From 80f77a93b5d96cca70dadb4fea40a224d4b387cd Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Thu, 2 Sep 2021 22:50:00 +0100
Subject: [PATCH] feature-comments: fix potential XSS
---
 Changelog.md | 7 +------
 modules/feature-comments.php | 22 +++++++++++-----------
 2 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 2d34a5d..2ec5265 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -22,12 +22,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 ## Fixed
 - [security] Fixed some potential XSS attacks in the page editor
 - [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
- - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the following GET parameters
- - `action`
- - `action=watchlist-edit`: `returnto`, `do`
- - `action=watchlist`: `format`
- - `action=hash`: `string`
- - `action=protect`: `page`
+ - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the many different GET parameters
 - [security] Automatically run page titles through `htmlentities()`
 - Fixed a weird bug in the `stats-update` action causing warnings
 - search: Properly apply weightings of matches in page titles and tags
diff --git a/modules/feature-comments.php b/modules/feature-comments.php
index f6c9811..5c34e10 100644
--- a/modules/feature-comments.php
+++ b/modules/feature-comments.php
@@ -5,7 +5,7 @@ register_module([
 "name" => "Page Comments",
- "version" => "0.3.3",
+ "version" => "0.3.4",
 "author" => "Starbeamrainbowlabs",
 "description" => "Adds threaded comments to the bottom of every page.",
 "id" => "feature-comments",
@@ -58,12 +58,12 @@ register_module([ $message_length = strlen($message); if($message_length < $settings->comment_min_length) { http_response_code(422); - exit(page_renderer::render_main("Error posting comment - $settings->sitename", "

Your comment couldn't be posted because it was too short. $settings->sitename needs at $settings->comment_min_length characters in a comment in order to post it.

")); + exit(page_renderer::render_main("Error posting comment - $settings->sitename", "

Your comment couldn't be posted because it was too short. $settings->sitename needs at ".htmlentities($settings->comment_min_length)." characters in a comment in order to post it.

")); } if($message_length > $settings->comment_max_length) { http_response_code(422); - exit(page_renderer::renderer_main("Error posting comment - $settings->sitename", "

Your comment couldn't be posted because it was too long. $settings->sitenamae can only post comments that are up to $settings->comment_max_length characters in length, and yours was $message_length characters. Try splitting it up into multiple comments! Here's the comment you tried to post:

- ")); + exit(page_renderer::renderer_main("Error posting comment - $settings->sitename", "

Your comment couldn't be posted because it was too long. $settings->sitename can only post comments that are up to ".htmlentities($settings->comment_max_length)." characters in length, and yours was $message_length characters. Try splitting it up into multiple comments! Here's the comment you tried to post:

+ ")); } // Figure out where the comments are stored @@ -92,7 +92,7 @@ register_module([ if($parent_comment === false) { http_response_code(422); exit(page_renderer::render_main("Error posting comment - $settings->sitename", "
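Review bot: The too-long branch still calls `page_renderer::renderer_main(...)` on the new side (the second `exit(` in this hunk) while every other branch in this file calls `page_renderer::render_main(...)`; unless a `renderer_main` method exists elsewhere, an over-length comment will trigger an undefined-method Error instead of the intended 422 page, so the line should read `exit(page_renderer::render_main("Error posting comment - $settings->sitename", "`. The commit corrects the `$settings->sitenamae` typo in the same string, so this is the one remaining slip in that branch. Separately, `$message_length = strlen($message)` counts bytes while both messages talk about characters; `mb_strlen($message)` would make the limit match the wording for non-ASCII comments. The enclosing action handler starts and ends outside the hunk.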

$settings->sitename couldn't post your comment because it couldn't find the parent comment you replied to. It's possible that $settings->admindetails_name, $settings->sitename's administrator, deleted the comment. Here's the comment you tried to post:

- ")); + ")); } $parent_comment->replies[] = $new_comment; @@ -141,7 +141,7 @@ register_module([ http_response_code(307); header("location: ?action=view&page=" . rawurlencode($env->page) . "&commentsuccess=yes#comment-$new_comment->id"); - exit(page_renderer::render_main("Comment posted successfully - $settings->sitename", "

Your comment on $env->page was posted successfully. If your browser doesn't redirect you automagically, please click here to go to the comment you posted on the page you were viewing.

")); + exit(page_renderer::render_main("Comment posted successfully - $settings->sitename", "

Your comment on $env->page_safe was posted successfully. If your browser doesn't redirect you automagically, please click here to go to the comment you posted on the page you were viewing.

")); }); @@ -192,20 +192,20 @@ register_module([ $comment_to_delete = find_comment($comments, $target_id); if($comment_to_delete->username !== $env->user && !$env->is_admin) { http_response_code(401); - exit(page_renderer::render_main("Error - Deleting Comment - $settings->sitename", "
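Review bot: The switch to `$env->page_safe` in the success page assumes that property is an HTML-escaped form of `$env->page`; its definition is not in this diff, so that is an inference, and a short comment at its first use, `// page_safe is the HTML-escaped page name: use it in markup, $env->page in headers and paths`, would record the contract this hunk, the delete handler and the comments-fetch error below now rely on. On the `header("location: ...")` line just above, `$env->page` goes through `rawurlencode()` but `$new_comment->id` is interpolated as-is; if ids are generated server-side that is harmless, but `rawurlencode($new_comment->id)` costs nothing and keeps the fragment well-formed regardless of how ids are produced. The handler body continues outside the hunk.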

You can't delete the comment with the id " . htmlentities($target_id) . " on the page $env->page because you're logged in as " . page_renderer::render_username($env->user) . ", and " . page_renderer::render_username($comment_to_delete->username) . " made that comment. Try Logging out and then logging in again as " . page_renderer::render_username($comment_to_delete->username) . ", or as a moderator or better.")); + exit(page_renderer::render_main("Error - Deleting Comment - $settings->sitename", "

You can't delete the comment with the id " . htmlentities($target_id) . " on the page $env->page_safe because you're logged in as " . page_renderer::render_username($env->user) . ", and " . page_renderer::render_username($comment_to_delete->username) . " made that comment. Try Logging out and then logging in again as " . page_renderer::render_username($comment_to_delete->username) . ", or as a moderator or better.")); } if(!delete_comment($comments, $_GET["delete_id"])) { http_response_code(404); - exit(page_renderer::render_main("Comment not found - Deleting Comment - $settings->sitename", "

The comment with the id " . htmlentities($_GET["delete_id"]) . " on the page $env->page wasn't found. Perhaps it was already deleted?

")); + exit(page_renderer::render_main("Comment not found - Deleting Comment - $settings->sitename", "

The comment with the id " . htmlentities($_GET["delete_id"]) . " on the page $env->page_safe wasn't found. Perhaps it was already deleted?

")); } if(!file_put_contents($comment_filename, json_encode($comments))) { http_response_code(503); - exit(page_renderer::render_main("Server Error - Deleting Comment - $settings->sitename", "

While $settings->sitename was able to delete the comment with the id " . htmlentities($target_id) . " on the page $env->page, it couldn't save the changes back to disk. Please contact " . hide_email($settings->admindetails_email, $settings->admindetails_name) . ", $settings->sitename's local friendly administrator about this issue.

")); + exit(page_renderer::render_main("Server Error - Deleting Comment - $settings->sitename", "

While $settings->sitename was able to delete the comment with the id " . htmlentities($target_id) . " on the page $env->page_safe, it couldn't save the changes back to disk. Please contact " . hide_email($settings->admindetails_email, $settings->admindetails_name) . ", $settings->sitename's local friendly administrator about this issue.

")); } - exit(page_renderer::render_main("Comment Deleted - $settings->sitename", "

The comment with the id " . htmlentities($target_id) . " on the page $env->page has been deleted successfully. Go back to " . htmlentities($env->page) . ".

")); + exit(page_renderer::render_main("Comment Deleted - $settings->sitename", "

The comment with the id " . htmlentities($target_id) . " on the page $env->page_safe has been deleted successfully. Go back to $env->page_safe.

")); }); /** * @api {post} ?action=comments-fetch&page={page_name} Fetch the comments for a page @@ -238,7 +238,7 @@ register_module([ if(!file_exists($comments_filename)) { http_response_code(404); header("content-type: text/plain"); - exit("Error: No comments file was found for the page '$env->page'."); + exit("Error: No comments file was found for the page '$env->page_safe'."); } $comments_data = json_decode(file_get_contents($comments_filename));
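Review bot: `$comment_to_delete->username` is dereferenced on the first line of this hunk before anything checks that `find_comment()` actually found the comment; the post handler earlier in this diff compares the same function's result `=== false`, so an unknown id here would read a property on `false` (a warning and `null` under PHP 8) and fall into the 401 branch with `render_username(null)` rather than the 404 the later `delete_comment()` check intends. Add a guard straight after the lookup, `if($comment_to_delete === false) { http_response_code(404); exit(...); }`, reusing the existing "Comment not found" page, and the ownership branch can then trust the object. That ownership branch also answers 401 for a user who is logged in but is not the author or an admin; 403 is the status that describes that condition. The `delete_comment($comments, $_GET["delete_id"])` call uses the raw GET value while the rest of the handler uses `$target_id`, so passing `$target_id` there keeps the two in step. The handler starts outside the hunk.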
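Review bot: This error is sent after `header("content-type: text/plain")`, so the page name was never interpreted as HTML here and switching to `$env->page_safe` does not close an XSS hole; if `page_safe` is the entity-encoded name, as its use in the HTML pages above suggests, a page called `A & B` will now be printed literally as `A &amp; B` in the plain-text body. Keeping `exit("Error: No comments file was found for the page '$env->page'.");` is the right form for a text/plain response, with escaping reserved for HTML contexts. The `comments-fetch` handler starts outside the hunk.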