From 8f13bef538e2696c4d4340bb9eed012752b121e2 Mon Sep 17 00:00:00 2001
From: mcramer <m.cramer@pixcept.de>
Date: Wed, 04 Sep 2013 04:23:04 -0400
Subject: [PATCH] - Implemented strict parsing of language files on import
---
interface/web/admin/language_import.php | 86 ++++++++++++++++++++++++++++++++++++++++++
1 files changed, 85 insertions(+), 1 deletions(-)
diff --git a/interface/web/admin/language_import.php b/interface/web/admin/language_import.php
index 285be11..df3a3f8 100644
--- a/interface/web/admin/language_import.php
+++ b/interface/web/admin/language_import.php
@@ -30,6 +30,86 @@
require_once('../../lib/config.inc.php');
require_once('../../lib/app.inc.php');
+function normalize_string($string, $quote, $allow_special = false) {
+ $escaped = false;
+ $in_string = true;
+ $new_string = '';
+
+ for($c = 0; $c < mb_strlen($string); $c++) {
+ $char = $string{$c};
+
+ if($in_string === true && $escaped === false && $char === $quote) {
+ // this marks a string end (e.g. for concatenation)
+ $in_string = false;
+ continue;
+ } elseif($in_string === false) {
+ if($escaped === false && $char === $quote) {
+ $in_string = true;
+ continue;
+ } else {
+ continue; // we strip everything from outside the string!
+ }
+ }
+
+ if($char === '"' && $escaped === true && $quote === '"') {
+ // unescape this
+ $new_string .= $char;
+ $escaped = false;
+ continue;
+ } elseif($char === "'" && $escaped === false && $quote === '"') {
+ // escape this
+ $new_string .= '\\' . $char;
+ continue;
+ }
+
+ if($escaped === true) {
+ // the next character is the escaped one.
+ if($allow_special === true && ($char === 'n' || $char === 'r' || $char === 't')) {
+ $new_string .= '\' . "\\' . $char . '" . \'';
+ } else {
+ $new_string .= '\\' . $char;
+ }
+ $escaped = false;
+ } else {
+ if($char === '\\') {
+ $escaped = true;
+ } else {
+ $new_string .= $char;
+ }
+ }
+ }
+ return $new_string;
+}
+
+function validate_line($line) {
+ $line = trim($line);
+ if($line === '' || $line === '<?php' || $line === '?>') return $line; // don't treat empty lines as malicious
+
+ $ok = preg_match('/^\s*\$wb\[(["\'])(.*?)\\1\]\s*=\s*(["\'])(.*?)\\3\s*;\s*$/', $line, $matches);
+ if(!$ok) return false; // this line has invalid form and could lead to malfunction
+
+ $keyquote = $matches[1]; // ' or "
+ $key = $matches[2];
+ if(strpos($key, '"') !== false || strpos($key, "'") !== false) return false;
+
+ $textquote = $matches[3]; // ' or "
+ $text = $matches[4];
+
+ $new_line = '$wb[\'';
+
+ // validate the language key
+ $key = normalize_string($key, $keyquote);
+
+ $new_line .= $key . '\'] = \'';
+
+ // validate this text to avoid code injection
+ $text = normalize_string($text, $textquote, true);
+
+ $new_line .= $text . '\';';
+
+ return $new_line;
+}
+
//* Check permissions for module
$app->auth->check_module_permissions('admin');
@@ -58,7 +138,9 @@
$buffer = '';
$langfile_path = '';
// all other lines
+ $ln = 1;
foreach($lines as $line) {
+ $ln++;
$parts = explode('|',$line);
if(is_array($parts) && count($parts) > 0 && $parts[0] == '--') {
// Write language file, if its not the first file
@@ -84,7 +166,9 @@
$langfile_path = trim(ISPC_WEB_PATH.'/'.$module_name.'/lib/lang/'.$file_name);
}
} else {
- $buffer .= trim($line)."\n";
+ $line = validate_line($line);
+ if($line === false) $error .= "Language file contains invalid language entry on line $ln.<br />";
+ else $buffer .= $line."\n";
}
}
}
--
Gitblit v1.9.1