/kod/Mcrypt.class.php

@@ -110,7 +110,8 @@ public static function decode($string,$key = '')
 			$box[$j] = $tmp; 
 			$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
 		}
-		if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0)
+		$theTime = intval(substr($result, 0, 10));
+		if (($theTime == 0 || $theTime - time() > 0)
 		&& substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)
 		) {
 			return substr($result, 26);

app/template/api/view.html

@@ -68,17 +68,15 @@
 	<script type="text/javascript" src="./index.php?share/commonJs&st=api&act=view#id=<?php echo rand_string(4);?>"></script>
 
 	<?php
-		$name = rawurldecode(get_path_this($_GET['path']));
-		if(isset($_GET['name'])){
-			$name = rawurldecode($_GET['name']);
-		}
+		$path = rawurldecode($_GET['path']);
+		$name = get_path_this($path);
+		if(isset($_GET['name'])){$name = rawurldecode($_GET['name']);}
 	?>
 	<script type="text/javascript">
 		G.shareInfo = {
-			path:"<?php echo $_GET['path'];?>",
-			name:"<?php echo get_path_this($_GET['path']);?>",
-			mtime:0,
-			size:0
+			path:"<?php echo clear_html($path);?>",
+			name:"<?php echo clear_html($name);?>",
+			mtime:0,size:0
 		}
 		<?php if(ST.'.'.ACT == 'explorer.fileView'){echo "G.shareInfo.view = true;G.sharePage=undefined;";}?> 
 		G['accessToken'] = "<?php echo access_token_get();?>";

app/template/common/navbar.html

@@ -83,7 +83,8 @@
 					<i class="font-icon icon-user"></i>
 					<?php 
 						$user = $_SESSION['kodUser'];
-						echo $user['nickName']?$user['nickName']:$user['name'];
+						$name = $user['nickName']?$user['nickName']:$user['name'];
+						echo clear_html($name);
 					?>&nbsp;
 					<b class="caret"></b>
 				</a>

app/template/common/navbarShare.html

@@ -17,7 +17,7 @@
 			<div class="share-info">
 				<span class="share-title">
 					<b class="share-title-info">
-					<?php echo isset($shareInfo['showName'])?clear_html($shareInfo['showName']):clear_html($shareInfo['name']);?>
+					<?php clear_html($shareInfo['showName']);?>
 					</b> 
 				</span>
 				<span class="size"></span>

app/template/editor/editor.html

@@ -38,7 +38,7 @@
 	</div><!-- / frame-main end-->
 	<?php include(TEMPLATE.'common/footerCommon.html');?>
 	<script type="text/javascript">
-		G.project = "<?php echo (isset($_GET['project'])?clear_html($_GET['project']):'') ;?>";
+		G.project = "<?php echo clear_html($_GET['project']) ;?>";
 		seajs.use("app/src/editor/main");
 	</script>
 </body>

app/template/explorer/explorerWap.html

@@ -19,7 +19,7 @@
 				echo '<img src="'.$avatar.'"/>';
 			?>
 			</span>
-			<div><h3 class="name"><?php echo $name;?></h3></div>
+			<div><h3 class="name"><?php echo clear_html($name);?></h3></div>
 		</div>
 		<ul class="left-menu-path"></ul>
 	</div>

app/template/share/edit.html

@@ -1,5 +1,5 @@
 <?php include(TEMPLATE.'common/header.html');?>
-	<title><?php echo $shareInfo['name'].' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
+	<title><?php echo clear_html($shareInfo['name']).' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/base/app_code_edit.css?ver=<?php echo KOD_VERSION;?>"/>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/<?php echo $configTheme;?>.css?ver=<?php echo KOD_VERSION;?>" id='link-theme-style'/>
 

app/template/share/editor.html

@@ -1,5 +1,5 @@
 <?php include(TEMPLATE.'common/header.html');?>
-	<title><?php echo $shareInfo['name'].' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
+	<title><?php echo clear_html($shareInfo['name']).' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/base/app_editor.css?ver=<?php echo KOD_VERSION;?>"/>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/<?php echo $configTheme;?>.css?ver=<?php echo KOD_VERSION;?>" id='link-theme-style'/>
 

app/template/share/explorer.html

@@ -1,5 +1,5 @@
 <?php include(TEMPLATE.'common/header.html');?>
-	<title><?php echo $shareInfo['name'].' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
+	<title><?php echo clear_html($shareInfo['name']).' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/base/app_explorer.css?ver=<?php echo KOD_VERSION;?>"/>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/<?php echo $configTheme;?>.css?ver=<?php echo KOD_VERSION;?>" id='link-theme-style'/>
 
@@ -42,7 +42,7 @@
 	<?php include(TEMPLATE.'common/footer.html');?>
 	<script type="text/javascript" >
 		AUTH  = {'explorer.fileDownload':<?php echo clear_html($canDownload);?>};
-		G.thisPath = "<?php echo $dir;?>";
+		G.thisPath = "<?php echo clear_html($dir);?>";
 		G.user = "<?php echo clear_html($_GET['user']);?>";
 		G.sid = "<?php echo clear_html($_GET['sid']);?>";
 		G.shareInfo = <?php echo json_encode($shareInfo);?>;

app/template/share/explorerWap.html

@@ -5,7 +5,7 @@
 <body>
 	<div class="frame-main">
 		<div class="frame-header">
-			<div class="title"><?php echo $shareInfo['name'];?></div>
+			<div class="title"><?php echo clear_html($shareInfo['name']);?></div>
 			<div class="menu-group">
 				<div class="btn-list-icon"><i class="font-icon icon-home"></i></div>
 			</div>

app/template/share/file.html

@@ -1,5 +1,5 @@
 <?php include(TEMPLATE.'common/header.html');?>
-	<title><?php echo $shareInfo['name'].' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
+	<title><?php echo clear_html($shareInfo['name']).' - '.LNG('share_title').' - '.strip_tags(LNG('kod_name')).LNG('kod_power_by');?></title>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/base/app_code_edit.css?ver=<?php echo KOD_VERSION;?>"/>
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/skin/<?php echo $configTheme;?>.css?ver=<?php echo KOD_VERSION;?>" id='link-theme-style'/>
 
@@ -29,7 +29,7 @@
 	<script type="text/javascript">
 		AUTH  = {'explorer.fileDownload':<?php echo $canDownload;?>};
 		G.user = "<?php echo clear_html($_GET['user']);?>";
-		G.path = "<?php echo (isset($_GET['path'])?clear_html($_GET['path']):'') ;?>";
+		G.path = "<?php echo clear_html($_GET['path']);?>";
 		G.sid = "<?php echo clear_html($_GET['sid']);?>";
 		G.shareInfo = <?php echo json_encode($shareInfo);?>;
 		G.theme = "<?php echo $configTheme;?>";

config/version.php

@@ -1,3 +1,3 @@
 <?php
-define('KOD_VERSION','4.45');
-define('KOD_VERSION_BUILD','0409');//time(),0409
+define('KOD_VERSION','4.46');
+define('KOD_VERSION_BUILD','0713');//time(),0409

plugins/webodf/package.json

@@ -2,7 +2,7 @@
 	"id":"webodf",
 	"name":"Opendocument Viewer",
 	"title":"",
-	"version":"1.22",
+	"version":"1.23",
 	"source":{
 		"className":"x-item-file x-odt",
 		"icon":""

plugins/webodf/php/template.php

@@ -3,7 +3,7 @@
 <head>
 	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> 
 	<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-	<title><?php echo $fileName;?></title>
+	<title><?php echo clear_html($fileName);?></title>
 </head>
 
 <?php if(get_path_ext($path) == 'odt'){ ?>
@@ -24,7 +24,7 @@
 	<div id="odf"></div>
 	<script src="<?php echo $this->pluginHost;?>static/webodf.js" type="text/javascript" charset="utf-8"></script>
 	<script type="text/javascript">
-    	var fileURL = "<?php echo $fileUrl;?>";
+    	var fileURL = "<?php echo clear_html($fileUrl);?>";
 		var odfelement = document.getElementById("odf"),
 		odfcanvas = new odf.OdfCanvas(odfelement);
 		odfcanvas.load(fileURL);

plugins/yzOffice/package.json

@@ -2,7 +2,7 @@
 	"id":"yzOffice",
 	"name":"{{LNG.yzOffice.meta.name}}",
 	"title":"{{LNG.yzOffice.meta.title}}",
-	"version":"1.36",
+	"version":"1.37",
 	"category":"file",
 	"source":{
 		"icon":"{{pluginHost}}static/images/icon.png"

plugins/yzOffice/php/template.php

@@ -4,7 +4,7 @@
 	<meta charset="utf-8">
 	<link rel="stylesheet" href="<?php echo STATIC_PATH;?>style/common.css" type="text/css">
 	<link rel="stylesheet" href="./static/style/font-awesome/css/font-awesome.css">
-	<title><?php echo $fileName;?></title>
+	<title><?php echo clear_html($fileName);?></title>
 	<style>
 		body {margin: 0;font-family: "Helvetica Neue Light", "Segoe UI Semilight", sans-serif;}
 		.infoButtonPrint{
@@ -82,7 +82,7 @@
 			"yzOffice.Main.convert":"<?php echo LNG('yzOffice.Main.convert');?>",
 			"yzOffice.Main.transferAgain":"<?php echo LNG('yzOffice.Main.transferAgain');?>"
 		};
-		var path     = '<?php echo $this->in["path"];?>';
+		var path     = '<?php echo clear_html($this->in["path"]);?>';
 		var apiBase  = "<?php echo $this->pluginApi;?>";//不能含有index.php
 		var selfHost = '<?php echo $this->pluginHost;?>';
 		var cacheFile= '<?php echo $config["cacheFile"];?>';

plugins/zipView/static/zipView.js

@@ -122,13 +122,13 @@ define(function(require, exports) {
 					}
 					var item = tree[i];
 					tree[i] = {
-						name:core.pathThis(item.filename),
+						name:htmlEncode(htmlRemoveTags(core.pathThis(item.filename))),
 						filePath:item.filename,
 						path:currentFileUrl+'&index='+item.index+"&name=/"+urlEncode(item.filename),
 						isParent:!!(item.child),
 						type:item.folder?'folder':'file',
 						menuType:item['folder']?'menu-zip-list-folder':'menu-zip-list-file',
-						ext:core.pathExt(item.filename),
+						ext:htmlEncode(htmlRemoveTags(core.pathExt(item.filename))),
 						mtime:item.mtime,
 						index:item.index,
 						size:item.size,
@@ -562,7 +562,7 @@ define(function(require, exports) {
 				initDataView(treeID,treeData,data,path);
 				Tips.close(LNG.success,true);
 			},[
-				'pathTools.strSort','trim','rtrim','ltrim','urlEncode','urlDecode','$.isNumeric',
+				'pathTools.strSort','trim','rtrim','ltrim','htmlEncode','htmlRemoveTags','urlEncode','urlDecode','$.isNumeric',
 				{'core.pathFather':coreCode.pathFather},
 				{'core.pathClear':coreCode.pathClear},
 				{'core.pathThis':coreCode.pathThis},

static/js/lib/util.js

@@ -2946,7 +2946,20 @@ var htmlEncode=function(str){
 	return s;
 }
 var htmlDecode=function(str){
-	var temp = document.createElement("div");
+	var s = "";
+	if(!str || str.length == 0) return "";
+	s = str.replace(/&/g,"&");
+	s = s.replace(/&lt;/g,"<");
+	s = s.replace(/&gt;/g,">");
+	s = s.replace(/&nbsp;/g," ");
+	s = s.replace(/&#39;/g,"\'");
+	s = s.replace(/&quot;/g,"\"");
+	return s;
+
+	//IE会丢失换行; 
+	if(!str) return str;
+	if(str.match(/[<& '">]/)) return str;//避免xss风
+	var temp = document.createElement("pre"); 
 	temp.innerHTML = str;
 	var output = temp.innerText || temp.textContent;
 	temp = null;