/**
 * Pre-block markup that may be a hacking attempt before content is stored/rendered.
 *
 * Order of operations as visible here:
 *  1. EmbedFilter::check() and purifierHtml() are run on $content.
 *  2. Opening/closing tags of a fixed list of dangerous elements are neutralised
 *     by HTML-encoding their leading "<".
 *  3. Any element whose attribute list carries an event handler or a URL/style
 *     bearing attribute is handed to removeSrcHack() via preg_replace_callback.
 *  4. checkXmpTag() and blockWidgetCode() post-process the result.
 *
 * @param string $content Target content (untrusted HTML)
 * @return string Filtered content
 */
function removeHackTag($content)
{
	require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
	$oEmbedFilter = EmbedFilter::getInstance();
	// NOTE(review): the return values of both calls are discarded, so they only
	// have an effect if they take $content by reference — confirm their
	// signatures; otherwise the embed/purifier pass is silently lost.
	$oEmbedFilter->check($content);
	purifierHtml($content);

	// Neutralise <html>, <body>, <head>, <title>, <meta>, <base>, <link>,
	// <script>, <style> and <applet> (opening or closing, case-insensitive) by
	// replacing the leading "<" with "&lt;" so the tag is rendered as text.
	// The lazy ".*?>" stops at the first ">"; a tag with no closing ">" is not
	// rewritten by this step.
	$content = preg_replace('@<(\\/?(?:html|body|head|title|meta|base|link|script|style|applet)(/*).*?>)@i', '<$1', $content);

	/**
	 * Remove code that could abuse the admin session through the src/href of
	 * images, video embeds and similar.
	 * - Issue reported by Sangwon Kim
	 *
	 * Matches any element (group 2) whose attribute run (group 3) contains an
	 * on* event handler, or a data/style/background/href/src/dynsrc/lowsrc
	 * attribute followed by "=". The atomic group (?>...) walks over quoted
	 * attribute values so quotes containing ">" do not end the match early; the
	 * run ends at end of string, ">" or the next "<". removeSrcHack() (defined
	 * elsewhere) decides what is kept.
	 */
	$content = preg_replace_callback('@<(/?)([a-z]+[0-9]?)((?>"[^"]*"|\'[^\']*\'|[^>])*?\\b(?:on[a-z]+|data|style|background|href|(?:dyn|low)?src)\\s*=[\\s\\S]*?)(/?)($|>|<)@i', 'removeSrcHack', $content);

	// Both helpers are defined elsewhere; their exact behaviour is not visible
	// here (presumably XMP handling and widget-code blocking, from the names).
	$content = checkXmpTag($content);
	$content = blockWidgetCode($content);

	return $content;
}
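/**
 * Build the anchored PCRE pattern used to match iframe URLs against the
 * configured embed whitelist.
 *
 * Every whitelist entry is passed through preg_quote() before it is joined
 * into the alternation. Without that, "." in "example.com" matched any
 * character (so "exampleXcom" passed) and an entry containing the "%"
 * delimiter or "|" could terminate or extend the pattern. Blank entries are
 * skipped because an empty alternative matches every subject, and an empty
 * (or non-array) list yields a pattern that never matches — fail closed —
 * instead of "%^()%", which matched everything.
 *
 * NOTE(review): the pattern is only anchored at the start. An entry such as
 * "http://host" therefore also matches "http://host.attacker.example/"; how
 * entries are expected to be terminated depends on EmbedFilter's entry format,
 * which is not visible here — confirm before relying on prefix matching.
 *
 * @return string PCRE pattern delimited with "%"
 */
private function _getWhiteDomainRegx()
{
	require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
	$oEmbedFilter = EmbedFilter::getInstance();
	$whiteIframeUrlList = $oEmbedFilter->getWhiteIframeUrlList();

	$quoted = array();
	if (is_array($whiteIframeUrlList)) {
		foreach ($whiteIframeUrlList as $value) {
			$value = trim((string) $value);
			if ($value === '') {
				continue;
			}
			$quoted[] = preg_quote($value, '%');
		}
	}

	if (count($quoted) === 0) {
		// (?!) is an empty negative lookahead and always fails.
		return '%^(?!)%';
	}

	return '%^(' . implode('|', $quoted) . ')%';
}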
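/**
 * Save the embed whitelist (object/embed URLs and iframe URLs) posted from the
 * admin form into the config file and rebuild EmbedFilter's in-memory list.
 *
 * Each textarea is split into one entry per line; whitespace and quotes are
 * stripped from every entry; blank and duplicate entries are dropped. Dropping
 * blanks matters because an empty entry becomes an empty alternative in the
 * whitelist regex built elsewhere and would match every URL.
 *
 * @return Object|void Error Object when the config file cannot be written;
 *                     otherwise redirects (non-XMLRPC/JSON) and returns nothing
 */
function procAdminUpdateEmbedWhitelist()
{
	$vars = Context::getRequestVars();
	$db_info = Context::getDbInfo();

	// Split one entry per line. The separator set {CR, LF, "|"} is the same set
	// the original pattern [\r\n|\r|\n] denoted (a character class, not an
	// alternation), so "|" still acts as a separator rather than a literal.
	$normalize = function ($raw) {
		$clean = array();
		foreach (preg_split("/[\r\n|]+/", (string) $raw) as $entry) {
			$entry = preg_replace("/[\\s\\'\"]+/", '', $entry);
			if ($entry !== '' && !in_array($entry, $clean, true)) {
				$clean[] = $entry;
			}
		}
		return $clean;
	};

	$white_object = $normalize(isset($vars->embed_white_object) ? $vars->embed_white_object : '');
	$white_iframe = $normalize(isset($vars->embed_white_iframe) ? $vars->embed_white_iframe : '');

	$whitelist = new stdClass();
	$whitelist->object = $white_object;
	$whitelist->iframe = $white_iframe;

	// $db_info is the shared config object; makeConfigFile() persists it.
	$db_info->embed_white_object = $white_object;
	$db_info->embed_white_iframe = $white_iframe;

	$oInstallController = getController('install');
	if (!$oInstallController->makeConfigFile()) {
		return new Object(-1, 'msg_invalid_request');
	}

	require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
	$oEmbedFilter = EmbedFilter::getInstance();
	// NOTE(review): underscore-prefixed method called from outside EmbedFilter;
	// presumably internal — confirm it is the intended refresh hook.
	$oEmbedFilter->_makeWhiteDomainList($whitelist);

	if (!in_array(Context::getRequestMethod(), array('XMLRPC', 'JSON'), true)) {
		// NOTE(review): success_return_url comes from the request and is used
		// verbatim as the Location target, which is an open-redirect vector.
		// Validate it before use, e.g. accept only values whose parse_url()
		// host is empty (relative) or equals this site's host.
		$returnUrl = Context::get('success_return_url');
		if (!$returnUrl) {
			$returnUrl = getNotEncodedUrl('', 'act', 'dispAdminConfigGeneral');
		}
		header('location:' . $returnUrl);
		return;
	}
}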
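/**
 * Display the general configuration (settings) page.
 *
 * Populates the template context with language, default URL, site-lock,
 * admin IP, icon, document/module config, embed whitelist and start-module
 * values, then selects the config_general template.
 *
 * Defensive changes: the site-lock whitelist, admin IP list and embed
 * whitelists are coerced to arrays before in_array()/implode() (a missing or
 * null config value previously triggered warnings, and a TypeError on PHP 8),
 * and $pwd is initialised explicitly instead of being read undefined.
 *
 * NOTE(review): $db_info is the shared config object returned by
 * Context::getDBInfo(); the site-lock whitelist edits below mutate it in
 * place for the rest of the request, not just for this page.
 *
 * @return void
 */
function dispAdminConfigGeneral()
{
	Context::loadLang('modules/install/lang');
	$db_info = Context::getDBInfo();
	Context::set('selected_lang', $db_info->lang_type);

	if (strpos($db_info->default_url, 'xn--') !== FALSE) {
		$db_info->default_url = Context::decodeIdna($db_info->default_url);
	}
	Context::set('default_url', $db_info->default_url);
	Context::set('langs', Context::loadLangSupported());

	// site lock
	// NOTE(review): REMOTE_ADDR is the TCP peer; behind a reverse proxy this is
	// the proxy's address, so the auto-added whitelist entry would be the proxy.
	$remote_addr = $_SERVER['REMOTE_ADDR'];
	Context::set('IP', $remote_addr);
	if (!$db_info->sitelock_title) {
		$db_info->sitelock_title = 'Maintenance in progress...';
	}
	// Loopback and the current admin's address are always offered in the
	// whitelist so an admin cannot lock themselves out when enabling site lock.
	$sitelock_whitelist = (array) $db_info->sitelock_whitelist;
	if (!in_array('127.0.0.1', $sitelock_whitelist, true)) {
		$sitelock_whitelist[] = '127.0.0.1';
	}
	if (!in_array($remote_addr, $sitelock_whitelist, true)) {
		$sitelock_whitelist[] = $remote_addr;
	}
	$db_info->sitelock_whitelist = array_unique($sitelock_whitelist);

	Context::set('remote_addr', $remote_addr);
	Context::set('use_sitelock', $db_info->use_sitelock);
	// NOTE(review): sitelock_title is passed unescaped; confirm the template escapes it.
	Context::set('sitelock_title', $db_info->sitelock_title);
	Context::set('sitelock_message', htmlspecialchars($db_info->sitelock_message, ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
	Context::set('sitelock_whitelist', implode("\r\n", $db_info->sitelock_whitelist));

	$admin_ip_list = $db_info->admin_ip_list ? implode("\r\n", (array) $db_info->admin_ip_list) : '';
	Context::set('admin_ip_list', $admin_ip_list);
	Context::set('lang_selected', Context::loadLangSelected());

	// Cache-bust the icon URLs with the request time so a freshly uploaded icon shows up.
	$oAdminModel = getAdminModel('admin');
	$cacheBuster = '?' . $_SERVER['REQUEST_TIME'];
	Context::set('favicon_url', $oAdminModel->getFaviconUrl() . $cacheBuster);
	Context::set('mobicon_url', $oAdminModel->getMobileIconUrl() . $cacheBuster);

	$oDocumentModel = getModel('document');
	$documentConfig = $oDocumentModel->getDocumentConfig();
	Context::set('thumbnail_type', $documentConfig->thumbnail_type);

	$oModuleModel = getModel('module');
	$moduleConfig = $oModuleModel->getModuleConfig('module');
	Context::set('siteTitle', $moduleConfig->siteTitle);
	// htmlFooter is raw HTML by design; encode it for display in the form field.
	Context::set('htmlFooter', htmlspecialchars($moduleConfig->htmlFooter));

	// embed filter
	require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
	$oEmbedFilter = EmbedFilter::getInstance();
	Context::set('embed_white_object', implode(PHP_EOL, (array) $oEmbedFilter->whiteUrlList));
	Context::set('embed_white_iframe', implode(PHP_EOL, (array) $oEmbedFilter->whiteIframeUrlList));

	$columnList = array('modules.mid', 'modules.browser_title', 'sites.index_module_srl');
	$start_module = $oModuleModel->getSiteInfo(0, $columnList);
	Context::set('start_module', $start_module);

	// Nothing in this method populates $pwd; it was previously read undefined.
	// Kept (as null) so a template that references 'pwd' behaves as before.
	$pwd = null;
	Context::set('pwd', $pwd);

	$this->setTemplateFile('config_general');

	$security = new Security();
	$security->encodeHTML('news..', 'released_version', 'download_link', 'selected_lang', 'module_list..', 'module_list..author..', 'addon_list..', 'addon_list..author..', 'start_module.');
}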
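/**
 * Build the anchored PCRE pattern that accepts an iframe URL only when it
 * starts with "http://" or "https://" followed by a whitelisted entry.
 *
 * Entries are preg_quote()d so "." and other metacharacters are literal and
 * the "%" delimiter cannot be escaped. Blank entries are skipped: an empty
 * alternative matches every subject. With no usable entries (or a non-array
 * list) the helper now returns a pattern that never matches, instead of
 * "%^https?://()%", which accepted every http(s) URL.
 *
 * NOTE(review): only the start is anchored, so an entry "host" also matches
 * "https://host.attacker.example/"; whether entries end with "/" depends on
 * EmbedFilter's entry format, which is not visible here.
 *
 * @return string PCRE pattern delimited with "%"
 */
private function _getWhiteDomainRegexp()
{
	$oEmbedFilter = EmbedFilter::getInstance();
	$whiteIframeUrlList = $oEmbedFilter->getWhiteIframeUrlList();

	$whiteDomains = array();
	if (is_array($whiteIframeUrlList)) {
		foreach ($whiteIframeUrlList as $domain) {
			$domain = trim((string) $domain);
			if ($domain === '') {
				continue;
			}
			$whiteDomains[] = preg_quote($domain, '%');
		}
	}

	if (count($whiteDomains) === 0) {
		// (?!) always fails: an empty whitelist admits nothing.
		return '%^(?!)%';
	}

	return '%^https?://(' . implode('|', $whiteDomains) . ')%';
}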
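/**
 * Build the anchored PCRE pattern used to match iframe URLs against the
 * configured embed whitelist.
 *
 * Entries are preg_quote()d so "." and other metacharacters are literal and
 * the "%" delimiter cannot be escaped. Blank entries are skipped because an
 * empty alternative matches every subject, and with no usable entries (or a
 * non-array list) the helper returns a pattern that never matches instead of
 * "%^()%", which matched everything.
 *
 * NOTE(review): only the start is anchored; an entry "http://host" also
 * matches "http://host.attacker.example/". Confirm EmbedFilter's expected
 * entry format before relying on prefix matching.
 *
 * @return string PCRE pattern delimited with "%"
 */
private function _getWhiteDomainRegx()
{
	$oEmbedFilter = EmbedFilter::getInstance();
	$whiteIframeUrlList = $oEmbedFilter->getWhiteIframeUrlList();

	$whiteDomain = array();
	if (is_array($whiteIframeUrlList)) {
		foreach ($whiteIframeUrlList as $value) {
			$value = trim((string) $value);
			if ($value === '') {
				continue;
			}
			$whiteDomain[] = preg_quote($value, '%');
		}
	}

	if (count($whiteDomain) === 0) {
		// (?!) always fails: an empty whitelist admits nothing.
		return '%^(?!)%';
	}

	return '%^(' . implode('|', $whiteDomain) . ')%';
}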
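/**
 * Display the Security Settings page.
 *
 * Exposes the embed-filter whitelists (iframe and object URLs) and the admin
 * IP allow/deny lists as newline-separated text for the form, plus the
 * client's address, then selects the config_security template.
 *
 * The list values are coerced to arrays before implode(): a missing config
 * key or an unset whitelist property would otherwise hand null to implode(),
 * which warns on PHP 7 and throws a TypeError on PHP 8.
 *
 * @return void
 */
function dispAdminConfigSecurity()
{
	// Load embed filter.
	$oEmbedFilter = EmbedFilter::getInstance();
	Context::set('embedfilter_iframe', implode(PHP_EOL, (array) $oEmbedFilter->whiteIframeUrlList));
	Context::set('embedfilter_object', implode(PHP_EOL, (array) $oEmbedFilter->whiteUrlList));

	// Admin IP access control
	$allowed_ip = (array) Rhymix\Framework\Config::get('admin.allow');
	Context::set('admin_allowed_ip', implode(PHP_EOL, $allowed_ip));
	$denied_ip = (array) Rhymix\Framework\Config::get('admin.deny');
	Context::set('admin_denied_ip', implode(PHP_EOL, $denied_ip));

	// RX_CLIENT_IP is the framework's resolved client address (defined elsewhere).
	Context::set('remote_addr', RX_CLIENT_IP);

	$this->setTemplateFile('config_security');
}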