From 058f8a11687f979e597c6f32b1836535ba5b4b88 Mon Sep 17 00:00:00 2001
From: ahaber
Date: Tue, 29 Apr 2014 11:05:23 +0200
Subject: [PATCH 1/4] fixed XSS for non existing bib files
---
 bibtexbrowser.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index e4a1e95..edf2475 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,15 @@ function _zetDB($bibtex_filenames) {
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-
+    $saveBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($bib, PATHINFO_EXTENSION);
+    $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
       // to automate dectection of faulty links with tools such as webcheck
       header('HTTP/1.1 404 Not found');
-      die('the bib file '.$bib.' does not exist !');
+      die('the bib file '.$saveBib.' does not exist !');
     }
   } // end for each
From 0c7bbef30c2745a8d00691b68c751a5e04558862 Mon Sep 17 00:00:00 2001
From: ahaber
Date: Tue, 29 Apr 2014 11:17:12 +0200
Subject: [PATCH 2/4] comment + more reasonable variable name
---
 bibtexbrowser.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index edf2475..2dddb8c 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
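Review bot: The new `$saveBib = htmlEntities($bib, ENT_QUOTES);` line passes neither a charset nor ENT_SUBSTITUTE, so on PHP 5.4 and later (where the call defaults to UTF-8) a `$bib` holding an invalid UTF-8 byte sequence makes `htmlEntities()` return an empty string instead of an escaped name, and the 404 message then reads `the bib file  does not exist !`; on older PHP the encoding used depends on the ini default, which is not visible here. `htmlspecialchars($bib, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` makes the charset explicit and replaces malformed input with U+FFFD while still neutralising `<`, `>`, `&`, `'` and `"` in this HTML sink (ENT_SUBSTITUTE needs PHP >= 5.4, so confirm that is the floor). The same call, renamed, is carried through the later patches of this series, so the point applies to the final state too. The body of `_zetDB` continues outside the hunk.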
@@ -238,15 +238,16 @@ function _zetDB($bibtex_filenames) {
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-    $saveBib = htmlEntities($bib, ENT_QUOTES);
+    // escape $bib to prevent XSS
+    $escapedBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($saveBib, PATHINFO_EXTENSION);
+    $ext = pathinfo($escapedBib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($saveBib) || strcasecmp($ext, 'bib') != 0)) {
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($escapedBib) || strcasecmp($ext, 'bib') != 0)) {
       // to automate dectection of faulty links with tools such as webcheck
       header('HTTP/1.1 404 Not found');
-      die('the bib file '.$saveBib.' does not exist !');
+      die('the bib file '.$escapedBib.' does not exist !');
     }
   } // end for each
From c932e59129e2d8b8fed7eec280ec26eacd3b7aac Mon Sep 17 00:00:00 2001
From: ahaber
Date: Tue, 29 Apr 2014 13:43:13 +0200
Subject: [PATCH 3/4] only escape html output to (theoretical) support special characters in file names
---
 bibtexbrowser.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index 2dddb8c..de82798 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
@@ -238,15 +238,14 @@ function _zetDB($bibtex_filenames) {
   // ---------------------------- HANDLING unexistent files
   foreach(explode(MULTIPLE_BIB_SEPARATOR, $bibtex_filenames) as $bib) {
-    // escape $bib to prevent XSS
-    $escapedBib = htmlEntities($bib, ENT_QUOTES);
     // get file extension to only allow .bib files
-    $ext = pathinfo($escapedBib, PATHINFO_EXTENSION);
+    $ext = pathinfo($bib, PATHINFO_EXTENSION);
     // this is a security protection
-    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($escapedBib) || strcasecmp($ext, 'bib') != 0)) {
-
+    if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
       // to automate dectection of faulty links with tools such as webcheck
       header('HTTP/1.1 404 Not found');
+      // escape $bib to prevent XSS
+      $escapedBib = htmlEntities($bib, ENT_QUOTES);
       die('the bib file '.$escapedBib.' does not exist !');
     }
   } // end for each
From 48b78f5772d9aa7af8d4fb7a0b826b173e9e03e5 Mon Sep 17 00:00:00 2001
From: ahaber
Date: Mon, 5 May 2014 12:29:59 +0200
Subject: [PATCH 4/4] aligned with clean_xss_fix branch
---
 bibtexbrowser.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/bibtexbrowser.php b/bibtexbrowser.php
index de82798..fe4764f 100755
--- a/bibtexbrowser.php
+++ b/bibtexbrowser.php
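Review bot: The restored `if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0))` line still accepts any existing path whose name ends in `.bib`, including `../`-relative and absolute ones, so if `$bib` is request-controlled (the commit subject's XSS framing implies it is) the "local bib only" guard does not actually confine loading to the intended directory. Resolve the path and pin it to the serving directory before trusting it, e.g. `$real = realpath($bib); $base = realpath(__DIR__) . DIRECTORY_SEPARATOR;` and then test `$real === false || strpos($real, $base) !== 0 || strcasecmp($ext, 'bib') != 0` in place of the `file_exists` clause (substitute the directory the `.bib` files are actually served from if it is not the script directory). Whether the same `$bib` string is later opened, and whether subdirectories are meant to be allowed, is outside this hunk, as is the rest of `_zetDB`.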
@@ -242,11 +242,11 @@ function _zetDB($bibtex_filenames) {
     $ext = pathinfo($bib, PATHINFO_EXTENSION);
     // this is a security protection
     if (BIBTEXBROWSER_LOCAL_BIB_ONLY && (!file_exists($bib) || strcasecmp($ext, 'bib') != 0)) {
-      // to automate dectection of faulty links with tools such as webcheck
-      header('HTTP/1.1 404 Not found');
-      // escape $bib to prevent XSS
-      $escapedBib = htmlEntities($bib, ENT_QUOTES);
-      die('the bib file '.$escapedBib.' does not exist !');
+      // to automate dectection of faulty links with tools such as webcheck
+      header('HTTP/1.1 404 Not found');
+      // escape $bib to prevent XSS
+      $escapedBib = htmlEntities($bib, ENT_QUOTES);
+      die('the bib file '.$escapedBib.' does not exist !');
     }
   } // end for each