1
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-16 21:48:14 +01:00

Properly use HMAC for secure munging.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang 2013-09-13 21:16:50 -07:00
parent fac747bdbd
commit cf44f399f8
6 changed files with 12 additions and 7 deletions

2
NEWS
View File

@ -10,6 +10,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
==========================
4.6.0, unknown release date
# Secure URI munge hashing algorithm has changed to hash_hmac("sha256", $url, $secret).
Please update any verification scripts you may have.
# URI parsing algorithm was made more strict, so only prefixes which
looks like schemes will actually be schemes. Thanks
Michael Gusev <mgusev@sugarcrm.com> for fixing.

View File

@ -11,7 +11,7 @@ DEFAULT: NULL
to check if a URI has passed through HTML Purifier with this line:
</p>
<pre>$checksum === sha1($secret_key . ':' . $url)</pre>
<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>
<p>
If the output is TRUE, the redirector script should accept the URI.

View File

@ -47,6 +47,9 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
$this->parser = new HTMLPurifier_URIParser();
$this->doEmbed = $config->get('URI.MungeResources');
$this->secretKey = $config->get('URI.MungeSecretKey');
if ($this->secretKey && !function_exists('hash_hmac')) {
trigger_error("Cannot use %URI.MungeSecretKey without hash_hmac support.", E_USER_ERROR);
}
return true;
}
@ -104,7 +107,7 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
$this->replace['%p'] = $context->get('CurrentCSSProperty', true);
// not always available
if ($this->secretKey) {
$this->replace['%t'] = sha1($this->secretKey . ':' . $string);
$this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
}
}
}

View File

@ -6,6 +6,6 @@ URI.MungeResources = true
<a href="http://example.com">Link</a>
<img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" />
--EXPECT--
<a href="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=&amp;n=a&amp;m=href&amp;p=">Link</a>
<img src="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=1&amp;n=img&amp;m=src&amp;p=" style="background-image:url(&quot;/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=1&amp;n=img&amp;m=style&amp;p=background-image&quot;);" alt="example.com" />
<a href="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c763c4a30204eee8470a3292e0f0cd91a639654d039d45f1495a50207847e954&amp;r=&amp;n=a&amp;m=href&amp;p=">Link</a>
<img src="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c763c4a30204eee8470a3292e0f0cd91a639654d039d45f1495a50207847e954&amp;r=1&amp;n=img&amp;m=src&amp;p=" style="background-image:url(&quot;/redirect?s=http%3A%2F%2Fexample.com&amp;t=c763c4a30204eee8470a3292e0f0cd91a639654d039d45f1495a50207847e954&amp;r=1&amp;n=img&amp;m=style&amp;p=background-image&quot;);" alt="example.com" />
--# vim: et sw=4 sts=4

View File

@ -5,6 +5,6 @@ URI.MungeSecretKey = "foo"
<a href="http://localhost">foo</a>
<img src="http://localhost" alt="local" />
--EXPECT--
<a href="/redirect.php?url=http%3A%2F%2Flocalhost&amp;check=8e8223ae8fac24561104180ea549c21fbd111be7">foo</a>
<a href="/redirect.php?url=http%3A%2F%2Flocalhost&amp;check=c0efad89696082f5cb925d28636b0f4260f346391c92c70c8e9eba72591c2a73">foo</a>
<img src="http://localhost" alt="local" />
--# vim: et sw=4 sts=4

View File

@ -107,7 +107,7 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
public function testSecureMungeStandard()
{
$this->setSecureMunge();
$this->assertFiltering('http://google.com', '/redirect.php?url=http%3A%2F%2Fgoogle.com&checksum=0072e2f817fd2844825def74e54443debecf0892');
$this->assertFiltering('http://google.com', '/redirect.php?url=http%3A%2F%2Fgoogle.com&checksum=46267a796aca0ea5839f24c4c97ad2648373a4eca31b1c0d1fa7c7ff26798f79');
}
public function testSecureMungeIgnoreUnknownSchemes()
@ -127,7 +127,7 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
{
$this->setSecureMunge();
$this->setMunge('/links/%s/%t');
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892');
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/46267a796aca0ea5839f24c4c97ad2648373a4eca31b1c0d1fa7c7ff26798f79');
}
public function testMungeIgnoreSameDomain()