CakePHP 2.X基于路径的XSS问题

时间:2018-04-20 23:50:49

标签: cakephp routing url-routing xss

我遇到了为页面设置路线的问题,但是,如果你输入了一些关于slug的东西,你可以将信息传递到网站,从而导致基于路径的路径跨站点脚本(XSS)"。例如" / lending-center /"%20qss%3D" QssAttrValue" 

Router::connect('/:slug',
    array('controller' => 'pages', 'action' => 'display'),
    array('routeClass' => 'SlugRoute')
);

Router::connect('/:slug/*',
    array('controller' => 'pages', 'action' => 'display'),
    array('routeClass' => 'SlugRoute')
);

这段代码应该做的是将所有内容路由到页面控制器,然后在$ this-> params [' pass']中传递任何其他内容,而不是我通过调试接收到的内容。 $ this-> params是

params => array(
    'plugin' => null,
    'controller' => 'pages',
    'action' => 'display',
    'named' => array(),
    'pass' => array(
        (int) 0 => '" qss="QssAttrValue'
    ),
    'slug' => '" qss="QssAttrValue',
    'isAjax' => false
)

我很困惑为什么slug没有设置为lending-center而不是在调试输出中显示什么。思考?任何帮助将不胜感激。

*更新*

版本:CakePHP 2.9 

class SlugRoute extends CakeRoute {

function parse($url) {
    $params = parent::parse($url);
    if (empty($params)) {
        return false;
    }

    $slugs = Cache::read('page_slugs');
    if (empty($slugs)) {
        App::import('Model', 'Page');
        $Page = new Page();
        $pages = $Page->find('all', array(
            'fields' => array('Page.slug'),
            'recursive' => -1
        ));
        $slugs = array_flip(Set::extract('/Page/slug', $pages));
        Cache::write('page_slugs', $slugs);
    }

    if (isset($slugs[$params['slug']])) {
        return $params;
    }

    return false;
}
}

PagesController.php中的显示功能如下:

public function display($slug = null) { 
    if (!empty($slug)) {
        $this->params['slug'] = $slug;
    }

    if (empty($this->params['slug'])) {
        throw new NotFoundException(__('Sorry, file not found.'));
    }

    $body_id = strtolower(Inflector::classify($this->name));
    $conditions = array('Page.slug' => $this->params['slug']);
    $result = $this->Page->find('first', array('conditions' => $conditions));

    if (empty($result['Page']['name'])) {
        throw new NotFoundException(__('Sorry, file not found.'));
    }

    $this->set(compact('result'));
}

1 个答案:

答案 0 :(得分:1)

您的路线配置错过了slug needs to be passed到控制器,以及结果是:

public function display($slug = null) { 
    if (!empty($slug)) {
        $this->params['slug'] = $slug;
    }

用唯一传递的最后一个arg替换命名的param slug。我的意思是:

$slug === '" qss="QssAttrValue'

在这种情况下。

如果您将路线配置更改为:

Router::connect('/:slug',
    array('controller' => 'pages', 'action' => 'display'),
    array('routeClass' => 'SlugRoute', 'pass' => ['slug'])
);

Router::connect('/:slug/*',
    array('controller' => 'pages', 'action' => 'display'),
    array('routeClass' => 'SlugRoute', 'pass' => ['slug'])
);

然后显示方法参数将是:

array(
    (int) 0 => 'lending-center',
    (int) 1 => '" qss="QssAttrValue'
)
相关问题
最新问题