diff options
| author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2005-11-28 02:09:01 +0000 |
|---|---|---|
| committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2005-11-28 02:09:01 +0000 |
| commit | 1ebc196f6c81ef19dddf5e36d44da84b63bb3635 (patch) | |
| tree | b6efea5d55eac8636cdd17e2494393d62f6e4675 | |
| parent | 37e167b1a82f89bbb1c1a892d655eaa56c201de5 (diff) | |
| download | ampache-1ebc196f6c81ef19dddf5e36d44da84b63bb3635.tar.gz ampache-1ebc196f6c81ef19dddf5e36d44da84b63bb3635.tar.bz2 ampache-1ebc196f6c81ef19dddf5e36d44da84b63bb3635.zip | |
updates for security flaw
| -rwxr-xr-x | docs/CHANGELOG | 3 | ||||
| -rw-r--r-- | modules/amazon/Snoopy.class.php | 51 |
2 files changed, 40 insertions, 14 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG index cfa30072..63e12cfc 100755 --- a/docs/CHANGELOG +++ b/docs/CHANGELOG @@ -4,6 +4,9 @@ -------------------------------------------------------------------------- v.3.3.2-Alpha3 + - Updated included Snoopy class due to vulenerability + http://seclists.org/lists/fulldisclosure/2005/Oct/0536.html + (Thx marineam) - Added transcoding of m4a files so they stream properly (Thx Rosensama) - Fixed problem where Add to Playlist from mpd.php only works for diff --git a/modules/amazon/Snoopy.class.php b/modules/amazon/Snoopy.class.php index f9e07e02..77e5b731 100644 --- a/modules/amazon/Snoopy.class.php +++ b/modules/amazon/Snoopy.class.php @@ -5,7 +5,7 @@ Snoopy - the PHP net client Author: Monte Ohrt <monte@ispi.net> Copyright (c): 1999-2000 ispi, all rights reserved -Version: 1.2 +Version: 1.01 * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -48,7 +48,7 @@ class Snoopy var $proxy_user = ""; // proxy user to use var $proxy_pass = ""; // proxy password to use - var $agent = "Snoopy v1.2"; // agent we masquerade as + var $agent = "Snoopy v1.2.3"; // agent we masquerade as var $referer = ""; // referer info to pass var $cookies = array(); // array of cookies to pass // $cookies["username"]="joe"; @@ -61,7 +61,7 @@ class Snoopy var $maxframes = 0; // frame content depth maximum. 0 = disallow var $expandlinks = true; // expand links to fully qualified URLs. // this only applies to fetchlinks() - // or submitlinks() + // submitlinks(), and submittext() var $passcookies = true; // pass set cookies back through redirects // NOTE: this currently does not respect // dates, domains or paths. @@ -137,8 +137,10 @@ class Snoopy $this->pass = $URI_PARTS["pass"]; if (empty($URI_PARTS["query"])) $URI_PARTS["query"] = ''; + if (empty($URI_PARTS["path"])) + $URI_PARTS["path"] = ''; - switch($URI_PARTS["scheme"]) + switch(strtolower($URI_PARTS["scheme"])) { case "http": $this->host = $URI_PARTS["host"]; @@ -287,8 +289,10 @@ class Snoopy $this->pass = $URI_PARTS["pass"]; if (empty($URI_PARTS["query"])) $URI_PARTS["query"] = ''; + if (empty($URI_PARTS["path"])) + $URI_PARTS["path"] = ''; - switch($URI_PARTS["scheme"]) + switch(strtolower($URI_PARTS["scheme"])) { case "http": $this->host = $URI_PARTS["host"]; @@ -438,7 +442,8 @@ class Snoopy { if ($this->fetch($URI)) { - + if($this->lastredirectaddr) + $URI = $this->lastredirectaddr; if(is_array($this->results)) { for($x=0;$x<count($this->results);$x++) @@ -518,6 +523,8 @@ class Snoopy { if($this->submit($URI,$formvars, $formfiles)) { + if($this->lastredirectaddr) + $URI = $this->lastredirectaddr; if(is_array($this->results)) { for($x=0;$x<count($this->results);$x++) @@ -550,6 +557,8 @@ class Snoopy { if($this->submit($URI,$formvars, $formfiles)) { + if($this->lastredirectaddr) + $URI = $this->lastredirectaddr; if(is_array($this->results)) { for($x=0;$x<count($this->results);$x++) @@ -739,14 +748,19 @@ class Snoopy $match = preg_replace("|/[^\/\.]+\.[^\/\.]+$|","",$match[0]); $match = preg_replace("|/$|","",$match); + $match_part = parse_url($match); + $match_root = + $match_part["scheme"]."://".$match_part["host"]; $search = array( "|^http://".preg_quote($this->host)."|i", - "|^(?!http://)(\/)?(?!mailto:)|i", + "|^(\/)|i", + "|^(?!http://)(?!mailto:)|i", "|/\./|", "|/[^\/]+/\.\./|" ); $replace = array( "", + $match_root."/", $match."/", "/", "/" @@ -779,8 +793,12 @@ class Snoopy $headers = $http_method." ".$url." ".$this->_httpversion."\r\n"; if(!empty($this->agent)) $headers .= "User-Agent: ".$this->agent."\r\n"; - if(!empty($this->host) && !isset($this->rawheaders['Host'])) - $headers .= "Host: ".$this->host."\r\n"; + if(!empty($this->host) && !isset($this->rawheaders['Host'])) { + $headers .= "Host: ".$this->host; + if(!empty($this->port)) + $headers .= ":".$this->port; + $headers .= "\r\n"; + } if(!empty($this->accept)) $headers .= "Accept: ".$this->accept."\r\n"; if(!empty($this->referer)) @@ -849,7 +867,7 @@ class Snoopy if(preg_match("/^(Location:|URI:)/i",$currentHeader)) { // get URL portion of the redirect - preg_match("/^(Location:|URI:)[ ]+(.*)/",chop($currentHeader),$matches); + preg_match("/^(Location:|URI:)[ ]+(.*)/i",chop($currentHeader),$matches); // look for :// in the Location header to see if hostname is included if(!preg_match("|\:\/\/|",$matches[2])) { @@ -941,7 +959,10 @@ class Snoopy if(!empty($this->agent)) $headers[] = "User-Agent: ".$this->agent; if(!empty($this->host)) - $headers[] = "Host: ".$this->host; + if(!empty($this->port)) + $headers[] = "Host: ".$this->host.":".$this->port; + else + $headers[] = "Host: ".$this->host; if(!empty($this->accept)) $headers[] = "Accept: ".$this->accept; if(!empty($this->referer)) @@ -978,8 +999,10 @@ class Snoopy if(!empty($this->user) || !empty($this->pass)) $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass); - for($curr_header = 0; $curr_header < count($headers); $curr_header++) - $cmdline_params .= " -H \"".$headers[$curr_header]."\""; + for($curr_header = 0; $curr_header < count($headers); $curr_header++) { + $safer_header = strtr( $headers[$curr_header], "\"", " " ); + $cmdline_params .= " -H \"".$safer_header."\""; + } if(!empty($body)) $cmdline_params .= " -d \"$body\""; @@ -1037,7 +1060,7 @@ class Snoopy // check if there is a a redirect meta tag - if(preg_match("'<meta[\s]*http-equiv[^>]*?content[\s]*=[\s]*[\"\']?\d+;[\s]+URL[\s]*=[\s]*([^\"\']*?)[\"\']?>'i",$results,$match)) + if(preg_match("'<meta[\s]*http-equiv[^>]*?content[\s]*=[\s]*[\"\']?\d+;[\s]*URL[\s]*=[\s]*([^\"\']*?)[\"\']?>'i",$results,$match)) { $this->_redirectaddr = $this->_expandlinks($match[1],$URI); } |