Changeset 937

Timestamp:
04/10/07 16:19:24 (1 year ago)
Author:
Rickard
Message:

Moved template tag replacement of pun_include to the top of all replacements to prevent exploitation via XSS vulnerabilities. On top of this, all included files must have one of the file extensions .php, .php4, .php5, .inc, .html, .htm or .txt.

Files:

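--- a/trunk/docs/faq.html
+++ b/trunk/docs/faq.html
@@ -466,12 +466,13 @@
 
     <dd>The script banner.php must be located in the user include
-    directory mentioned above. PunBB will execute the script and
-    the pun_include variable will be replaced by any output that
-    the script produces. Please note that all included scripts have
-    access to the PunBB variables, so if you e.g. wanted to access
-    the database, you could use the $db object just like the rest of
-    PunBB does. Replacement of the pun_include variable is the last
-    thing that PunBB does when it outputs a page, so you don't have
-    to worry about not using variable names that PunBB uses.</dd>
+    directory mentioned above and its file extension must be .php,
+    .php4, .php5, .inc, .htm, .html or .txt. PunBB will execute the
+    script and the pun_include variable will be replaced by any
+    output that the script produces. Please note that all included
+    scripts have access to the PunBB variables, so if you e.g.
+    wanted to access the database, you could use the $db object just
+    like the rest of PunBB does. Be careful when dealing with global
+    variables in included scripts so that they don't collide with
+    PunBB's global variables.</dd>
 
     <dt>3.5 - I want to display information from the forums on my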
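--- a/trunk/upload/footer.php
+++ b/trunk/upload/footer.php
@@ -140,19 +140,4 @@
 
 
-// START SUBST - <pun_include "*">
-while (preg_match('#<pun_include "([^/\\\\]*?)">#', $tpl_main, $cur_include))
-{
-        if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1]))
-                error('Unable to process user include &lt;pun_include "'.htmlspecialchars($cur_include[1]).'"&gt; from template main.tpl. There is no such file in folder /include/user/');
-
-        ob_start();
-        include PUN_ROOT.'include/user/'.$cur_include[1];
-        $tpl_temp = ob_get_contents();
-        $tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main);
-    ob_end_clean();
-}
-// END SUBST - <pun_include "*">
-
-
 // Close the db connection (and free up any result data)
 $db->close();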
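--- a/trunk/upload/header.php
+++ b/trunk/upload/header.php
@@ -42,4 +42,19 @@
 else
         $tpl_main = file_get_contents(PUN_ROOT.'include/template/main.tpl');
+
+
+// START SUBST - <pun_include "*">
+while (preg_match('#<pun_include "([^/\\\\]*?)\.(php[45]?|inc|html?|txt)">#', $tpl_main, $cur_include))
+{
+        if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2]))
+                error('Unable to process user include '.htmlspecialchars($cur_include[0]).' from template main.tpl. There is no such file in folder /include/user/');
+
+        ob_start();
+        include PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2];
+        $tpl_temp = ob_get_contents();
+        $tpl_main = str_replace($cur_include[0], $tpl_temp, $tpl_main);
+    ob_end_clean();
+}
+// END SUBST - <pun_include "*">
 
 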
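Review bot: The invariant this commit establishes — that the pun_include pass must run before every other substitution so that only tags written in main.tpl itself are honoured — is stated only in the commit message, so nothing in the code stops a later reorder from reintroducing the problem; record it at the START SUBST line, e.g. `// START SUBST - <pun_include "*"> (must stay first: later substitutions insert user-supplied text, and a tag in that text would otherwise be included)`. The file_exists check on the first body line also accepts a directory whose name carries a whitelisted extension, in which case include presumably fails with a PHP warning instead of the template's error(); `if (!is_file(PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2]))` is the stricter test. The same thirteen lines are repeated twice more in functions.php, and a shared helper would be the usual answer, but an include executed inside a function sees only that function's scope while docs/faq.html promises user includes access to PunBB's globals, so if the duplication is deliberate a comment saying so would save the next reader from refactoring it away.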
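--- a/trunk/upload/include/functions.php
+++ b/trunk/upload/include/functions.php
@@ -783,4 +783,19 @@
 
 
+        // START SUBST - <pun_include "*">
+        while (preg_match('#<pun_include "([^/\\\\]*?)\.(php[45]?|inc|html?|txt)">#', $tpl_maint, $cur_include))
+        {
+                if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2]))
+                        error('Unable to process user include '.htmlspecialchars($cur_include[0]).' from template maintenance.tpl. There is no such file in folder /include/user/');
+
+                ob_start();
+                include PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2];
+                $tpl_temp = ob_get_contents();
+                $tpl_maint = str_replace($cur_include[0], $tpl_temp, $tpl_maint);
+            ob_end_clean();
+        }
+        // END SUBST - <pun_include "*">
+
+
         // START SUBST - <pun_content_direction>
         $tpl_maint = str_replace('<pun_content_direction>', $lang_common['lang_direction'], $tpl_maint);
@@ -821,19 +836,4 @@
 
 
-        // START SUBST - <pun_include "*">
-        while (preg_match('#<pun_include "([^/\\\\]*?)">#', $tpl_maint, $cur_include))
-        {
-                if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1]))
-                        error('Unable to process user include &lt;pun_include "'.htmlspecialchars($cur_include[1]).'"&gt; from template maintenance.tpl. There is no such file in folder /include/user/');
-
-                ob_start();
-                include PUN_ROOT.'include/user/'.$cur_include[1];
-                $tpl_temp = ob_get_contents();
-                $tpl_maint = str_replace($cur_include[0], $tpl_temp, $tpl_maint);
-            ob_end_clean();
-        }
-        // END SUBST - <pun_include "*">
-
-
         // Close the db connection (and free up any result data)
         $db->close();
@@ -860,4 +860,19 @@
         // Load the redirect template
         $tpl_redir = trim(file_get_contents(PUN_ROOT.'include/template/redirect.tpl'));
+
+
+        // START SUBST - <pun_include "*">
+        while (preg_match('#<pun_include "([^/\\\\]*?)\.(php[45]?|inc|html?|txt)">#', $tpl_redir, $cur_include))
+        {
+                if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2]))
+                        error('Unable to process user include '.htmlspecialchars($cur_include[0]).' from template redirect.tpl. There is no such file in folder /include/user/');
+
+                ob_start();
+                include PUN_ROOT.'include/user/'.$cur_include[1].'.'.$cur_include[2];
+                $tpl_temp = ob_get_contents();
+                $tpl_redir = str_replace($cur_include[0], $tpl_temp, $tpl_redir);
+            ob_end_clean();
+        }
+        // END SUBST - <pun_include "*">
 
 
@@ -912,19 +927,4 @@
         ob_end_clean();
         // END SUBST - <pun_footer>
-
-
-        // START SUBST - <pun_include "*">
-        while (preg_match('#<pun_include "([^/\\\\]*?)">#', $tpl_redir, $cur_include))
-        {
-                if (!file_exists(PUN_ROOT.'include/user/'.$cur_include[1]))
-                        error('Unable to process user include &lt;pun_include "'.htmlspecialchars($cur_include[1]).'"&gt; from template redirect.tpl. There is no such file in folder /include/user/');
-
-                ob_start();
-                include PUN_ROOT.'include/user/'.$cur_include[1];
-                $tpl_temp = ob_get_contents();
-                $tpl_redir = str_replace($cur_include[0], $tpl_temp, $tpl_redir);
-            ob_end_clean();
-        }
-        // END SUBST - <pun_include "*">
 
 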
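Review bot: In the maintenance.tpl hunk the while loop re-matches the whole buffer after every substitution, so a user include whose own output contains a `<pun_include "…">` tag (a script that echoes its tag, or two scripts that include each other) never terminates and runs until the execution time limit; the redirect.tpl hunk and header.php carry the same loop. If nested tags in include output are not an intended feature, matching once against the original template (collect the tags with preg_match_all, then replace each) bounds the work to the tags the template author wrote; if they are intended, an iteration cap that calls error() when exceeded turns the hang into the same diagnostic the missing-file branch already produces. Both hunks are indented as function bodies whose start and end lie outside the hunks, so whether $db and the other globals the FAQ promises to user includes are actually visible at the include point cannot be confirmed from here; a one-line comment naming the globals the function pulls in before the loop would settle it for readers.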