From: <se...@us...> - 2008-07-30 12:54:21
Revision: 13961 http://tikiwiki.svn.sourceforge.net/tikiwiki/?rev=13961&view=rev Author: sept_7 Date: 2008-07-30 12:54:29 +0000 (Wed, 30 Jul 2008) Log Message: ----------- [ENH] : minimize the call to preg_replace and calculate search pattern only once where applicable. Modified Paths: -------------- branches/2.0/lib/setup/sanitization.php Modified: branches/2.0/lib/setup/sanitization.php =================================================================== --- branches/2.0/lib/setup/sanitization.php 2008-07-30 09:46:18 UTC (rev 13960) +++ branches/2.0/lib/setup/sanitization.php 2008-07-30 12:54:29 UTC (rev 13961) 
@@ -1,36 +1,51 @@ <?php +// $Id: compatibility.php 13491 2008-07-10 09:20:32Z lphuberdeau $ +// Copyright (c) 2002-2007, Luis Argerich, Garland Foster, Eduardo Polidor, +// et. al. All Rights Reserved. +// See copyright.txt for details and a complete list of authors. +// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. +// See license.txt for details. -// $Id: compatibility.php 13491 2008-07-10 09:20:32Z lphuberdeau $ -// Copyright (c) 2002-2007, Luis Argerich, Garland Foster, Eduardo Polidor, et. al. -// All Rights Reserved. See copyright.txt for details and a complete list of authors. -// Licensed under the GNU LESSER GENERAL PUBLIC LICENSE. See license.txt for -// details. $access->check_script($_SERVER["SCRIPT_NAME"],basename(__FILE__)); -/* RemoveXSS initially developped by kallahar - quickwired.com, modified for TikiWiki - * Original code can be found here: http://quickwired.com/smallprojects/php_xss_filter_function.php +/* RemoveXSS initially developped by kallahar - quickwired.com, + * modified for TikiWiki Original code can be found here: + * http://quickwired.com/smallprojects/php_xss_filter_function.php */ function RemoveXSS($val) { - // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed - // this prevents some character re-spacing such as <java\0script> - // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs - $val = preg_replace(array('/([\x00-\x08])/','/([\x0b-\x0c])/','/([\x0e-\x19])/'), '', $val); + static $patterns = NULL; + static $replacements = NULL; + // remove all non-printable characters. 
CR(0a) and LF(0b) and TAB(9) are + // allowed this prevents some character re-spacing such as <java\0script> + // note that you have to handle splits with \n, \r, and \t later since they + // *are* allowed in some inputs + $val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val); - // straight replacements, the user should never need these since they're normal characters - // this prevents like <IMG SRC=@avascript:alert('XSS')> - $search = 'abcdefghijklmnopqrstuvwxyz'; - $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; - $search .= '1234567890!@#$%^&*()'; - $search .= '~`";:?+/={}[]-_|\'\\'; - for ($i = 0; $i < strlen($search); $i++) { - // ;? matches the ;, which is optional - // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars - - // @ @ search for the hex values - $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; - // @ @ 0{0,7} matches '0' zero to seven times - $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; + // straight replacements, the user should never need these since they're + // normal characters this prevents like + // <IMG SRC=@avascript:alert('XSS')> + // Calculate the search and replace patterns only once + if ($patterns == NULL or $replacements == NULL) { + $search = 'abcdefghijklmnopqrstuvwxyz'; + $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; + $search .= '1234567890!@#$%^&*()'; + $search .= '~`";:?+/={}[]-_|\'\\'; + $patterns = array(); + $replacements = array(); + for ($i = 0; $i < strlen($search); $i++) { + // ;? 
matches the ;, which is optional + // 0{0,7} matches any padded zeros, + // which are optional and go up to 8 chars + // @ @ search for the hex values + $patterns[] = '/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i'; + $replacements[] = $search[$i]; + // @ @ 0{0,7} matches '0' zero to seven times + // with a ; + $patterns[] = '/(�{0,8}'.ord($search[$i]).';?)/'; + $replacements[] = $search[$i]; + } } + $val = preg_replace($patterns, $replacements, $val); // now the only remaining whitespace attacks are \t, \n, and \r $ra_as_tag_only = array('style', 'script', 'embed', 'object', 'applet', 'meta', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'base'); @@ -53,6 +68,8 @@ function RemoveXSSregexp(&$ra, &$val, $prefix = '', $suffix = '', $allow_spaces = false) { $val_before = $val; $found = true; + $patterns = array(); + $replacements = array(); $pattern_sep = '(' . '(&#[xX]0{0,8}([9ab]);)' @@ -89,12 +106,16 @@ } $pattern .= $pattern_end; $replacement = ( $prefix != '' ) ? '\\1' : ''; - $replacement .= substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag - $val = preg_replace($pattern, $replacement.$replacement_end, $val); // filter out the hex tags - if ($val_before == $val) { - // no replacements were made, so exit the loop - $found = false; - } + // add in <> to nerf the tag + $replacement .= substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); + $patterns[] = $pattern; + $replacements[] = $replacement.$replacement_end; } + // filter out the hex tags + $val = preg_replace($patterns, $replacements, $val); + if ($val_before == $val) { + // no replacements were made, so exit the loop + $found = false; + } return $found; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
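Review bot: The cache guard `if ($patterns == NULL or $replacements == NULL)` in RemoveXSS relies on a loose comparison, under which an empty array also equals NULL; it works here only because both arrays are filled in the same branch on the first call, and `if ($patterns === null || $replacements === null)` states the intent exactly while avoiding the low-precedence `or` should the condition ever be combined with an assignment. The reflowed comment above the first preg_replace still mislabels the control characters: the class `[\x00-\x08\x0b-\x0c\x0e-\x19]` keeps TAB (0x09), LF (0x0a) and CR (0x0d) and strips VT (0x0b) and FF (0x0c), so it should read `// TAB(09), LF(0a) and CR(0d) are allowed`. Likewise the loop comment says `0{0,7}` while both patterns use `0{0,8}`; align the comment with the pattern it describes. The decimal-entity pattern appears garbled in this rendering (`�{0,8}`), so its exact text cannot be verified from the page. RemoveXSS continues past the end of this hunk.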
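Review bot: The batched call `$val = preg_replace($patterns, $replacements, $val);` in RemoveXSSregexp does not check for the NULL that preg_replace returns on a PCRE error (for instance the backtrack limit being hit on a long input against these alternation-heavy patterns); because `$val` is a by-reference parameter, that NULL would be handed straight back to the caller, and `$val_before == $val` would then report "no replacements" so the sanitizer ends with the value silently lost. Check the result before it is used, e.g. `if ($val === null) { trigger_error('RemoveXSSregexp: preg_replace failed, code '.preg_last_error(), E_USER_ERROR); }`, so the filter fails closed instead of passing a NULL through. The change-detection line should also compare strictly, `if ($val_before === $val) {`, since `==` on two numeric-looking strings compares them as numbers rather than as text. The function's signature and the loop over `$ra` lie outside this hunk.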