Security issue: Encoding of GUID in itemcache to avoid directory bypassing with a malificious formatted GUID.

This commit is contained in:
Michael Vogel 2014-09-27 12:49:00 +02:00
parent 4ec5974074
commit 459fc2fabd
5 changed files with 7 additions and 5 deletions

View file

@ -1412,7 +1412,7 @@ function item_store($arr,$force_parent = false, $notify = false) {
if (!$deleted) { if (!$deleted) {
// Store the fresh generated item into the cache // Store the fresh generated item into the cache
$cachefile = get_cachefile($arr["guid"]."-".hash("md5", $arr['body'])); $cachefile = get_cachefile(urlencode($arr["guid"])."-".hash("md5", $arr['body']));
if (($cachefile != '') AND !file_exists($cachefile)) { if (($cachefile != '') AND !file_exists($cachefile)) {
$s = prepare_text($arr['body']); $s = prepare_text($arr['body']);

View file

@ -26,7 +26,7 @@ function create_tags_from_item($itemid) {
if ($message["deleted"]) if ($message["deleted"])
return; return;
$cachefile = get_cachefile($message["guid"]."-".hash("md5", $message['body'])); $cachefile = get_cachefile(urlencode($message["guid"])."-".hash("md5", $message['body']));
if (($cachefile != '') AND !file_exists($cachefile)) { if (($cachefile != '') AND !file_exists($cachefile)) {
$s = prepare_text($message['body']); $s = prepare_text($message['body']);

View file

@ -1330,8 +1330,7 @@ function prepare_body(&$item,$attach = false, $preview = false) {
$item['mentions'] = $mentions; $item['mentions'] = $mentions;
//$cachefile = get_cachefile($item["guid"]."-".strtotime($item["edited"])."-".hash("crc32", $item['body'])); $cachefile = get_cachefile(urlencode($item["guid"])."-".hash("md5", $item['body']));
$cachefile = get_cachefile($item["guid"]."-".hash("md5", $item['body']));
if (($cachefile != '')) { if (($cachefile != '')) {
if (file_exists($cachefile)) { if (file_exists($cachefile)) {

View file

@ -807,7 +807,7 @@ function item_post(&$a) {
file_tag_update_pconfig($uid,$categories_old,$categories_new,'category'); file_tag_update_pconfig($uid,$categories_old,$categories_new,'category');
// Store the fresh generated item into the cache // Store the fresh generated item into the cache
$cachefile = get_cachefile($datarray["guid"]."-".hash("md5", $datarray['body'])); $cachefile = get_cachefile(urlencode($datarray["guid"])."-".hash("md5", $datarray['body']));
if (($cachefile != '') AND !file_exists($cachefile)) { if (($cachefile != '') AND !file_exists($cachefile)) {
$s = prepare_text($datarray['body']); $s = prepare_text($datarray['body']);

View file

@ -186,6 +186,9 @@ function parseurl_getsiteinfo($url, $no_guessing = false, $do_oembed = true, $co
case "twitter:image": case "twitter:image":
$siteinfo["image"] = $attr["content"]; $siteinfo["image"] = $attr["content"];
break; break;
case "twitter:image:src":
$siteinfo["image"] = $attr["content"];
break;
case "twitter:card": case "twitter:card":
if (($siteinfo["type"] == "") OR ($attr["content"] == "photo")) if (($siteinfo["type"] == "") OR ($attr["content"] == "photo"))
$siteinfo["type"] = $attr["content"]; $siteinfo["type"] = $attr["content"];