rusbrain / reps2_beta1

кузы2
http://reps2.ru
GNU General Public License v3.0

[d] url pokes #195

Closed ghost closed 5 years ago

ghost commented 5 years ago
app/Services/ChatViewHelper.php

    public function does_url_exists($url)

        if ($code == 200) {
            $status = true;
        } else {
            $status = false;
        }

Any non-image URLs will still be considered images.
A lot of image hosts use a 302 redirect code, so some images will be considered invalid.

The entire site's host/domain may be marked as malicious if someone spams that tag.
With CURLOPT_NOBODY it's still possible to just put a huge nonsense link into the GET request to make the website look even more malicious.

I'd suggest removing the code ASAP and rewriting the image validation on the View side.

widedeveloper commented 5 years ago

Ok

widedeveloper commented 5 years ago

I updated this issue, please review and check

ghost commented 5 years ago

The current content processing is extremely bad. Another link in the text or even an extra space char will misparse the whole content.

The algorithm should be:

  1. Extract [d]
  2. Trim the content
  3. Find and process url (which is the last regex matched url)
  4. Process text styling with tags e.g. [c4][/c4]

There should also be img onerror handling, which can replace the XHR request.

The code also contains inappropriate flaws:

  1. Missing semicolons
  2. Nonsensical comparison of falsable data

         if(demotivate_matches != null){
         if(img_matches != null){

  3. Excessive if-else usage

         if ((/\.(gif|jpg|jpeg|tiff|png)$/i).test(img) && validationImg(img)) {

         } else {

  4. Which leads to unnecessary variable mutations

                 } else {
                     message = message.replace(img, default_Incorrect_img);
                 }
             }
             return message;

  5. Regexped values should be commented

         let img = img_matches[1];
         var content = demotivate_matches[1];

rusbrain commented 5 years ago

@widedeveloper expecting bugfix

ghost commented 5 years ago

I have no idea how broken img URLs could become that big a problem. Server validation is barely useful and potentially dangerous.

The current Vue solution is basically the same thing but on the client side. It's still possible to post a broken img through a third-party socket.io client.

A simple img onerror attribute can be put on the View side, handling broken img links and potentially gathering statistics from the client side for deleting those.

widedeveloper commented 5 years ago

@nl169, so we should not send an XMLHttpRequest when rendering a message on the view side. I removed the valid request and instead added the onerror attr in the image tag:

    onerror="this.onerror=null;this.src='/images/incorrect_img.png';"

but it's also showing a console error for loading the image.

ghost commented 5 years ago

Previous solutions don't handle it either.

The security-wise issue was fixed
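
The parsing order proposed in the thread (extract [d], trim, take the last matched URL, then apply style tags) combined with the img onerror fallback, so the server never fetches a user-supplied URL. This is an added example, not the project's code; the `[d]...[/d]` closing form, the `[cN]` to `<span class="cN">` mapping and the function names are assumptions.

```javascript
// Added example: client-side rendering of a [d] message, no server-side fetch.
// Assumptions (not from the project): the [d]...[/d] closing form, the
// [cN]...[/cN] -> <span class="cN"> mapping, and all function names.
const FALLBACK_IMG = '/images/incorrect_img.png'; // path quoted in the thread

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch]
  ));
}

function renderDemotivator(message) {
  // 1. Extract [d]; group 1 is the raw body between the tags.
  const dMatch = /\[d\]([\s\S]*?)\[\/d\]/i.exec(message);
  if (!dMatch) return null;

  // 2. Trim, so stray spaces cannot shift the parse.
  const body = dMatch[1].trim();

  // 3. The image is the last http(s) URL in the body; earlier links stay text.
  const urls = body.match(/https?:\/\/[^\s\[\]<>"']+/gi) || [];
  const imgUrl = urls.length ? urls[urls.length - 1] : null;
  let text = body;
  if (imgUrl) {
    const at = body.lastIndexOf(imgUrl);
    text = (body.slice(0, at) + body.slice(at + imgUrl.length)).trim();
  }

  // 4. Escape first, then turn [cN]...[/cN] into styled spans.
  const caption = escapeHtml(text).replace(
    /\[c(\d)\]([\s\S]*?)\[\/c\1\]/g,
    (_, n, inner) => `<span class="c${n}">${inner}</span>`
  );

  // A dead or non-image link is swapped in the browser by onerror;
  // clearing onerror first stops a loop if the fallback is missing too.
  const src = escapeHtml(imgUrl || FALLBACK_IMG);
  const img = `<img src="${src}" ` +
    `onerror="this.onerror=null;this.src='${FALLBACK_IMG}';">`;
  return `<div class="demotivator">${img}<p>${caption}</p></div>`;
}
```

Because the markup is built from escaped text and the URL pattern stops at quotes and angle brackets, a message posted through any client renders the same way.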