Fix for a XSS bug in CI
#1

[eluser]Patrick Savalle[/eluser]
It is possible to inject code into the CSRF parameter of the CI-FORMS. This code will be sent back to the browser in the reply. The preg_match in the code snippet will fix it. Put this in /system/libraries/Security.php (replace the original piece of code).

Code:
private function _csrf_set_hash()
    {
        if ($this->csrf_hash == '')
        {
            // If the cookie exists we will use its value.  We don't necessarily want to regenerate it with
            // each page load since a page could contain embedded sub-pages causing this feature to fail.
            // Only accept a value that is exactly 32 hex characters; anything else is discarded and regenerated.
            if (isset($_COOKIE[$this->csrf_cookie_name]) AND preg_match( '#^[0-9a-f]{32}$#iS', $_COOKIE[$this->csrf_cookie_name] ) > 0)
            {
                $this->csrf_hash = $_COOKIE[$this->csrf_cookie_name];
            }
            else
            {
                $this->csrf_hash = md5(uniqid(rand(), TRUE));
            }
        }

        return $this->csrf_hash;
    }
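As an added illustration (not code from this thread or from CodeIgniter), the same whitelist check pulled into a stand-alone function, with `\A`/`\z` anchors so a cookie value with a trailing newline is rejected as well, and the hidden field escaped on output. Function names, the cookie name and the sample values are assumptions made for the demo.

```php
<?php
// Added example, not CodeIgniter code: the whitelist check from the post as a
// stand-alone function, plus the two places the value touches the response.

// Accept only 32 hex characters. \A and \z anchor the whole string; a bare '$'
// would still accept a value with a trailing newline.
function csrf_hash_is_valid($value)
{
    return is_string($value)
        && preg_match('#\A[0-9a-f]{32}\z#i', $value) === 1;
}

// Mirror of _csrf_set_hash(): reuse the cookie only when it passes the check,
// otherwise mint a new token. (Assumed helper; CI itself used md5(uniqid(rand(), TRUE)).)
function csrf_hash_from_cookie(array $cookie, $cookie_name)
{
    if (isset($cookie[$cookie_name]) && csrf_hash_is_valid($cookie[$cookie_name])) {
        return $cookie[$cookie_name];
    }
    return bin2hex(random_bytes(16));   // PHP 7+ (assumption)
}

// Hidden field as a form helper would emit it. Escaping on output is kept even
// for a validated value: input validation and output encoding are separate layers.
function csrf_hidden_field($field_name, $hash)
{
    return '<input type="hidden" name="' . htmlspecialchars($field_name, ENT_QUOTES, 'UTF-8')
        . '" value="' . htmlspecialchars($hash, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed sample cookies (names and values are made up for the demo).
$samples = array(
    'valid'   => array('ci_csrf_token' => 'd41d8cd98f00b204e9800998ecf8427e'),
    'newline' => array('ci_csrf_token' => "d41d8cd98f00b204e9800998ecf8427e\n"),
    'garbage' => array('ci_csrf_token' => 'not a hash at all'),
    'missing' => array(),
);
foreach ($samples as $label => $cookie) {
    $hash   = csrf_hash_from_cookie($cookie, 'ci_csrf_token');
    $reused = isset($cookie['ci_csrf_token']) && $hash === $cookie['ci_csrf_token'];
    printf("%-8s reused=%s %s\n", $label, $reused ? 'yes' : 'no ', csrf_hidden_field('csrf_test_name', $hash));
}
```

Only the `valid` sample is reused; the other three get a freshly generated token.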
#2

[eluser]marcogmonteiro[/eluser]
Did you make a pull request with this?
#3

[eluser]alexman[/eluser]
We don't use git ^^

Patch:
Code:
Index: system/core/Security.php
===================================================================
--- system/core/Security.php (revision 8)
+++ system/core/Security.php (working copy)
@@ -848,7 +848,7 @@
    // each page load since a page could contain embedded
    // sub-pages causing this feature to fail
    if (isset($_COOKIE[$this->_csrf_cookie_name]) &&
-    $_COOKIE[$this->_csrf_cookie_name] != '')
+    preg_match( '#^[0-9a-f]{32}$#iS', $_COOKIE[$this->csrf_cookie_name] ) > 0)
    {
     return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
    }
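Review bot: the added line mixes property names: it reads `$_COOKIE[$this->csrf_cookie_name]` while the `isset()` on the line above and the rest of the hunk use `$this->_csrf_cookie_name`, so the regex would be run against the wrong (likely undefined) index and the cookie would never be reused; change it to `$_COOKIE[$this->_csrf_cookie_name]`. Also, `$` in `#^[0-9a-f]{32}$#iS` still matches before a final newline, so a value like `<32 hex chars>\n` would pass; anchor with `\z` (or add the `D` modifier) to require the whole string to be the hash.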
#4

[eluser]Patrick Savalle[/eluser]
I must admit that GIT is way above my IQ. I need all my brain capacity just to understand SVN :) So: no. Sorry.
#5

[eluser]Patrick Savalle[/eluser]
Ah, my colleague already replied :) He knows his shit. And my shit.
#6

[eluser]marcogmonteiro[/eluser]
If you want, PM me and I can help with making the pull request, or I can make it myself.
#7

[eluser]alexman[/eluser]
I'm figuring it out as we speak. I see that GitHub's web interface supports editing in your own fork, so I can make changes there.
#8

[eluser]alexman[/eluser]
This ok?
https://github.com/EllisLab/CodeIgniter/pull/1336