From cc2ec2a6da800ca22883089f544c4cdf314e6740 Mon Sep 17 00:00:00 2001
From: Greg Knaddison
Date: Fri, 9 Oct 2015 10:16:58 -0600
Subject: [PATCH 1/5] Fix an instance of xss
---
 driver-testsuite/web-fixtures/issue130.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/driver-testsuite/web-fixtures/issue130.php b/driver-testsuite/web-fixtures/issue130.php
index 201d9826e..90bb7ce7e 100644
--- a/driver-testsuite/web-fixtures/issue130.php
+++ b/driver-testsuite/web-fixtures/issue130.php
@@ -5,7 +5,7 @@ if ('1' === $_GET['p']) {
 echo 'Go to 2';
 } else {
- echo ''.$_SERVER['HTTP_REFERER'].'';
+ echo ''.htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');).'';
 } ?>
From 48f6d699bfa357722ba702723bfe344d92d7022d Mon Sep 17 00:00:00 2001
From: Greg Knaddison
Date: Mon, 12 Oct 2015 08:43:04 -0600
Subject: [PATCH 2/5] Fix a few more instances of xss
---
 driver-testsuite/web-fixtures/advanced_form_post.php | 8 ++++++--
 driver-testsuite/web-fixtures/basic_form_post.php | 7 +++----
 driver-testsuite/web-fixtures/basic_get_form.php | 2 +-
 driver-testsuite/web-fixtures/cookie_page2.php | 2 +-
 driver-testsuite/web-fixtures/issue140.php | 2 +-
 driver-testsuite/web-fixtures/print_cookies.php | 6 ++++++
 6 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/driver-testsuite/web-fixtures/advanced_form_post.php b/driver-testsuite/web-fixtures/advanced_form_post.php
index 755806dc6..a0ebee6df 100644
--- a/driver-testsuite/web-fixtures/advanced_form_post.php
+++ b/driver-testsuite/web-fixtures/advanced_form_post.php
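Review bot: The added echo line in issue130.php does not parse — `'UTF-8');).''` terminates the statement with `;` and then leaves a stray `)` and a dangling string, so the fixture is a fatal parse error at this commit; PATCH 5/5 repairs it, and squashing that fix into this one would keep every commit in the series loadable. Independently, `$_SERVER['HTTP_REFERER']` only exists when the client sent a Referer header, so a direct request to this page emits an undefined-index notice into the response body; `isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''` before escaping avoids that. The markup around the echo is not visible in this hunk, so whether the escaped value lands in an attribute or in text content cannot be confirmed here; ENT_QUOTES is the right choice for either.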
@@ -13,11 +13,15 @@
 }
 $_POST['agreement'] = isset($_POST['agreement']) ? 'on' : 'off';
+foreach ($_POST as $key => $value) {
+ unset($_POST[$key]);
+ $_POST[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+}
 ksort($_POST);
 echo str_replace('>', '', var_export($_POST, true)) . "\n";
 if (isset($_FILES['about']) && file_exists($_FILES['about']['tmp_name'])) {
- echo $_FILES['about']['name'] . "\n";
- echo file_get_contents($_FILES['about']['tmp_name']);
+ echo htmlspecialchars($_FILES['about']['name'], ENT_QUOTES, 'UTF-8') . "\n";
+ echo htmlspecialchars(file_get_contents($_FILES['about']['tmp_name'], ENT_QUOTES, 'UTF-8'));
 } else {
 echo "no file";
 }
diff --git a/driver-testsuite/web-fixtures/basic_form_post.php b/driver-testsuite/web-fixtures/basic_form_post.php
index 8a5e340ef..751b27684 100644
--- a/driver-testsuite/web-fixtures/basic_form_post.php
+++ b/driver-testsuite/web-fixtures/basic_form_post.php
@@ -5,9 +5,8 @@
-
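Review bot: The parentheses on the new file-contents line are misplaced: `htmlspecialchars(file_get_contents($_FILES['about']['tmp_name'], ENT_QUOTES, 'UTF-8'))` hands ENT_QUOTES and 'UTF-8' to file_get_contents as its $use_include_path and $context arguments (a string where a stream-context resource is expected is a warning on PHP 5/7 and a TypeError on PHP 8) and leaves htmlspecialchars on its default flags, so single quotes in the uploaded content are not escaped; it should read `echo htmlspecialchars(file_get_contents($_FILES['about']['tmp_name']), ENT_QUOTES, 'UTF-8');`. The same line survives as context in the PATCH 3/5 and 4/5 hunks for this file, so none of the later commits corrects it. The new foreach also passes `$value` straight to htmlspecialchars, which fails for form fields that PHP parses into nested arrays; PATCH 4/5 partly covers that by var_export-ing the value first.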

Anket for

- - Firstname: - Lastname: +

Anket for

+ Firstname: + Lastname: diff --git a/driver-testsuite/web-fixtures/basic_get_form.php b/driver-testsuite/web-fixtures/basic_get_form.php index a0b35166e..a84a2f83c 100644 --- a/driver-testsuite/web-fixtures/basic_get_form.php +++ b/driver-testsuite/web-fixtures/basic_get_form.php @@ -8,7 +8,7 @@

Basic Get Form Page

- +
diff --git a/driver-testsuite/web-fixtures/cookie_page2.php b/driver-testsuite/web-fixtures/cookie_page2.php
index 22bcd1be1..97e5297e8 100644
--- a/driver-testsuite/web-fixtures/cookie_page2.php
+++ b/driver-testsuite/web-fixtures/cookie_page2.php
@@ -5,6 +5,6 @@
- Previous cookie:
+ Previous cookie:
diff --git a/driver-testsuite/web-fixtures/issue140.php b/driver-testsuite/web-fixtures/issue140.php
index 04a4cafb7..b98bbdfeb 100644
--- a/driver-testsuite/web-fixtures/issue140.php
+++ b/driver-testsuite/web-fixtures/issue140.php
@@ -2,7 +2,7 @@ if (!empty($_POST)) {
 setcookie("tc", $_POST['cookie_value'], null, '/');
 } elseif (isset($_GET["show_value"])) {
- echo $_COOKIE["tc"];
+ echo htmlspecialchars($_COOKIE["tc"], ENT_QUOTES, 'UTF-8');
 die();
 } ?>
diff --git a/driver-testsuite/web-fixtures/print_cookies.php b/driver-testsuite/web-fixtures/print_cookies.php
index eef496ec5..1d0abc1f6 100644
--- a/driver-testsuite/web-fixtures/print_cookies.php
+++ b/driver-testsuite/web-fixtures/print_cookies.php
@@ -5,6 +5,12 @@ + $value) {
+ unset($_COOKIE[$key]);
+ $_COOKIE[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+ }
+ ?>
 ', '', var_export($_COOKIE, true)); ?>
From b644fa3e06392c773f5abc4fcb84a3fa23c6c7d0 Mon Sep 17 00:00:00 2001
From: Greg Knaddison
Date: Mon, 12 Oct 2015 10:23:03 -0600
Subject: [PATCH 3/5] Create a temp instead of modifying the global
---
 driver-testsuite/web-fixtures/advanced_form_post.php | 7 +++----
 driver-testsuite/web-fixtures/print_cookies.php | 5 ++---
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/driver-testsuite/web-fixtures/advanced_form_post.php b/driver-testsuite/web-fixtures/advanced_form_post.php
index a0ebee6df..366883168 100644
--- a/driver-testsuite/web-fixtures/advanced_form_post.php
+++ b/driver-testsuite/web-fixtures/advanced_form_post.php
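Review bot: The new loop in print_cookies.php passes every cookie value straight to `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`, but PHP parses a cookie named `name[sub]` into a nested array in `$_COOKIE`, and htmlspecialchars on an array is a warning yielding null on PHP 5/7 and a TypeError on PHP 8; `is_array($value) ? var_export($value, true) : $value` before escaping keeps the fixture from breaking on such a request. Rewriting `$_COOKIE` in place while iterating it is replaced with a separate array in PATCH 3/5, so nothing further on that here. The loop header is truncated in this rendering of the hunk, so the iteration target is inferred from the unset/assign lines.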
@@ -14,11 +14,10 @@
 $_POST['agreement'] = isset($_POST['agreement']) ? 'on' : 'off';
 foreach ($_POST as $key => $value) {
- unset($_POST[$key]);
- $_POST[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+ $post_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
 }
-ksort($_POST);
-echo str_replace('>', '', var_export($_POST, true)) . "\n";
+ksort($post_for_printing);
+echo str_replace('>', '', var_export($post_for_printing, true)) . "\n";
 if (isset($_FILES['about']) && file_exists($_FILES['about']['tmp_name'])) {
 echo htmlspecialchars($_FILES['about']['name'], ENT_QUOTES, 'UTF-8') . "\n";
 echo htmlspecialchars(file_get_contents($_FILES['about']['tmp_name'], ENT_QUOTES, 'UTF-8'));
diff --git a/driver-testsuite/web-fixtures/print_cookies.php b/driver-testsuite/web-fixtures/print_cookies.php
index 1d0abc1f6..3aea17973 100644
--- a/driver-testsuite/web-fixtures/print_cookies.php
+++ b/driver-testsuite/web-fixtures/print_cookies.php
@@ -7,10 +7,9 @@ $value) {
- unset($_COOKIE[$key]);
- $_COOKIE[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+ $cookie_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
 } ?>
- ', '', var_export($_COOKIE, true)); ?>
+ ', '', var_export($cookie_for_printing, true)); ?>
From d12098b41fc231ca957f55b9afed18d90b2d682e Mon Sep 17 00:00:00 2001
From: Greg Knaddison
Date: Wed, 24 Feb 2016 09:05:40 -0700
Subject: [PATCH 4/5] Attempt to address feedback from @stof
---
 driver-testsuite/web-fixtures/advanced_form_post.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/driver-testsuite/web-fixtures/advanced_form_post.php b/driver-testsuite/web-fixtures/advanced_form_post.php
index 366883168..dda1ee383 100644
--- a/driver-testsuite/web-fixtures/advanced_form_post.php
+++ b/driver-testsuite/web-fixtures/advanced_form_post.php
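Review bot: `$cookie_for_printing` in the print_cookies.php hunk is never initialised before the foreach, so on a request that carries no cookies the loop body never runs and `var_export($cookie_for_printing, true)` prints `NULL` (after an undefined-variable notice) where the old code printed an empty array; add `$cookie_for_printing = array();` ahead of the loop. `$post_for_printing` in the advanced_form_post.php hunk has the same shape; there the `agreement` key is always present so the loop runs at least once, but initialising it the same way keeps the two fixtures consistent and static analysis quiet. The misplaced parentheses on the `htmlspecialchars(file_get_contents(..., ENT_QUOTES, 'UTF-8'))` context line are carried over unchanged from PATCH 2/5.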
@@ -13,10 +13,10 @@
 }
 $_POST['agreement'] = isset($_POST['agreement']) ? 'on' : 'off';
+ksort($_POST);
 foreach ($_POST as $key => $value) {
- $post_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
+ $post_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars(var_export($value, TRUE), ENT_QUOTES, 'UTF-8');
 }
-ksort($post_for_printing);
 echo str_replace('>', '', var_export($post_for_printing, true)) . "\n";
 if (isset($_FILES['about']) && file_exists($_FILES['about']['tmp_name'])) {
 echo htmlspecialchars($_FILES['about']['name'], ENT_QUOTES, 'UTF-8') . "\n";
From fddf0ca3bd379148398ac62e8d562835e86cdda3 Mon Sep 17 00:00:00 2001
From: Greg Knaddison
Date: Wed, 24 Feb 2016 09:37:57 -0700
Subject: [PATCH 5/5] Syntax error
---
 driver-testsuite/web-fixtures/issue130.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/driver-testsuite/web-fixtures/issue130.php b/driver-testsuite/web-fixtures/issue130.php
index 90bb7ce7e..e19551ea4 100644
--- a/driver-testsuite/web-fixtures/issue130.php
+++ b/driver-testsuite/web-fixtures/issue130.php
@@ -5,7 +5,7 @@ if ('1' === $_GET['p']) {
 echo 'Go to 2';
 } else {
- echo ''.htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8');).'';
+ echo ''.htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8').'';
 } ?>
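Review bot: With `var_export($value, TRUE)` applied per value in the advanced_form_post.php hunk and the whole array var_export-ed again on the echo line below, a plain string field such as `foo` is now printed as `'&#039;foo&#039;'` — the quotes added by the inner var_export are escaped by ENT_QUOTES and then requoted by the outer one — which presumably changes what the driver tests compare this page against; if the goal is only to survive array-valued fields, `is_array($value) ? var_export($value, true) : $value` before the htmlspecialchars call leaves scalar output as it was. Style: `TRUE` on the changed line is uppercase while `true` on the echo line two lines below is lowercase; the file should settle on one spelling. The `if (isset($_FILES['about']) ...)` block at the end of the hunk continues past it.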