
Images with BBcode (php, preg_replace). Security question

Developer https://www.devze.com 2023-03-10 03:19 Source: web

BBCode question. This:

$text = preg_replace("@\[img\](.*)\[\/img\]@si",
"<img src=\"$1\" border=\"0\" />", $text);

works fine, but at the same time it's a big security problem, for example:

[img]http://www.domain.com/delete-account/[/img]

or

[img]http://www.domain.com/logout/[/img]

Any ideas how to control this so that only image links which end with .jpg are converted into HTML?

[img]http://www.domain.com/image.jpg[/img]

Thanks.


According to the HTTP 1.1 standard, requesting URLs with GET (the method used to acquire images) should not result in any actions, such as logout. Therefore, you don't need to restrict to URLs with a .jpg at the end, and in general it is a bad idea because there are other image formats, and the URL is in general unrelated to its content type.

More to the point, if requesting a URL does change a state of a server vulnerable.net, this Cross Site Request Forgery Vulnerability can be exploited anyway by setting up a custom server that 302-redirects http://evil.com/img.jpg to http://vulnerable.net/logout.

FYI, if you really wanted to replace only URLs ending with .jpg, you can just insert it in the group:

$text = preg_replace("@\[img\](.*\.jpg)\[\/img\]@si",
                     "<img src=\"$1\" border=\"0\" />", $text);

But this is not a security mechanism, and fails if the browser (or an aggressively caching proxy, or a virus scanner, or ...) prefetches URLs. GET requests should not result in any action.
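As an added illustration of the point above (this is example code, not from the original question or answer), here is a stricter converter that hands each [img] match to a callback and validates the URL before emitting a tag. The names bbcode_img_to_html() and is_allowed_image_url() are assumed, as is the usual BBCode pipeline in which the post text has already been passed through htmlspecialchars() before tags are converted, so a URL cannot break out of the src attribute. The extension whitelist is, as the answer says, only a filter on what becomes a tag, not a CSRF defence.

```php
<?php
// Added example, not code from the original post. Hypothetical helper names:
// is_allowed_image_url(), bbcode_img_to_html().

function is_allowed_image_url(string $url): bool
{
    // Reject anything that is not a syntactically valid absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only fetch images over http(s); no other schemes in a src attribute.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Usability filter, as the answer notes: the server may still redirect
    // or serve any content type, so this is not a security boundary.
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'webp'], true);
}

function bbcode_img_to_html(string $escapedText): string
{
    // Assumes $escapedText already went through htmlspecialchars().
    // The URL class excludes brackets and whitespace, so one tag cannot
    // swallow the rest of the post the way the greedy (.*) with /s did.
    return preg_replace_callback(
        '@\[img\]([^\[\]\s]+)\[/img\]@i',
        function (array $m): string {
            $url = $m[1];
            if (!is_allowed_image_url($url)) {
                // Leave the tag as plain text rather than emit an <img>.
                return $m[0];
            }
            return '<img src="' . $url . '" border="0" />';
        },
        $escapedText
    );
}

// Constructed sample inputs (two are taken from the question).
$samples = [
    '[img]http://www.domain.com/image.jpg[/img]',
    '[img]http://www.domain.com/logout/[/img]',
    '[img]http://www.domain.com/photo.png?size=large&v=2[/img]',
];
foreach ($samples as $raw) {
    echo bbcode_img_to_html(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')), PHP_EOL;
}
```

Run as a CLI script, the first and third samples become <img> tags and the /logout/ link is left as text. Escaping the whole post first and converting tags afterwards is what keeps the output safe; the converter itself never re-escapes, so `&` in a query string comes through as `&amp;`, which is the correct encoding inside an attribute.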


One way to think about this problem is also to check on the server side that GET and POST requests are not equivalent.

A POST request can alter data on the server side; a GET request mustn't change anything. That's the HTTP protocol. An IMG tag is a GET request, always. And the browser can perform this GET request without any risk, so the problem is on the server side: every action that can change or alter data (database, session, etc.) must check that the request is a POST one. For example your /post or /delete-account URL should return either a 403 or a 200 code but with a form page, asking for a POST confirmation. If this is wrong in your application, then you'll have problems not only with altered IMG tags, but maybe as well with 'html page speeders' that preload GET references, or even bots.

If you can find a copy of this excellent book you may find some advanced image link problems and filtering tricks. For example links on foreign websites can sometimes be a problem. But this is a problem far more complex than starting by handling GET and POST requests in a convenient way.
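The server-side rule this answer describes, as an added example (not the answerer's code): a /delete-account handler that shows a confirmation form on GET, acts only on POST, and refuses other methods. The function names handle_delete_account(), csrf_token() and delete_account_for() are assumed, the last being a stand-in for the real deletion; the per-session CSRF token goes one step beyond the answer's GET/POST distinction, since a POST can also be forged from another site. Because the redirect trick from the earlier answer still arrives as a GET, this handler is not affected by it.

```php
<?php
// Added example, not code from the original answer. Hypothetical names:
// handle_delete_account(), csrf_token(), delete_account_for().
session_start();

function csrf_token(): string
{
    // One random token per session, compared in constant time below.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function delete_account_for(int $userId): void
{
    // Placeholder for the real deletion; intentionally does nothing here.
}

// Returns [HTTP status, response body] so the decision is easy to test.
function handle_delete_account(string $method, array $post, int $userId): array
{
    switch (strtoupper($method)) {
        case 'GET':
            // What an <img> tag, a prefetching proxy or a crawler sends:
            // render a confirmation form and change nothing.
            $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
            $body = '<form method="post" action="/delete-account">'
                  . '<input type="hidden" name="csrf_token" value="' . $token . '">'
                  . '<button type="submit">Really delete my account</button>'
                  . '</form>';
            return [200, $body];

        case 'POST':
            // Act only when the form's token matches the session's token.
            $sent = $post['csrf_token'] ?? '';
            if (!is_string($sent) || $sent === '' || !hash_equals(csrf_token(), $sent)) {
                return [403, 'Invalid or missing CSRF token'];
            }
            delete_account_for($userId);
            return [200, 'Account deleted'];

        default:
            return [405, 'Method not allowed'];
    }
}

// Wire the handler to the current request.
[$status, $body] = handle_delete_account(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    $_POST,
    (int) ($_SESSION['user_id'] ?? 0)
);
http_response_code($status);
if ($status === 405) {
    header('Allow: GET, POST');
}
echo $body;
```

The same shape applies to /logout and any other state-changing URL: the GET branch is free to be fetched by anything, and the only path that mutates data requires both the POST method and a token the attacker's page cannot read.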

