Severe bug in Security article.

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Smarty Forum Index -> Documentation
View previous topic :: View next topic  
Author Message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

Posted: Thu Jan 14, 2016 11:04 am    Post subject: Severe bug in Security article.

http://www.smarty.net/docs/en/advanced.features.tpl#advanced.features.security

Quote:
    The expression '#https?://.*smarty.net$#i' would allow accessing the following URIs:

    http://smarty.net/foo
    http://smarty.net/foo
    http://www.smarty.net/foo
    http://smarty.net/foo
    https://foo.bar.www.smarty.net/foo/bla?blubb=1

    but deny access to these URIs:

    http://smarty.com/foo (not matching top-level domain "com")
    ftp://www.smarty.net/foo (not matching protocol "ftp")
    http://www.smarty.net.otherdomain.com/foo (not matching end of domain "smarty.net")

But the expression will also allow access to "http://abusesmarty.net/".
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Thu Jan 14, 2016 10:31 pm

Agree, a better and more complete example would be:

Code:
    '#^https?://[\w\.]*\.smarty\.net$#i'

Thanks for the heads up.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

Posted: Fri Jan 15, 2016 12:29 am

Yours isn't much better, as it directly contradicts the article. It will i.e. disallow http://smarty.net/
Something like
Code:
    #^https?://(?:\w+(?:\-\w+)?\.)*smarty\.net$#

would be correct.
mohrt
Administrator


Joined: 16 Apr 2003
Posts: 7368
Location: Lincoln Nebraska, USA

Posted: Fri Jan 15, 2016 10:31 pm

Agree, I didn't test my expression. If you want to be more correct, RFC 1123 does not allow underscores, so \w is not exactly appropriate. [a-zA-Z0-9] would be.
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

Posted: Sat Jan 16, 2016 7:58 am

Underscores are silently converted to dashes, IIRC.
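As an added illustration (not code from this thread or from Smarty itself), the three patterns discussed above run against the thread's URIs through a check that, like Smarty's security class, tests only the scheme://host part of each URI, with PCRE's `\w` mapped to Python's ASCII `\w`. It also probes two things the thread only implies: the unescaped dots in the original pattern and the underscore question from the RFC 1123 remark; the fourth pattern and the last two sample URIs are my own additions.

```python
import re
from urllib.parse import urlparse
# The trusted_uri patterns from this thread, in the delimited '#body#flags' form
# Smarty uses: the doc's original, mohrt's fix and AnrDaemon's fix. RFC1123_PATTERN
# is my addition: AnrDaemon's pattern with \w replaced as mohrt's RFC 1123 remark suggests.
DOC_PATTERN = r'#https?://.*smarty.net$#i'
MOHRT_PATTERN = r'#^https?://[\w\.]*\.smarty\.net$#i'
ANRDAEMON_PATTERN = r'#^https?://(?:\w+(?:\-\w+)?\.)*smarty\.net$#'
RFC1123_PATTERN = r'#^https?://(?:[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*\.)*smarty\.net$#i'

def compile_pcre(pattern):
    """Convert '#body#i' PCRE syntax to a Python regex. re.ASCII keeps \\w as
    [A-Za-z0-9_], which is what PCRE does without the /u modifier."""
    delim = pattern[0]
    end = pattern.rindex(delim)
    body, modifiers = pattern[1:end], pattern[end + 1:]
    flags = re.ASCII | (re.IGNORECASE if 'i' in modifiers else 0)
    return re.compile(body, flags)

def scheme_and_host(uri):
    """Reduce a URI to 'scheme://host', the string Smarty's check tests. Userinfo
    and port are dropped, host case is kept; returns '' when scheme or host is missing."""
    parts = urlparse(uri)
    host = parts.netloc.rpartition('@')[2].split(':')[0]
    return f"{parts.scheme}://{host}" if parts.scheme and host else ''

def is_trusted(uri, trusted_uri):
    """preg_match semantics: a pattern found anywhere in scheme://host allows the URI."""
    target = scheme_and_host(uri)
    return bool(target) and any(compile_pcre(p).search(target) for p in trusted_uri)

def allowed_by(pattern, uris):
    """Subset of uris that a single trusted_uri pattern lets through."""
    return [u for u in uris if is_trusted(u, [pattern])]

# Constructed sample set: the thread's URIs plus two probes of my own (the last two).
SAMPLE_URIS = [
    'http://smarty.net/foo',
    'http://www.smarty.net/foo',
    'https://foo.bar.www.smarty.net/foo/bla?blubb=1',
    'http://smarty.com/foo',
    'ftp://www.smarty.net/foo',
    'http://www.smarty.net.otherdomain.com/foo',
    'http://abusesmarty.net/',     # the bug reported in the thread
    'http://smartyxnet/',          # unescaped '.' in the doc pattern matches any char
    'http://my_cdn.smarty.net/',   # underscore: allowed by \w, rejected by [a-zA-Z0-9]
]
```

Calling `allowed_by(p, SAMPLE_URIS)` for each pattern shows the doc pattern letting the last three hosts through, mohrt's pattern rejecting the bare `smarty.net`, and AnrDaemon's pattern accepting exactly the intended set plus the underscore host.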