From db388d9a147a3ef2ff4aa98dbe8a45be7d9ac2bc Mon Sep 17 00:00:00 2001 From: Svein-Tore Griff With Date: Wed, 17 Jul 2013 11:41:23 +0200 Subject: [PATCH] OPPG-470: Fixed several (potential) security problems The biggest problem was that no filtering was done on lists because list values wasn't passed by referende through foreach Also made sure lists where lists and keys where numbers Made sure libraries only have library and semantics properties --- h5p.classes.php | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/h5p.classes.php b/h5p.classes.php index bd7a331..e15b3a5 100644 --- a/h5p.classes.php +++ b/h5p.classes.php @@ -1379,8 +1379,16 @@ class H5PContentValidator { array_splice($list, $semantics->max); } + if (!is_array($list)) { + $list = array(); + } + // Validate each element in list. - foreach ($list as $key => $value) { + foreach ($list as $key => &$value) { + if (!is_int($key)) { + unset($list[$key]); + continue; + } $this->$function($value, $field); } } @@ -1508,12 +1516,27 @@ class H5PContentValidator { $this->semanticsCache[$value->library] = $librarySemantics; } $this->validateBySemantics($value->params, $librarySemantics); + $this->filterParams($value, array('library', 'params')); } else { $this->h5pF->setErrorMessage($this->h5pF->t('Library used in content is not a valid library according to semantics')); + $value = new stdClass(); } } + /** + * Check params for a whitelist of allowed properties + * + * @param array/object $params + * @param array $whitelist + */ + public function filterParams(&$params, $whitelist) { + foreach ($params as $key => $value) { + if (!in_array($key, $whitelist)) { + unset($params->{$key}); + } + } + } // XSS filters copied from drupal 7 common.inc. Some modifications done to // replace Drupal one-liner functions with corresponding flat PHP.
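Review bot: The new `if (!is_array($list))` guard sits below the context line `array_splice($list, $semantics->max);`, so a non-array value from the content being validated has already been passed to an array function before it is reset. The guard belongs ahead of the first use of `$list`, near the top of the function, which starts outside this hunk. Resetting to `array()` is also silent here, whereas the library branch in the second hunk reports through `setErrorMessage`; a message would make rejected content easier to triage. As hygiene for the by-reference loop, add `unset($value);` after the closing brace of the `foreach` so the reference does not outlive it.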
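Review bot: `in_array($key, $whitelist)` in `filterParams` compares loosely, which is weaker than a property whitelist on untrusted content should be. On PHP before 8 an integer `0` compares equal to any non-numeric string, so if a key ever arrives as an integer it would pass the `array('library', 'params')` whitelist. Use the strict flag: `if (!in_array($key, $whitelist, TRUE)) {`. The docblock also advertises `array/object`, but `unset($params->{$key})` only removes object properties, so either narrow it to `@param object $params` or branch on `is_array($params)` and use `unset($params[$key])`.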