Getsimple : exotic char causes website crash

Par Mathieu le vendredi 15 mars 2013, 08:29 - Hacks - Lien permanent

Input sanitizing while editing pages is not efficient in GetSimple, incorrect char such as NULL or EOT corrupt XML files and crashes the CMS :

Warning: simplexml_load_string(): Entity: line 106: parser error : CData section not finished

Here is a patch :

--- admin/inc/basic.php
+++ admin/inc/basic.php
@@ -654,8 +654,15 @@
     } else {
         $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
     }
-    $text = str_replace(chr(12), '', $text);
-    $text = str_replace(chr(3), ' ', $text);
+    $badchars = array();
+    for ($code = 0; $code < 32; $code++) {
+        $badchars[] = chr($code);
+    }
+    unset($badchars[13]);
+    unset($badchars[10]);
+    $text = str_replace($badchars, '', $text);
+    //$text = str_replace(chr(12), '', $text);
+    //$text = str_replace(chr(3), ' ', $text);
     return $text;
 }

Note that it does not fixes the corrupted XML files, it prevents the corrupted files to appear.

# uname -a

Getsimple : exotic char causes website crash

Recherche

À retenir

Catégories

Pages