OPPG-470: Fixed several (potential) security problems

The biggest problem was that no filtering was done on lists because list values wasn't passed by referende through foreach Also made sure lists where lists and keys where numbers Made sure libraries only have library and semantics properties
2013-07-17 11:41:23 +02:00 · 2013-07-17 11:41:23 +02:00 · db388d9a14
parent 46e4d67c06
commit db388d9a14
1 changed files with 24 additions and 1 deletions
--- a/h5p.classes.php
+++ b/h5p.classes.php
@ -1379,8 +1379,16 @@ class H5PContentValidator {
      array_splice($list, $semantics->max);
    }

+    if (!is_array($list)) {
+      $list = array();
+    }
+
    // Validate each element in list.
-    foreach ($list as $key => $value) {
+    foreach ($list as $key => &$value) {
+      if (!is_int($key)) {
+        unset($list[$key]);
+        continue;
+      }
      $this->$function($value, $field);
    }
  }
@ -1508,12 +1516,27 @@ class H5PContentValidator {
        $this->semanticsCache[$value->library] = $librarySemantics;
      }
      $this->validateBySemantics($value->params, $librarySemantics);
+      $this->filterParams($value, array('library', 'params'));
    }
    else {
      $this->h5pF->setErrorMessage($this->h5pF->t('Library used in content is not a valid library according to semantics'));
+      $value = new stdClass();
    }
  }

+  /**
+   * Check params for a whitelist of allowed properties
+   *
+   * @param array/object $params
+   * @param array $whitelist
+   */
+  public function filterParams(&$params, $whitelist) {
+    foreach ($params as $key => $value) {
+      if (!in_array($key, $whitelist)) {
+        unset($params->{$key});
+      }
+    }
+  }

  // XSS filters copied from drupal 7 common.inc. Some modifications done to
  // replace Drupal one-liner functions with corresponding flat PHP.