bug #1679801 [core] XSS vulnerability in PMA_sanitize()

2007-03-13 14:21:31 +00:00
parent be92d591b1
commit 88c1840894
2 changed files with 27 additions and 1 deletions
--- a/2
+++ b/2
@@ -5,6 +5,8 @@ phpMyAdmin - ChangeLog
 $Id$
 $Source$

+- bug #1679801 [core] XSS vulnerability in PMA_sanitize(), thanks to sp3x SecurityReason
+
 2007-03-01 Sebastian Mendel <cybot_tm@users.sourceforge.net>
    * libraries/common.lib.php: bug #1671813 CVE-2006-1549 deep recursion crash

--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -34,7 +34,31 @@ function PMA_sanitize($message)
        '[br]'      => '<br />',
        '[/a]'      => '</a>',
    );
-    return preg_replace('/\[a@([^"@]*)@([^]"]*)\]/', '<a href="\1" target="\2">', strtr($message, $replace_pairs));
+    $sanitized_message = strtr($message, $replace_pairs);
+    $sanitized_message = preg_replace(
+        '/\[a@([^"@]*)@([^]"]*)\]/e',
+        '\'<a href="\' . PMA_sanitizeUri(\'$1\') . \'" target="\2">\'',
+        $sanitized_message);
+
+    return $sanitized_message;
 }

+/**
+ * removes javascript
+ *
+ * @uses    trim()
+ * @uses    strtolower()
+ * @uses    substr()
+ * @param   string  uri
+ */
+function PMA_sanitizeUri($uri)
+{
+    $uri = trim($uri);
+
+    if (strtolower(substr($uri, 0, 10)) === 'javascript') {
+        return '';
+    }
+
+    return $uri;
+}
 ?>