Hack me! -- template security
Posted: Sat Jun 12, 2004 5:39 pm
Here is a simple class that can be extended for more functionality. It is responsible for making my templates secure before they are later "include()"d.
I wrote a templating class last fall that did it all in one big fat ugly class. I am rewriting it now, with more and smaller classes. I stole the regex from my old version and immediately discovered a security hole. It was about the <script language="php"></script> style PHP tags (that I hate). I improved it so that I at least can't break it myself.
So, the class goes like this:
Code:
<?php
//Filename: class.tplsecurity.php
class tplsecurity
{
    public $strTemplate;

    // Keeps a reference to the caller's string, so stripPHP() edits it in place.
    function __construct(& $strTemplate)
    {
        $this->strTemplate = & $strTemplate;
    }

    /**
     * @return void
     * @desc operates on $this->strTemplate and disables any PHP code in it.
     */
    function stripPHP()
    {
        $this->strTemplate = preg_replace(
            '@'.
            '(<%(php)?)'. // small asp-style php tag
            '|'.
            '(<\?(?!xml\s))'. // small php tag, but leave xml tags untouched
            '|'.
            '(<script[^>]+language\s*=\s*["\']php["\'][^>]*>)'. // <script language="php"> php code </script>
            '@i', // case-insensitive for every alternative
            '[parse error]',
            $this->strTemplate);
    }
}
?>

And here is a test script:

Code:
<?php
include("class.tplsecurity.php");
header("Content-type: text/plain");
$TestString = <<<INPUT
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login</title>
<meta name="GENERATOR" content="Quanta Plus" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<script language='php' >echo "boo boo!"; </script>
It should not just say "boo boo!" above.
If it does, there is a hole in the regex.
Also, there should not be any problem with the xml tag on the first line.
If short_open_tag is on, then the xml tag will generate a parse error in eval() below. Inserting a space before xml makes the regex catch the "<?" and disable it, so then you'll be fine.
</body>
</html>
INPUT;
// The constructor takes the string by reference, so stripPHP() rewrites $TestString itself.
$objSeq = new tplsecurity($TestString);
$objSeq->stripPHP();
// Leave PHP mode first so the sanitised template is evaluated as inline HTML.
eval("?>" . $objSeq->strTemplate);
?>

Anyone seeing any more holes?

Gotta be secure...
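As an added check (not code from the post or its author), here is a small audit that validates stripPHP() with PHP's tokenizer instead of eval(): token_get_all() executes nothing, and it reports exactly what this interpreter, with its current short_open_tag setting, would treat as PHP once the template is include()d. It assumes class.tplsecurity.php from the post is on the include path; the sample inputs are constructed.

```php
<?php
// Added example, not from the original post. Assumes class.tplsecurity.php
// from the post (class tplsecurity with stripPHP()) is on the include path.
require_once 'class.tplsecurity.php';

// True when the tokenizer sees nothing but inline HTML, i.e. no open tag of
// any form survived. Bare one-character tokens (';', '=', ...) only appear
// once PHP mode has been entered, so they count as a failure too.
function isInlineHtmlOnly($strTemplate)
{
    foreach (token_get_all($strTemplate) as $token) {
        if (!is_array($token) || $token[0] !== T_INLINE_HTML) {
            return false;
        }
    }
    return true;
}

// Runs each sample through stripPHP() and records whether PHP mode could be
// entered before and after sanitising. Returns name => array(before, after).
function auditSamples(array $samples)
{
    $report = array();
    foreach ($samples as $name => $raw) {
        $tpl = $raw;                      // stripPHP() edits the string in place
        $sec = new tplsecurity($tpl);
        $sec->stripPHP();
        $report[$name] = array(isInlineHtmlOnly($raw), isInlineHtmlOnly($tpl));
    }
    return $report;
}

// Constructed samples: the tag forms the post's regex targets, plus the XML
// declaration it deliberately leaves alone.
$samples = array(
    'full tag'   => '<p><?PHP echo "x"; ?></p>',
    'short tag'  => '<p><? echo "x"; ?></p>',
    'short echo' => '<p><?= $x ?></p>',
    'asp tag'    => '<p><% echo "x"; %></p>',
    'script tag' => "<p><script language='php' >echo 1;</script></p>",
    'xml decl'   => '<?xml version="1.0"?><root/>',
);
// "PHP" after sanitising means the regex missed an open tag that this
// interpreter honours; "PHP" before and "clean" after is what we want.
foreach (auditSamples($samples) as $name => $r) {
    printf("%-10s before: %-5s after: %s\n", $name,
        $r[0] ? 'clean' : 'PHP', $r[1] ? 'clean' : 'PHP');
}
```

The "xml decl" row shows the caveat from the test script: with short_open_tag on it reads "PHP" both before and after, because the regex leaves `<?xml` alone. On PHP 7 and later the ASP and `<script language="php">` forms are no longer open tags at all, so those rows read "clean" even before stripping.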