Additional securty fixes

This commit is contained in:
RainLoop Team 2015-11-16 21:51:12 +03:00
parent f2918491d6
commit 007a03b8d4
5 changed files with 35 additions and 20 deletions

View file

@ -865,24 +865,23 @@ class HtmlUtils
$oElement->setAttribute('tabindex', '-1');
}
foreach (array(
'id', 'class',
'contenteditable', 'designmode', 'formaction',
'data-bind', 'data-reactid', 'xmlns', 'srcset',
'data-x-skip-style'
) as $sAttr)
if ($oElement->hasAttributes() && isset($oElement->attributes) && $oElement->attributes)
{
@$oElement->removeAttribute($sAttr);
}
foreach (array(
'load', 'blur', 'error', 'focus', 'formchange', 'change',
'click', 'dblclick', 'keydown', 'keypress', 'keyup',
'mousedown', 'mouseenter', 'mouseleave', 'mousemove', 'mouseout', 'mouseover', 'mouseup',
'move', 'resize', 'resizeend', 'resizestart', 'scroll', 'select', 'submit', 'upload'
) as $sAttr)
{
@$oElement->removeAttribute('on'.$sAttr);
foreach ($oElement->attributes as $oAttr)
{
if ($oAttr && !empty($oAttr->nodeName))
{
$sAttrName = \trim(\strtolower($oAttr->nodeName));
if ('on' === \substr($sAttrName, 0, 2) || in_array($sAttrName, array(
'id', 'class', 'contenteditable', 'designmode', 'formaction',
'data-bind', 'data-reactid', 'xmlns', 'srcset', 'data-x-skip-style',
'fscommand', 'seeksegmenttime'
)))
{
@$oElement->removeAttribute($oAttr->nodeName);
}
}
}
}
if ($oElement->hasAttribute('href'))

View file

@ -9182,7 +9182,8 @@ class Actions
*/
private function mainDefaultResponse($sActionName, $mResult = false, $aAdditionalParams = array())
{
$sActionName = 'Do' === substr($sActionName, 0, 2) ? substr($sActionName, 2) : $sActionName;
$sActionName = 'Do' === \substr($sActionName, 0, 2) ? \substr($sActionName, 2) : $sActionName;
$sActionName = \preg_replace('/[^a-zA-Z0-9_]+/', '', $sActionName);
$aResult = array(
'Action' => $sActionName,

View file

@ -112,6 +112,10 @@ class Api
$sSslCapath = \RainLoop\Api::Config()->Get('ssl', 'capath', '');
\RainLoop\Utils::$CookieDefaultPath = \RainLoop\Api::Config()->Get('labs', 'cookie_default_path', '');
if (\RainLoop\Api::Config()->Get('labs', 'cookie_default_secure', false))
{
\RainLoop\Utils::$CookieDefaultSecure = true;
}
if (!empty($sSslCafile) || !empty($sSslCapath))
{

View file

@ -355,6 +355,7 @@ Enables caching in the system'),
'use_local_proxy_for_external_images' => array(false),
'detect_image_exif_orientation' => array(true),
'cookie_default_path' => array(''),
'cookie_default_secure' => array(false),
'startup_url' => array(''),
'emogrifier' => array(true),
'dev_email' => array(''),

View file

@ -9,6 +9,11 @@ class Utils
*/
static $CookieDefaultPath = '';
/**
* @var bool|null
*/
static $CookieDefaultSecure = null;
static $Cookies = null;
static $RSA = null;
@ -530,7 +535,7 @@ class Utils
return isset(\RainLoop\Utils::$Cookies[$sName]) ? \RainLoop\Utils::$Cookies[$sName] : $mDefault;
}
public static function SetCookie($sName, $sValue = '', $iExpire = 0, $sPath = null, $sDomain = null, $sSecure = null, $bHttpOnly = true)
public static function SetCookie($sName, $sValue = '', $iExpire = 0, $sPath = null, $sDomain = null, $bSecure = null, $bHttpOnly = true)
{
if (null === \RainLoop\Utils::$Cookies)
{
@ -543,8 +548,13 @@ class Utils
$sPath = $sPath && 0 < \strlen($sPath) ? $sPath : null;
}
if (null === $bSecure)
{
$bSecure = \RainLoop\Utils::$CookieDefaultSecure;
}
\RainLoop\Utils::$Cookies[$sName] = $sValue;
@\setcookie($sName, $sValue, $iExpire, $sPath, $sDomain, $sSecure, $bHttpOnly);
@\setcookie($sName, $sValue, $iExpire, $sPath, $sDomain, $bSecure, $bHttpOnly);
}
public static function ClearCookie($sName)