Fix formatImg() security issue

xiaomlove
2023-07-19 02:32:02 +08:00
parent 61cb2bb6bb
commit 30aae54673
3 changed files with 17 additions and 1 deletions


@@ -1,6 +1,6 @@
<?php
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.8.5');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2023-07-15');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2023-07-19');
defined('IN_TRACKER') || define('IN_TRACKER', false);
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");


@@ -229,6 +229,12 @@ function formatCode($text) {
}
function formatImg($src, $enableImageResizer, $image_max_width, $image_max_height, $imgId = "") {
if (is_danger_url($src)) {
$msg = "[DANGER_URL]: $src";
do_log($msg, "alert");
write_log($msg, "mod");
return "";
}
return addTempCode("<img style=\"max-width: 100%\" id=\"$imgId\" alt=\"image\" src=\"$src\"" .($enableImageResizer ? " onload=\"Scale(this,$image_max_width,$image_max_height);\" onclick=\"Preview(this);\"" : "") . " />");
}
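Review bot: The new is_danger_url() guard is a script-name denylist, but the line after it still interpolates `$src` raw into the `src="..."` attribute, so a `"` or `'` in the value breaks out of the attribute (and can then also reach the generated `onload`/`onclick` handlers); unless a caller is known to have already escaped the value, the function should do it itself before building the tag: `$src = htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` as the first line after the guard. A denylist of file names also cannot cover every same-origin GET endpoint with side effects, so the guard should be documented as defence-in-depth rather than the fix: `// Blocks <img> requests to known state-changing scripts (CSRF-by-image); any GET endpoint with side effects must still verify a token.` Lastly, `$msg` carries the untrusted URL verbatim into the alert and mod logs, so whatever renders those logs must escape it as well.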


@@ -1195,3 +1195,13 @@ function has_role_work_seeding($uid)
return $result;
}
function is_danger_url($url): bool
{
$dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|take.*)\.php/i";
$match = preg_match($dangerScriptsPattern, $url);
if ($match > 0) {
return true;
}
return false;
}
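Review bot: The pattern on the `$dangerScriptsPattern` line is matched against the URL as written, so a percent-encoded dot or letter (for example `logout%2Ephp`) would presumably not match while the web server would still decode it to the blocked script; matching the decoded form too closes that gap: `$decoded = rawurldecode($url);` followed by `return preg_match($dangerScriptsPattern, $url) > 0 || preg_match($dangerScriptsPattern, $decoded) > 0;`. Keeping the `> 0` comparison is right, since `preg_match` returns `false` on a PCRE error and that must not count as a match. The function also deserves a docblock stating its intent and limits, e.g. `/** Heuristic check for URLs that point at state-changing or authentication scripts which must never be fetched via <img>/<a> from user content; it is a name denylist, not a full URL validation. */`, so maintainers do not treat a `false` return as proof the URL is safe.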