/**
 * Pre-block the codes which may be hacking attempts
 *
 * Runs the content through the embed filter and the HTML purifier, then
 * neutralises a fixed list of structural/script tags and hands every tag that
 * carries an event-handler, URL, data or style attribute to removeSrcHack().
 * Both the tag list and the attribute list are denylists: anything not named
 * here passes through unchanged, so this is a last line of defence on
 * untrusted user HTML, not a complete sanitiser.
 *
 * NOTE(review): $oEmbedFilter->check() and purifierHtml() are called without
 * using a return value, so they presumably rewrite $content by reference —
 * confirm in their definitions; if either returns the cleaned string instead,
 * its result is silently dropped here.
 *
 * @param string $content Target content (untrusted HTML from a posting)
 * @return string Content with the matched tags/attributes rewritten
 */
function removeHackTag($content)
{
    require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
    $oEmbedFilter = EmbedFilter::getInstance();
    $oEmbedFilter->check($content);
    purifierHtml($content);
    // change the specific tags to the common texts
    // Only the leading "<" of the listed tags (opening and closing forms,
    // case-insensitive) is replaced with "&lt;", so the tag is rendered as text.
    $content = preg_replace('@<(\\/?(?:html|body|head|title|meta|base|link|script|style|applet)(/*).*?>)@i', '&lt;$1', $content);
    /**
     * Remove codes to abuse the admin session in src by tags of images and video postings
     * - Issue reported by Sangwon Kim
     */
    // Any tag whose attribute list contains on*, data, style, background, href
    // or (dyn|low)src is passed to removeSrcHack(); what that callback keeps
    // or strips is not visible in this file.
    $content = preg_replace_callback('@<(/?)([a-z]+[0-9]?)((?>"[^"]*"|\'[^\']*\'|[^>])*?\\b(?:on[a-z]+|data|style|background|href|(?:dyn|low)?src)\\s*=[\\s\\S]*?)(/?)($|>|<)@i', 'removeSrcHack', $content);
    $content = checkXmpTag($content);
    $content = blockWidgetCode($content);
    return $content;
}
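 /**
  * Build the regex used to test an iframe URL against the embed whitelist.
  *
  * Each whitelist entry is escaped with preg_quote() before it is joined into
  * the alternation. Previously entries were interpolated verbatim, so the "."
  * in "youtube.com" matched any character, and an entry containing a regex
  * metacharacter ("(", "|", "+", "%" ...) could either break the whole pattern
  * or widen it. A match must now end at a URL delimiter ("/", ":", "?", "#" or
  * end of string), or directly after a "/" that belongs to the entry itself, so
  * an entry "youtube.com" no longer accepts "youtube.com.attacker.example".
  *
  * An empty or all-blank whitelist used to yield "%^()%", which matches every
  * string; it now yields a pattern that never matches (fail closed).
  *
  * @return string PCRE pattern with "%" delimiters
  */
 private function _getWhiteDomainRegx()
 {
     require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
     $oEmbedFilter = EmbedFilter::getInstance();
     $whiteIframeUrlList = $oEmbedFilter->getWhiteIframeUrlList();
     $quoted = array();
     if (is_array($whiteIframeUrlList)) {
         foreach ($whiteIframeUrlList as $entry) {
             $entry = trim((string) $entry);
             if ($entry === '') {
                 // An empty alternative would match everything.
                 continue;
             }
             $quoted[] = preg_quote($entry, '%');
         }
     }
     if (!$quoted) {
         // (?!) always fails: nothing whitelisted means nothing allowed.
         return '%^(?!)%';
     }
     // (?<=/) lets an entry ending in "/" match a longer path under it; otherwise
     // the character after the entry must be a delimiter or the end of the subject.
     return '%^(' . implode('|', $quoted) . ')(?:(?<=/)|(?=[/:?#]|$))%';
 }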
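 /**
  * Admin action: save the embed whitelist (object/embed URLs and iframe URLs).
  *
  * Both textareas arrive as raw request strings, one entry per line. They are
  * split on line breaks, stripped of all whitespace and quote characters,
  * de-duplicated, written to the config file and pushed into the running
  * EmbedFilter instance.
  *
  * Fixes over the previous version:
  *  - the line-split pattern was "[\r\n|\r|\n]+", a character class that also
  *    contained "|", so a "|" inside an entry split that entry in two;
  *  - blank lines (for example a trailing newline in the textarea) produced an
  *    empty entry; an empty entry becomes an empty alternative in the whitelist
  *    regex and therefore matches every URL. Empty entries are now dropped and
  *    the lists are re-indexed.
  *
  * @return Object|void Object(-1, 'msg_invalid_request') when the config file
  *                     cannot be written; otherwise redirects (non-API request)
  *                     or returns nothing (XMLRPC/JSON).
  */
 function procAdminUpdateEmbedWhitelist()
 {
     $vars = Context::getRequestVars();
     $db_info = Context::getDbInfo();

     // Normalise one textarea into a de-duplicated list of non-empty entries.
     $parseList = function ($raw) {
         $lines = preg_split('/[\r\n]+/', (string) $raw);
         $entries = array();
         foreach ($lines as $line) {
             $line = preg_replace("/[\\s\\'\"]+/", '', $line);
             if ($line !== '' && !in_array($line, $entries, true)) {
                 $entries[] = $line;
             }
         }
         return $entries;
     };

     $white_object = $parseList(isset($vars->embed_white_object) ? $vars->embed_white_object : '');
     $white_iframe = $parseList(isset($vars->embed_white_iframe) ? $vars->embed_white_iframe : '');

     $whitelist = new stdClass();
     $whitelist->object = $white_object;
     $whitelist->iframe = $white_iframe;
     // makeConfigFile() presumably reads the lists back from the shared db_info
     // object, which is why they are assigned before the call.
     $db_info->embed_white_object = $white_object;
     $db_info->embed_white_iframe = $white_iframe;
     $oInstallController = getController('install');
     if (!$oInstallController->makeConfigFile()) {
         return new Object(-1, 'msg_invalid_request');
     }
     require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
     $oEmbedFilter = EmbedFilter::getInstance();
     $oEmbedFilter->_makeWhiteDomainList($whitelist);
     if (!in_array(Context::getRequestMethod(), array('XMLRPC', 'JSON'), true)) {
         // NOTE(review): success_return_url is taken from the request, so the
         // redirect target is attacker-influenced; confirm the framework limits
         // it to same-site URLs (common XE pattern, not validated here).
         $returnUrl = Context::get('success_return_url');
         if (!$returnUrl) {
             $returnUrl = getNotEncodedUrl('', 'act', 'dispAdminConfigGeneral');
         }
         header('location:' . $returnUrl);
         return;
     }
 }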
 /**
  * Display Configuration(settings) page
  *
  * Collects the general settings (language, default URL, site lock, admin IP
  * list, icons, thumbnail type, site title/footer, embed whitelists, start
  * module) into the template context and renders 'config_general'.
  *
  * NOTE(review): $_SERVER['REMOTE_ADDR'] is used as "the admin's IP" in three
  * places; behind a reverse proxy this is the proxy's address, so the IP that
  * is auto-added to the site-lock whitelist may not be the admin's real one.
  * NOTE(review): $pwd is never assigned in this method, so Context::set('pwd',
  * $pwd) passes an undefined variable unless it is defined elsewhere.
  *
  * @return void
  */
 function dispAdminConfigGeneral()
 {
     Context::loadLang('modules/install/lang');
     $db_info = Context::getDBInfo();
     Context::set('selected_lang', $db_info->lang_type);
     // Show the decoded (Unicode) form of a punycode default URL.
     if (strpos($db_info->default_url, 'xn--') !== FALSE) {
         $db_info->default_url = Context::decodeIdna($db_info->default_url);
     }
     Context::set('default_url', $db_info->default_url);
     Context::set('langs', Context::loadLangSupported());
     // site lock
     Context::set('IP', $_SERVER['REMOTE_ADDR']);
     if (!$db_info->sitelock_title) {
         $db_info->sitelock_title = 'Maintenance in progress...';
     }
     // Loopback and the current client are always appended to the displayed
     // whitelist (presumably so the admin cannot lock themselves out — verify
     // the save path applies the same rule).
     // NOTE(review): sitelock_whitelist is assumed to be an array; in_array()
     // on null warns on PHP 7 and throws TypeError on PHP 8.
     if (!in_array('127.0.0.1', $db_info->sitelock_whitelist)) {
         $db_info->sitelock_whitelist[] = '127.0.0.1';
     }
     if (!in_array($_SERVER['REMOTE_ADDR'], $db_info->sitelock_whitelist)) {
         $db_info->sitelock_whitelist[] = $_SERVER['REMOTE_ADDR'];
     }
     $db_info->sitelock_whitelist = array_unique($db_info->sitelock_whitelist);
     Context::set('remote_addr', $_SERVER['REMOTE_ADDR']);
     Context::set('use_sitelock', $db_info->use_sitelock);
     Context::set('sitelock_title', $db_info->sitelock_title);
     // double_encode=false: entities already stored in the message are not
     // encoded a second time.
     Context::set('sitelock_message', htmlspecialchars($db_info->sitelock_message, ENT_COMPAT | ENT_HTML401, 'UTF-8', false));
     // Lists are handed to the template newline-separated for textarea editing.
     $whitelist = implode("\r\n", $db_info->sitelock_whitelist);
     Context::set('sitelock_whitelist', $whitelist);
     if ($db_info->admin_ip_list) {
         $admin_ip_list = implode("\r\n", $db_info->admin_ip_list);
     } else {
         $admin_ip_list = '';
     }
     Context::set('admin_ip_list', $admin_ip_list);
     Context::set('lang_selected', Context::loadLangSelected());
     $oAdminModel = getAdminModel('admin');
     $favicon_url = $oAdminModel->getFaviconUrl();
     $mobicon_url = $oAdminModel->getMobileIconUrl();
     // REQUEST_TIME is appended as a query string, presumably as a cache-buster
     // so a freshly uploaded icon is shown immediately.
     Context::set('favicon_url', $favicon_url . '?' . $_SERVER['REQUEST_TIME']);
     Context::set('mobicon_url', $mobicon_url . '?' . $_SERVER['REQUEST_TIME']);
     $oDocumentModel = getModel('document');
     $config = $oDocumentModel->getDocumentConfig();
     Context::set('thumbnail_type', $config->thumbnail_type);
     $oModuleModel = getModel('module');
     $config = $oModuleModel->getModuleConfig('module');
     Context::set('siteTitle', $config->siteTitle);
     // Default flags (ENT_COMPAT): double quotes are escaped, single quotes are not.
     Context::set('htmlFooter', htmlspecialchars($config->htmlFooter));
     // embed filter
     // Read straight from the EmbedFilter public properties (no accessor).
     require_once _XE_PATH_ . 'classes/security/EmbedFilter.class.php';
     $oEmbedFilter = EmbedFilter::getInstance();
     context::set('embed_white_object', implode(PHP_EOL, $oEmbedFilter->whiteUrlList));
     context::set('embed_white_iframe', implode(PHP_EOL, $oEmbedFilter->whiteIframeUrlList));
     $columnList = array('modules.mid', 'modules.browser_title', 'sites.index_module_srl');
     $start_module = $oModuleModel->getSiteInfo(0, $columnList);
     Context::set('start_module', $start_module);
     // NOTE(review): $pwd is not defined anywhere in this method.
     Context::set('pwd', $pwd);
     $this->setTemplateFile('config_general');
     // encodeHTML() presumably HTML-escapes the listed context keys before
     // output. sitelock_whitelist, admin_ip_list and the two embed lists are not
     // in the list — confirm the template escapes them itself.
     $security = new Security();
     $security->encodeHTML('news..', 'released_version', 'download_link', 'selected_lang', 'module_list..', 'module_list..author..', 'addon_list..', 'addon_list..author..', 'start_module.');
 }
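 /**
  * Build the regex that decides whether an iframe URL is on the embed whitelist.
  *
  * Entries are preg_quote()d and joined into an alternation anchored right
  * after the URL scheme. The alternation is followed by a boundary assertion:
  * the match must stop at a URL delimiter ("/", ":", "?", "#" or end of
  * string) unless the entry itself ends in "/". Without it the pattern was a
  * plain prefix test, so "^https?://(youtube\.com)" also accepted
  * "https://youtube.com.attacker.example/" and "https://youtube.com@attacker.example/".
  *
  * An empty or all-blank whitelist previously produced "^https?://()", which
  * matches every http(s) URL; it now produces a pattern that never matches.
  *
  * @return string PCRE pattern with "%" delimiters
  */
 private function _getWhiteDomainRegexp()
 {
     $oEmbedFilter = EmbedFilter::getInstance();
     $whiteIframeUrlList = $oEmbedFilter->getWhiteIframeUrlList();
     $whiteDomains = array();
     // (array) cast: a missing/null list must not blow up the foreach.
     foreach ((array) $whiteIframeUrlList as $domain) {
         $domain = trim((string) $domain);
         if ($domain === '') {
             continue; // an empty alternative would match everything
         }
         $whiteDomains[] = preg_quote($domain, '%');
     }
     if (!$whiteDomains) {
         return '%^(?!)%'; // (?!) never matches: fail closed
     }
     return '%^https?://(' . implode('|', $whiteDomains) . ')(?:(?<=/)|(?=[/:?#]|$))%';
 }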
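 /**
  * Build the regex used to test an iframe URL against the embed whitelist.
  *
  * Entries are preg_quote()d and joined into an alternation anchored at the
  * start of the subject. A boundary assertion follows the alternation: the
  * match must end at a URL delimiter ("/", ":", "?", "#" or end of string), or
  * directly after a "/" that belongs to the entry itself. Without it the
  * pattern was a plain prefix test, so an entry "youtube.com" also accepted
  * "youtube.com.attacker.example".
  *
  * An empty or all-blank whitelist previously produced "%^()%", which matches
  * every string; it now produces a pattern that never matches (fail closed).
  *
  * @return string PCRE pattern with "%" delimiters
  */
 private function _getWhiteDomainRegx()
 {
     $oEmbedFilter = EmbedFilter::getInstance();
     $whiteIframeUrlList = $oEmbedFilter->getWhiteIframeUrlList();
     $whiteDomain = array();
     // (array) cast: a missing/null list must not blow up the foreach.
     foreach ((array) $whiteIframeUrlList as $value) {
         $value = trim((string) $value);
         if ($value === '') {
             continue; // an empty alternative would match everything
         }
         $whiteDomain[] = preg_quote($value, '%');
     }
     if (!$whiteDomain) {
         return '%^(?!)%'; // (?!) never matches: fail closed
     }
     $whiteDomainRegex = '%^(' . implode('|', $whiteDomain) . ')(?:(?<=/)|(?=[/:?#]|$))%';
     return $whiteDomainRegex;
 }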
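 /**
  * Display Security Settings page
  *
  * Exposes the embed whitelists and the admin IP allow/deny lists to the
  * template as newline-separated text. Every list is cast to an array before
  * implode(): Config::get() and the EmbedFilter list properties can be null
  * when nothing has been configured yet, and implode(PHP_EOL, null) warns on
  * PHP 7 and throws a TypeError on PHP 8.
  *
  * @return void
  */
 function dispAdminConfigSecurity()
 {
     // Load embed filter.
     $oEmbedFilter = EmbedFilter::getInstance();
     context::set('embedfilter_iframe', implode(PHP_EOL, (array) $oEmbedFilter->whiteIframeUrlList));
     context::set('embedfilter_object', implode(PHP_EOL, (array) $oEmbedFilter->whiteUrlList));
     // Admin IP access control
     $allowed_ip = (array) Rhymix\Framework\Config::get('admin.allow');
     Context::set('admin_allowed_ip', implode(PHP_EOL, $allowed_ip));
     $denied_ip = (array) Rhymix\Framework\Config::get('admin.deny');
     Context::set('admin_denied_ip', implode(PHP_EOL, $denied_ip));
     // NOTE(review): RX_CLIENT_IP is the framework's resolved client address;
     // how it treats proxy headers is not visible here. It is shown presumably
     // so the admin can check the IP rules before locking themselves out.
     Context::set('remote_addr', RX_CLIENT_IP);
     $this->setTemplateFile('config_security');
 }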