From e4fa310d38a5b65602efd55e09cbe2e19ab627c3 Mon Sep 17 00:00:00 2001 From: Firesun Date: Sat, 18 Feb 2017 17:07:32 +0800 Subject: [PATCH] =?UTF-8?q?Version=203.5.1=201.=20=E5=8D=87=E7=BA=A7PHPMai?= =?UTF-8?q?ler=E8=87=B35.2.22=202.=20=E5=AE=89=E8=A3=85=E5=90=8E=E5=88=A0?= =?UTF-8?q?=E9=99=A4=E6=97=A0=E7=94=A8=E6=96=87=E4=BB=B6=203.=20=E5=BC=80?= =?UTF-8?q?=E5=90=AFX-Frame-Options=EF=BC=8CX-Content-Type-Options=204.=20?= =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E4=B8=80=E7=B3=BB=E5=88=97bug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Todo 修复jqxgrid的一些问题 --- PHPMailer/VERSION | 2 +- PHPMailer/class.phpmailer.php | 86 +++++++++++++++++++++++++++------ PHPMailer/class.pop3.php | 2 +- PHPMailer/class.smtp.php | 4 +- PHPMailer/extras/htmlfilter.php | 6 +-- auth.php | 4 +- install.php | 33 ++++++++++--- login.php | 8 +-- waf.php | 7 +++ 9 files changed, 115 insertions(+), 37 deletions(-) create mode 100644 waf.php diff --git a/PHPMailer/VERSION b/PHPMailer/VERSION index 1c26b6f..07b2657 100644 --- a/PHPMailer/VERSION +++ b/PHPMailer/VERSION @@ -1 +1 @@ -5.2.19 \ No newline at end of file +5.2.22 diff --git a/PHPMailer/class.phpmailer.php b/PHPMailer/class.phpmailer.php index 6afcf9a..477ee82 100644 --- a/PHPMailer/class.phpmailer.php +++ b/PHPMailer/class.phpmailer.php @@ -31,7 +31,7 @@ class PHPMailer * The PHPMailer Version number. * @var string */ - public $Version = '5.2.19'; + public $Version = '5.2.22'; /** * Email priority. 
@@ -1364,19 +1364,24 @@ class PHPMailer */ protected function sendmailSend($header, $body) { - if (!empty($this->Sender)) { + // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. + if (!empty($this->Sender) and self::isShellSafe($this->Sender)) { if ($this->Mailer == 'qmail') { - $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); + $sendmailFmt = '%s -f%s'; } else { - $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); + $sendmailFmt = '%s -oi -f%s -t'; } } else { if ($this->Mailer == 'qmail') { - $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail)); + $sendmailFmt = '%s'; } else { - $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail)); + $sendmailFmt = '%s -oi -t'; } } + + // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing. + $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender); + if ($this->SingleTo) { foreach ($this->SingleToArray as $toAddr) { if (!@$mail = popen($sendmail, 'w')) { 
@@ -1422,6 +1427,40 @@ class PHPMailer return true; } + /** + * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters. + * + * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows. + * @param string $string The string to be validated + * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report + * @access protected + * @return boolean + */ + protected static function isShellSafe($string) + { + // Future-proof + if (escapeshellcmd($string) !== $string + or !in_array(escapeshellarg($string), array("'$string'", "\"$string\"")) + ) { + return false; + } + + $length = strlen($string); + + for ($i = 0; $i < $length; $i++) { + $c = $string[$i]; + + // All other characters have a special meaning in at least one common shell, including = and +. + // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here. + // Note that this does permit non-Latin alphanumeric characters based on the current locale. + if (!ctype_alnum($c) && strpos('@_-.', $c) === false) { + return false; + } + } + + return true; + } + /** * Send mail using the PHP mail() function. * @param string $header The message headers @@ -1442,7 +1481,10 @@ class PHPMailer $params = null; //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver if (!empty($this->Sender) and $this->validateAddress($this->Sender)) { - $params = sprintf('-f%s', escapeshellarg($this->Sender)); + // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. + if (self::isShellSafe($this->Sender)) { + $params = sprintf('-f%s', $this->Sender); + } } if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) { $old_from = ini_get('sendmail_from'); 
@@ -2450,6 +2492,7 @@ class PHPMailer /** * Add an attachment from a path on the filesystem. + * Never use a user-supplied path to a file! * Returns false if the file could not be found or read. * @param string $path Path to the attachment. * @param string $name Overrides the attachment name. @@ -2975,6 +3018,7 @@ class PHPMailer * displayed inline with the message, not just attached for download. * This is used in HTML messages that embed the images * the HTML refers to using the $cid value. + * Never use a user-supplied path to a file! * @param string $path Path to the attachment. * @param string $cid Content ID of the attachment; Use this to reference * the content when using an embedded image in HTML. @@ -3338,12 +3382,14 @@ class PHPMailer * Create a message body from an HTML string. * Automatically inlines images and creates a plain-text version by converting the HTML, * overwriting any existing values in Body and AltBody. - * $basedir is used when handling relative image paths, e.g. + * Do not source $message content from user input! + * $basedir is prepended when handling relative URLs, e.g. and must not be empty * will look for an image file in $basedir/images/a.png and convert it to inline. - * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself. + * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email) + * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly. * @access public * @param string $message HTML message string - * @param string $basedir base directory for relative paths to images + * @param string $basedir Absolute path to a base directory to prepend to relative paths to images * @param boolean|callable $advanced Whether to use the internal HTML to text converter * or your own custom converter @see PHPMailer::html2text() * @return string $message The transformed message Body 
@@ -3352,6 +3398,10 @@ class PHPMailer { preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images); if (array_key_exists(2, $images)) { + if (strlen($basedir) > 1 && substr($basedir, -1) != '/') { + // Ensure $basedir has a trailing / + $basedir .= '/'; + } foreach ($images[2] as $imgindex => $url) { // Convert data URIs into embedded images if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) { @@ -3369,18 +3419,24 @@ class PHPMailer $message ); } - } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) { - // Do not change urls for absolute images (thanks to corvuscorax) + continue; + } + if ( + // Only process relative URLs if a basedir is provided (i.e. no absolute local paths) + !empty($basedir) + // Ignore URLs containing parent dir traversal (..) + && (strpos($url, '..') === false) // Do not change urls that are already inline images + && substr($url, 0, 4) !== 'cid:' + // Do not change absolute URLs, including anonymous protocol + && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url) + ) { $filename = basename($url); $directory = dirname($url); if ($directory == '.') { $directory = ''; } $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2 - if (strlen($basedir) > 1 && substr($basedir, -1) != '/') { - $basedir .= '/'; - } if (strlen($directory) > 1 && substr($directory, -1) != '/') { $directory .= '/'; } diff --git a/PHPMailer/class.pop3.php b/PHPMailer/class.pop3.php index 32d614b..f10e688 100644 --- a/PHPMailer/class.pop3.php +++ b/PHPMailer/class.pop3.php @@ -34,7 +34,7 @@ class POP3 * @var string * @access public */ - public $Version = '5.2.19'; + public $Version = '5.2.22'; /** * Default POP3 port number. diff --git a/PHPMailer/class.smtp.php b/PHPMailer/class.smtp.php index 04ced65..8932117 100644 --- a/PHPMailer/class.smtp.php +++ b/PHPMailer/class.smtp.php 
@@ -30,7 +30,7 @@ class SMTP * The PHPMailer SMTP version number. * @var string */ - const VERSION = '5.2.19'; + const VERSION = '5.2.22'; /** * SMTP line break constant. @@ -81,7 +81,7 @@ class SMTP * @deprecated Use the `VERSION` constant instead * @see SMTP::VERSION */ - public $Version = '5.2.19'; + public $Version = '5.2.22'; /** * SMTP server port number. diff --git a/PHPMailer/extras/htmlfilter.php b/PHPMailer/extras/htmlfilter.php index 7727487..a86ef57 100644 --- a/PHPMailer/extras/htmlfilter.php +++ b/PHPMailer/extras/htmlfilter.php @@ -433,7 +433,7 @@ function tln_getnxtag($body, $offset) * * @param string $attvalue the by-ref value to check. * @param string $regex the regular expression to check against. - * @param boolean $hex whether the entites are hexadecimal. + * @param boolean $hex whether the entities are hexadecimal. * @return boolean True or False depending on whether there were matches. */ function tln_deent(&$attvalue, $regex, $hex = false) @@ -772,7 +772,7 @@ function tln_fixstyle($body, $pos, $trans_image_path, $block_external_images) tln_defang($contentTemp); tln_unspace($contentTemp); - $match = Array('/\/\*.*\*\//', + $match = array('/\/\*.*\*\//', '/expression/i', '/behaviou*r/i', '/binding/i', @@ -780,7 +780,7 @@ function tln_fixstyle($body, $pos, $trans_image_path, $block_external_images) '/javascript/i', '/script/i', '/position/i'); - $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', ''); + $replace = array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', ''); $contentNew = preg_replace($match, $replace, $contentTemp); if ($contentNew !== $contentTemp) { $content = $contentNew; diff --git a/auth.php b/auth.php index 3c8439d..a46c633 100644 --- a/auth.php +++ b/auth.php 
@@ -31,6 +31,4 @@ if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_I } //开启CSP -header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'"); -header("X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'"); -header("X-WebKit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline';img-src 'self' data:; frame-src 'none'"); \ No newline at end of file +require_once("waf.php"); diff --git a/install.php b/install.php index 39cd6af..f1f9245 100644 --- a/install.php +++ b/install.php @@ -5,9 +5,7 @@ ignore_user_abort(true); //检测是否已经安装 if ( file_exists('config.php') ) { display_header(); - - @unlink($_SERVER['SCRIPT_FILENAME']); - @unlink('config-sample.php'); + delTempFiles(); die( '
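Review bot: Whether a `Content-Security-Policy` header is still sent for this page cannot be confirmed from the patch: the three `header()` calls are dropped in favour of `require_once("waf.php")`, but the new waf.php hunk at the end of the patch is cut off after its header, and the policy removed here (`default-src 'self'`, `frame-src 'none'`, no `object-src`) was the only one set on this page. login.php's first hunk makes the same replacement with a slightly different policy (`object-src 'none'`), so if waf.php emits one shared policy it should be checked to be at least as strict as both pages' previous ones. The commit subject says waf.php also enables X-Frame-Options and X-Content-Type-Options; a comment at the include stating that contract, e.g. `// waf.php sends the CSP, X-Frame-Options and X-Content-Type-Options headers for every admin page`, would make the dependency explicit for the next reader.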

已安装

请勿重复安装!

登录

' ); } @@ -181,12 +179,11 @@ CONFIG; if ( $error === false ) { //重加密记录 - modify_js_desc($my_js_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type); - modify_js_desc($js_template_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type); + modifyJsDesc($my_js_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type); + modifyJsDesc($js_template_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type); //安装完成,自杀 - @unlink($_SERVER['SCRIPT_FILENAME']); - @unlink('config-sample.php'); + delTempFiles(); ?> @@ -426,7 +423,7 @@ function stripStr($str) { } //js描述重加密 -function modify_js_desc($path,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type,$new_encrypt_enable,$new_encrypt_pass, $new_encrypt_type) { +function modifyJsDesc($path,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type,$new_encrypt_enable,$new_encrypt_pass, $new_encrypt_type) { $files = glob($path . '/*.js'); foreach ($files as $file){ //由于可能有中文名,故使用正则来提取文件名 @@ -483,4 +480,24 @@ function decrypt($info,$encrypt_enable,$encrypt_pass,$encrypt_type) { return $info; } +//删除目录及目录下所有文件 +function delTree($dir) { + $files = array_diff(scandir($dir), array('.','..')); + foreach ($files as $file) { + (is_dir("$dir/$file")) ? delTree("$dir/$file") : unlink("$dir/$file"); + } + return rmdir($dir); +} + +//删除临时文件 +function delTempFiles() { + @unlink($_SERVER['SCRIPT_FILENAME']); + @unlink('config-sample.php'); + @unlink('change_encrypt_pass.php'); + @unlink('README.md'); + @unlink('LICENSE'); + @delTree('src/'); + @delTree('diff/'); + @delTree('guide/'); +} ?> \ No newline at end of file diff --git a/login.php b/login.php index b32920c..1249217 100644 --- a/login.php +++ b/login.php 
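Review bot: `delTree()` recurses into every entry for which `is_dir()` is true, and `is_dir()` follows symbolic links, so a symlink inside `src/`, `diff/` or `guide/` that points at a directory elsewhere would have that target's contents deleted rather than just the link; checking `is_link()` first and removing links with `unlink()` avoids descending into them. `scandir($dir)` returns `false` when the directory does not exist, and `array_diff()` rejects that (a warning on PHP 7, a `TypeError` on PHP 8 that the caller's `@` does not suppress), so the function should return early when `!is_dir($dir)`. Every call in `delTempFiles()` is `@`-suppressed, which hides a non-writable webroot leaving install.php in place after a completed install; it is worth at least recording which paths could not be removed.
```php
//删除目录及目录下所有文件
function delTree($dir) {
    // scandir() returns false for a missing directory; nothing to remove in that case.
    if (!is_dir($dir)) {
        return false;
    }
    $files = array_diff(scandir($dir), array('.', '..'));
    foreach ($files as $file) {
        $path = "$dir/$file";
        // is_dir() follows symlinks: remove a link as a file instead of recursing into its target.
        if (is_link($path) || !is_dir($path)) {
            unlink($path);
        } else {
            delTree($path);
        }
    }
    return rmdir($dir);
}
```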
@@ -5,9 +5,7 @@ require_once("functions.php"); require_once("dio.php"); //CSP开启 -header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'"); -header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'"); -header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'"); +require_once("waf.php"); //设置httponly ini_set("session.cookie_httponly", 1); @@ -50,7 +48,9 @@ if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) { /* 生成密码 -php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;" + +php -r '$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";$key="你的密码";$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;' + */ function checkPassword($p) { if (isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck'] != "" && $_POST['firesunCheck'] === $_SESSION['firesunCheck']) { diff --git a/waf.php b/waf.php new file mode 100644 index 0000000..e8b57a9 --- /dev/null +++ b/waf.php @@ -0,0 +1,7 @@ +
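Review bot: The rewritten generation command in the comment should say why the `php -r` code is now wrapped in single quotes: in the old double-quoted form the shell expanded `$salt` and `$key` before PHP ran, producing a hash of empty strings, and a one-line remark such as `single quotes keep the shell from expanding $salt and $key` would stop someone reverting it. The derivation the comment documents, three `md5()` rounds over a fixed salt, is a fast hash with no per-user salt or work factor; `password_hash()`/`password_verify()` would be the usual replacement, and if that is out of scope for this commit the comment could mark the scheme as legacy. `checkPassword()` begins on the hunk's last line and its body lies outside the hunk.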