modx::stripTags filtering may not work correctly #9080
Comments
|
Anonymous submitted: [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]tag]] -> [[tag]] [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]!tag]] -> [[!tag]] [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]*tag]] -> [[*tag]] I'm sorry. Parser ate tags. Combine this bug and http://tracker.modx.com/issues/9069. Or will continue to ignore the bug to write articles in the style http://modx.com/blog/2012/05/29/why-we-dont-do-powered-by-by-default/ |
|
Anonymous submitted: We can use placeholders [[++dsn]] [[++username]] and [[+password]] [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]++password]] [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]++dsn]] [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]++username]] And what a super-resistant hash and PDO do not save. It remains to find phpmyadmin |
|
bezumkin2 submitted: In fact, blame the regular expression in $sanitizePatterns at modx.class.php on line 232 @[[(.[^[[]_?)]]@si Need to change it to a more simple and reliable, such as @[[(._?)]]@si I treated all my sites with this command in server console: find -type f -name modx.class.php -exec sed -i 's#[^\[\[]##g' {} ;Use it only on you own risk! |
|
splittingred submitted: A bit of FUD here; you can't use this to get to System Settings (doesn't work). TVs and Resource Fields to seem to show; that is correct and needs fixing. However, bezumkin, your solution doesn't strip the extra [] and leaves the code injectable; that's not correct either. It should strip them all. Thoughts? |
|
gadamiak submitted: splittingred wrote:
Should any single bracket be removed or only in pairs? The simplest PCRE search pattern is "@([|])+?@" for the former and "@([[|]])+?@" for the latter. |
|
opengeek submitted: Single brackets cannot be removed, it is only tags, i.e. double brackets, that are the issue. If we strip out single brackets, it could kill a greater amount of legitimate POST data IMO. Ultimately, anything you put in the front-end should handle more detailed sanitization itself, while MODX simply tries to prevent you from pointing the gun at yourself by default. |
|
gadamiak submitted: opengeek wrote:
That's what I thought. |
|
opengeek submitted: I separated the tag pattern into two separate patterns to scrub opening and then closing tags. Seems to be much more thorough. |
|
bezumkin2 submitted: splittingred wrote:
This was a quick solution but it always remove all |
|
bezumkin2 submitted: . |
|
Anonymous submitted: 64f04d2 This is not the correct patch |
|
bezumkin2 submitted: Agel_Nash wrote:
It seems, like we need to correct modX::sanitizePatterns: public $sanitizePatterns = array(
'tags1' => '@\[\[(.*?)\]\]@si',
'tags2' => '@(\[\[|\]\])@si',
'scripts' => '@]*?>.*?</script>@si',
All tags will be stripped first, then will be processed scripts and entities. |
|
danya_postfactum submitted: What about <script>a</script > (extra space at the closing tag end)? This is valid script element. |
|
opengeek submitted: I've modified sanitize to g 8000 o through all the patterns in a loop until no matches occur on any of the patterns. This should prevent compromise through nesting different matches to take advantage of the pattern order. |
The single regex for filtering the modx tags was not sufficient for cleaning all nested combinations. Separating them into open and close tag pairs makes it much easier to completely filter the tags.
This should have always been disabled by default. Users who want this enabled will have to do so manually after 2.2.6 upgrade.
Merge branch 'release-2.2' * release-2.2: (40 commits) Bump version for 2.2.6-pl [modxcms#9178] Use PHP time for valid check in modDbRegisterMessage::getValidMessages() [modxcms#9165] Fix modError::hasError false positives when loaded via getService [modxcms#9029] Remove modRequest->loadErrorHandler dependency in runProcessor [modxcms#9156] Fix reload data for rendering multi-value TV types properly Prevent re-mapping custom Policies and Policy Templates [modxcms#7916] Fix Area functionality in Element Properties and Property Sets [modxcms#9080] Disable allow_tags_in_post System Setting on upgrade Add configcheck warning for allow_tags_in_post settings enabled fix css misprints Remove recursion in onCellDblClick() modx.grid.local.property.js Updated Dutch lexicon Remove unnecessary connector call on login tpl Update phpdoc comment Image optimization applied across distribution (changelog entry) Image Optimization Fixed copyright 2011 to 2012 [modxcms#9006] Fix ImageMagick which convert issue (PHP 5.3.2+) CS translation of updated strings in Setting Lexicon [modxcms#9080] Avoid filter order compromises in modX::sanitize() ...
* release-2.2: (23 commits) fix css misprints Remove recursion in onCellDblClick() modx.grid.local.property.js Updated Dutch lexicon Remove unnecessary connector call on login tpl Update phpdoc comment Image optimization applied across distribution (changelog entry) Image Optimization Fixed copyright 2011 to 2012 [modxcms#9006] Fix ImageMagick which convert issue (PHP 5.3.2+) CS translation of updated strings in Setting Lexicon [modxcms#9080] Avoid filter order compromises in modX::sanitize() Updating French translation [modxcms#9069] Remove math output filter Set allow_tags_in_post false in default System Settings Make sanitizeRequest handle GET vars as arrays Adjust nesting value accidentally left at 99 [modxcms#9080] Fix modX::stripTags() bugs allowing script execution vulnerability [modxcms#9080] Separate open and close tags in modX::$sanitizePatterns Replaced MODX logo in setup [modxcms#9007] Add changelog entry ... Conflicts: core/docs/changelog.txt
This should have always been disabled by default. Users who want this enabled will have to do so manually after 2.2.6 upgrade.
* release-2.2: [modxcms#8101] Add support for httpOnly session cookies in PHP 5.2+ Adding System Setting for HttpOnly cookies phpdoc comment correction [modxcms#8420] Add changelog entries for flock-independent file locking issues Bump version for 2.2.7-dev [#8423] Add multi-node support to flock-independent file locking Set log_level and log_target from xPDO constructor options Bump version for 2.2.6-pl [modxcms#9178] Use PHP time for valid check in modDbRegisterMessage::getValidMessages() [modxcms#9165] Fix modError::hasError false positives when loaded via getService [modxcms#9029] Remove modRequest->loadErrorHandler dependency in runProcessor [modxcms#9156] Fix reload data for rendering multi-value TV types properly Prevent re-mapping custom Policies and Policy Templates [modxcms#7916] Fix Area functionality in Element Properties and Property Sets [modxcms#9080] Disable allow_tags_in_post System Setting on upgrade Add configcheck warning for allow_tags_in_post settings enabled Conflicts: _build/build.sample.properties _build/build.xml _build/data/transport.core.system_settings.php core/docs/changelog.txt core/docs/version.inc.php core/model/modx/modx.class.php
Anonymous created Redmine issue ID 9080
input: [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]tag]]
output: [[tag]]
input: [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]!tag]]
output: [[!tag]]
input: [[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]_tag]]
output: [[_tag]]
$text=$modx->stripTags($text); $title=$modx->stripTags($title); $data=array("content"=>$text,"pagetitle"=>$title); //save data //.. //.. //.. // //display dataIs this normal?
For example: http://www.youtube.com/watch?v=tNlOg3MlUjk
The text was updated successfully, but these errors were encountered: