From fc69fcf0ea80bc100d31d3f263bab607151fa31e Mon Sep 17 00:00:00 2001
From: daichi_otani
Date: Thu, 27 Jul 2023 00:28:34 +0900
Subject: [PATCH 1/2] =?UTF-8?q?=E5=95=86=E5=93=81=E7=AE=A1=E7=90=86?=
 =?UTF-8?q?=E3=83=BB=E3=83=A1=E3=83=BC=E3=83=AB=E3=83=86=E3=83=B3=E3=83=97?=
 =?UTF-8?q?=E3=83=AC=E3=83=BC=E3=83=88=E3=81=AEXSS=E5=AF=BE=E5=BF=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../smarty_extends/modifier.script_escape.php | 36 +++++++--
 .../modifier/Modifier_ScriptEscapeTest.php | 74 +++++++++++++++++++
 2 files changed, 104 insertions(+), 6 deletions(-)
 create mode 100644 tests/class/modifier/Modifier_ScriptEscapeTest.php
diff --git a/data/smarty_extends/modifier.script_escape.php b/data/smarty_extends/modifier.script_escape.php
index 92e7ee1bf1..0e04180830 100644
--- a/data/smarty_extends/modifier.script_escape.php
+++ b/data/smarty_extends/modifier.script_escape.php
@@ -9,12 +9,36 @@ function smarty_modifier_script_escape($value)
 {
 if (is_array($value)) return $value;
- $pattern = "/|<\/script>|javascript:|||||||<.*onmouse.*?>|(\"|').*(onmouse|onerror|onload|onclick).*=.*(\"|').*/i";
+ $pattern = "|<\/script>|javascript:|||||||";
+
+ // 追加でサニタイズするイベント一覧
+ $escapeEvents = array(
+ 'onmouse',
+ 'onclick',
+ 'onblur',
+ 'onfocus',
+ 'onresize',
+ 'onscroll',
+ 'ondblclick',
+ 'onchange',
+ 'onselect',
+ 'onsubmit',
+ 'onkey',
+ );
+
+ // イベント毎の正規表現を生成
+ $generateHtmlTagPatterns = array_map(function($str) {
+ return "<(\w+)([^>]*\s)?\/?".$str."[^>]*>";
+ }, $escapeEvents);
+ $pattern .= implode("|", $generateHtmlTagPatterns)."|";
+ $pattern .= "(\"|').*(onerror|onload|".implode("|", $escapeEvents).").*=.*(\"|').*";
+
+ // 正規表現をまとめる
+ $attributesPattern = "/${pattern}/i";
+
+ // 置き換える文字列
 $convert = '#script tag escaped#';
- if (preg_match_all($pattern, $value, $matches)) {
- return preg_replace($pattern, $convert, $value);
- } else {
- return $value;
- }
+ // マッチしたら文字列を置き換える
+ return preg_replace($attributesPattern, $convert, $value);
 }
diff --git a/tests/class/modifier/Modifier_ScriptEscapeTest.php b/tests/class/modifier/Modifier_ScriptEscapeTest.php
new file mode 100644
index 0000000000..4d32d460ad
--- /dev/null
+++ b/tests/class/modifier/Modifier_ScriptEscapeTest.php
@@ -0,0 +1,74 @@
+'),
+ array('test'),
+ array('test'),
+ array('test'),
+ array(''),
+ array(''),
+ array(''),
+ array('\"onclick=\"alert(1)\"'),
+ array('
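Review bot: The new `$escapeEvents` array is an enumerated blacklist of handler-name prefixes, and `onerror`/`onload` are absent from it, so the tag-form pattern built by the `array_map` closure never covers those two and any handler name outside the eleven entries is not matched at all; matching the attribute name generically would close that class in two lines, `$pattern .= "<(\w+)([^>]*\s)?\/?on\w+[^>]*>|";` and `$pattern .= "(\"|').*on\w+.*=.*(\"|').*";`, in place of the `implode` calls. `"/${pattern}/i"` uses the `${var}` interpolation form that PHP 8.2 deprecates; `"/{$pattern}/i"` is equivalent. `preg_replace` returns null on a PCRE error (the chained `.*` groups can exhaust the backtrack limit on long input) and the function would then return that null in place of the template value, so a `preg_last_error()` check or a null guard belongs after the call. The first alternation appears garbled on this page (the empty `||` members), so the coverage point is hedged on what the real pattern contains.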

test

'), + array('

test

'), + array('

test

'), + array(''), + array(''), + array(''), + array(''), + array('
'), + array('
javascript:test()
'), + array(''), + array(''), + array(''), + array('
'), + array(''), + array(''), + array(''), + array(''), + array('
'), + ); + } + + public function scriptNoEscapeProvider() + { + return array( + array('

test

'), + array(''), + array('

onclick

'), + array('
test
'), + array(''), + array('

onclick="\ntest();"

'),
+ array('assertRegExp($pattern, $ret);
+ }
+
+ /**
+ * @dataProvider scriptNoEscapeProvider
+ */
+ public function testメールテンプレート_エスケープされない($value)
+ {
+ $ret = smarty_modifier_script_escape($value);
+ $pattern = "/#script tag escaped#/";
+ $this->assertNotRegExp($pattern, $ret);
+ }
+}
From 4bfdc5a3ff8ad5fcf8145af982f4a87ccafb0a2e Mon Sep 17 00:00:00 2001
From: shinya
Date: Wed, 16 Aug 2023 18:44:06 +0900
Subject: [PATCH 2/2] =?UTF-8?q?p1->p2=E3=81=AE=E5=AF=BE=E5=BF=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 data/class/SC_Initial.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/class/SC_Initial.php b/data/class/SC_Initial.php
index 26230c5ab0..1f72909a3d 100644
--- a/data/class/SC_Initial.php
+++ b/data/class/SC_Initial.php
@@ -35,7 +35,7 @@ class SC_Initial
 public function __construct()
 {
 /** EC-CUBEのバージョン */
- define('ECCUBE_VERSION', '2.17.2-p1');
+ define('ECCUBE_VERSION', '2.17.2-p2');
 }
 /**
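Review bot: `assertRegExp` and `assertNotRegExp` in the two test methods are deprecated since PHPUnit 9.1 and removed in PHPUnit 10; `assertMatchesRegularExpression` and `assertDoesNotMatchRegularExpression` are the drop-in replacements, and PHPUnit 10 also requires the `scriptEscapeProvider`/`scriptNoEscapeProvider` data providers to be declared `public static`. The positive case only asserts that `#script tag escaped#` occurs somewhere in `$ret`, which passes even when just one fragment of a multi-part input is replaced; giving each provider row an expected output and asserting `self::assertSame($expected, $ret)` would pin exactly what the modifier removes. Much of the provider content is stripped on this page, so the set of cases actually covered cannot be judged here.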