From 96546184dc90316c9e16c8ecb368941b4807d9bc Mon Sep 17 00:00:00 2001
From: Starbeamrainbowlabs
Date: Thu, 2 Sep 2021 21:19:31 +0100
Subject: [PATCH] Implement simple slugify function

I suspect I may have to fix a number of issues here.....
---
 Changelog.md | 2 +-
 core/05-functions.php | 10 ++++++++++
 core/45-environment-deferred.php | 2 +-
 modules/feature-watchlist.php | 4 ++--
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index d4b7a3e..4358c72 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -22,7 +22,7 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t
 ## Fixed
 - [security] Fixed some potential XSS attacks in the page editor
 - [security] Fix stored XSS attack in the wiki name via the first run wizard [CVE-2021-38600](https://github.com/hmaverickadams/CVE-2021-38600); low severity since it requires the site secret to do the initial setup & said initial setup can only be performed once
- - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the `action` GET parameter.
+ - [security] Fix reflected XSS attack (arbitrary code execution in the user's browser) via the `action` & `action=watchlist&return=blah` GET parameters.
 - Fixed a weird bug in the `stats-update` action causing warnings
 - search: Properly apply weightings of matches in page titles and tags
 - Improved error handling on first run where the PHP Zip extension is not installed
diff --git a/core/05-functions.php b/core/05-functions.php
index da4311a..f63bf03 100644
--- a/core/05-functions.php
+++ b/core/05-functions.php
@@ -316,6 +316,16 @@ function makepathsafe($string)
 return $string;
 }
+/**
+ * Slugifies a given string such that it can only contain a-z0-9-_.
+ * Also automatically makes it lowercase.
+ * @param string $text The text to operate on.
+ * @return string The slugified string.
+ */
+function slugify(string $text) : string {
+ return preg_replace("/[^a-zA-Z0-9\-_]", "", $text);
+}
+
 /**
 * Hides an email address from bots. Returns a fragment of HTML that contains the mangled email address.
 * @package core
diff --git a/core/45-environment-deferred.php b/core/45-environment-deferred.php
index ca80bde..fbe1087 100644
--- a/core/45-environment-deferred.php
+++ b/core/45-environment-deferred.php
@@ -28,4 +28,4 @@ if($env->is_history_revision)
 else if(isset($pageindex->{$env->page}))
 $env->page_filename .= $pageindex->{$env->page}->filename;
-$env->action = preg_replace("/[^a-z0-9\-_]/", "", strtolower($_GET["action"]));
+$env->action = slugify($_GET["action"]);
diff --git a/modules/feature-watchlist.php b/modules/feature-watchlist.php
index 7a78272..3995049 100644
--- a/modules/feature-watchlist.php
+++ b/modules/feature-watchlist.php
@@ -5,7 +5,7 @@ register_module([
 "name" => "User watchlists",
- "version" => "0.1.3",
+ "version" => "0.1.4",
 "author" => "Starbeamrainbowlabs",
 "description" => "Adds per-user watchlists. When a page on a user's watchlist is edited, a notification email is sent.",
 "id" => "feature-watchlist",
@@ -145,7 +145,7 @@ register_module([
 http_response_code(401);
 header("x-status: failed");
 header("x-problem: not-logged-in");
- exit(page_renderer::render_main("Not logged in - $settings->sitename", "
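Review bot: The pattern passed to preg_replace in the new slugify, `"/[^a-zA-Z0-9\-_]"`, has no closing `/` delimiter, so preg_replace emits a warning and returns null, and the declared `: string` return type then turns every call into a TypeError. The docblock also promises that the result is lowercased, but the body never lowercases, whereas the preg_replace expression this function replaces at its call site in core/45-environment-deferred.php did wrap the input in strtolower, so that caller silently loses the lowercasing. A body that matches the docblock and keeps the old behaviour is `return preg_replace("/[^a-z0-9\-_]/", "", strtolower($text));`. The neighbouring docblock for the email helper carries a `@package core` tag; the new one should as well.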
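Review bot: `$env->action = slugify($_GET["action"]);` no longer tolerates a request without an `action` query parameter: the old expression passed the undefined index (null) through strtolower and yielded an empty string, while the new one hands null to a non-nullable `string` parameter, which throws a TypeError regardless of strict_types. Unless an earlier core file guarantees that `$_GET["action"]` is set, the call should default it first, e.g. `$env->action = slugify($_GET["action"] ?? "");`. Note too that this line previously lowercased the action before stripping characters, so whether the rest of the dispatch still sees a lowercase action now depends entirely on slugify's implementation and should be confirmed there.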

Only logged in users can have watchlists. Try logging in.

")); + exit(page_renderer::render_main("Not logged in - $settings->sitename", "

Only logged in users can have watchlists. Try logging in.

")); } if(empty($env->user_data->emailAddress)) {