Skip to content

Commit

Permalink
Applied appropriate javascript and html escaping in mailto plugin to …
Browse files Browse the repository at this point in the history
…counter injection attacks

Fixes #454
  • Loading branch information
wisskid committed Sep 14, 2022
1 parent 25051e6 commit f1f7ee6
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 12 deletions.
5 changes: 4 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Fixes
### Security
- Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks [#454](https://github.com/smarty-php/smarty/issues/454)

### Fixed
- Fixed use of `rand()` without a parameter in math function [#794](https://github.com/smarty-php/smarty/issues/794)

## [3.1.46] - 2022-08-01
Expand Down
26 changes: 17 additions & 9 deletions libs/plugins/function.mailto.php
Original file line number Diff line number Diff line change
Expand Up @@ -48,28 +48,33 @@
*/
function smarty_function_mailto($params)
{
static $_allowed_encoding =
array('javascript' => true, 'javascript_charcode' => true, 'hex' => true, 'none' => true);
static $_allowed_encoding = array(
'javascript' => true,
'javascript_charcode' => true,
'hex' => true,
'none' => true
);

$extra = '';
if (empty($params[ 'address' ])) {
trigger_error("mailto: missing 'address' parameter", E_USER_WARNING);
return;
} else {
$address = $params[ 'address' ];
}

$text = $address;

// netscape and mozilla do not decode %40 (@) in BCC field (bug?)
// so, don't encode it.
$search = array('%40', '%2C');
$replace = array('@', ',');
$mail_parms = array();
foreach ($params as $var => $value) {
switch ($var) {
case 'cc':
case 'bcc':
case 'followupto':
if (!empty($value)) {
$mail_parms[] = $var . '=' . str_replace($search, $replace, rawurlencode($value));
$mail_parms[] = $var . '=' . str_replace(array('%40', '%2C'), array('@', ','), rawurlencode($value));
}
break;
case 'subject':
Expand All @@ -83,6 +88,7 @@ function smarty_function_mailto($params)
default:
}
}

if ($mail_parms) {
$address .= '?' . join('&', $mail_parms);
}
Expand All @@ -94,19 +100,21 @@ function smarty_function_mailto($params)
);
return;
}

$string = '<a href="mailto:' . htmlspecialchars($address, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) .
'" ' . $extra . '>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, Smarty::$_CHARSET) . '</a>';

if ($encode === 'javascript') {
$string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
$js_encode = '';
for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
$js_encode .= '%' . bin2hex($string[ $x ]);
}
return '<script type="text/javascript">document.write(unescape(\'' . $js_encode . '\'))</script>';
} elseif ($encode === 'javascript_charcode') {
$string = '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
for ($x = 0, $_length = strlen($string); $x < $_length; $x++) {
$ord[] = ord($string[ $x ]);
}
return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
return '<script type="text/javascript">document.write(String.fromCharCode(' . implode(',', $ord) . '))</script>';
} elseif ($encode === 'hex') {
preg_match('!^(.*)(\?.*)$!', $address, $match);
if (!empty($match[ 2 ])) {
Expand All @@ -129,6 +137,6 @@ function smarty_function_mailto($params)
return '<a href="' . $mailto . $address_encode . '" ' . $extra . '>' . $text_encode . '</a>';
} else {
// no encoding
return '<a href="mailto:' . $address . '" ' . $extra . '>' . $text . '</a>';
return $string;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -150,17 +150,34 @@ public function testExtraWithoutMbstring()

public function testUmlauts()
{
$result = '<a href="mailto:[email protected][email protected],[email protected]&subject=h%C3%A4llo%20w%C3%B6rld" >[email protected]</a>';
$result = '<a href="mailto:[email protected][email protected],[email protected]&amp;subject=h%C3%A4llo%20w%C3%B6rld" >[email protected]</a>';
$tpl = $this->smarty->createTemplate('eval:{mailto address="[email protected]" cc="[email protected],[email protected]" subject="hällo wörld"}');
$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
}

public function testUmlautsWithoutMbstring()
{
Smarty::$_MBSTRING = false;
$result = '<a href="mailto:[email protected][email protected],[email protected]&subject=h%C3%A4llo%20w%C3%B6rld" >[email protected]</a>';
$result = '<a href="mailto:[email protected][email protected],[email protected]&amp;subject=h%C3%A4llo%20w%C3%B6rld" >[email protected]</a>';
$tpl = $this->smarty->createTemplate('eval:{mailto address="[email protected]" cc="[email protected],[email protected]" subject="hällo wörld"}');
$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
Smarty::$_MBSTRING = true;
}

public function testJavascriptChars()
{
$result = '<script type="text/javascript">document.write(unescape(\'%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%22%20%3e%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%71%75%6f%74%3b%26%67%74%3b%6d%65%40%65%78%61%6d%70%6c%65%2e%63%6f%6d%26%23%30%33%39%3b%29%3b%20%61%6c%65%72%74%28%26%71%75%6f%74%3b%69%6e%6a%65%63%74%69%6f%6e%26%71%75%6f%74%3b%29%3b%20%2f%2f%3c%2f%61%3e\'))</script>';
$this->smarty->assign('address', '[email protected]">[email protected]\'); alert("injection"); //');
$tpl = $this->smarty->createTemplate('eval:{mailto address=$address encode=javascript}');
$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
}

public function testHtmlChars()
{
$result = '<a href="mailto:[email protected]&quot;&gt;&lt;h1&gt;" class="email">[email protected]&quot;&gt;&lt;h1&gt;</a>';
$this->smarty->assign('address', '[email protected]"><h1>');
$tpl = $this->smarty->createTemplate('eval:{mailto address=$address extra=\'class="email"\'}');
$this->assertEquals(str_replace("\r", '', $result), $this->smarty->fetch($tpl));
}

}

0 comments on commit f1f7ee6

Please sign in to comment.