* Implement a kind of DOS protection, courtesy to a Drupal/WordPress commit:

90e884ad0f
2014-08-08 09:51:05 +02:00 · 2014-08-08 09:51:05 +02:00 · 6016eefd9d
parent 2342a82aee
commit 6016eefd9d
3 changed files with 45 additions and 1 deletions
--- a/serendipity_event_xmlrpc/ChangeLog
+++ b/serendipity_event_xmlrpc/ChangeLog
@ -1,4 +1,8 @@
 # 
+Version 1.53:
+    * Implement a kind of DOS protection, courtesy to a Drupal/WordPress commit:
+       https://github.com/drupal/drupal/commit/90e884ad0f7f2cf269d953f7d70966de9fd821ff
+
 Version 1.51 (brockhaus):
    * Support for system.multicall patched into the XMLRPC library.
    * dateModified attributes (delivered by WP) supported.
--- a/serendipity_event_xmlrpc/serendipity_event_xmlrpc.php
+++ b/serendipity_event_xmlrpc/serendipity_event_xmlrpc.php
@ -25,7 +25,7 @@ class serendipity_event_xmlrpc extends serendipity_event
        $propbag->add('description',   PLUGIN_EVENT_XMLRPC_DESC);
        $propbag->add('stackable',     false);
        $propbag->add('author',        'Serendipity Team');
-        $propbag->add('version',       '1.52');
+        $propbag->add('version',       '1.53');
        $propbag->add('requirements',  array(
            'serendipity' => '0.8',
            'smarty'      => '2.6.7',
--- a/serendipity_event_xmlrpc/serendipity_xmlrpc.inc.php
+++ b/serendipity_event_xmlrpc/serendipity_xmlrpc.inc.php
@ -24,6 +24,46 @@ if ($debug_xmlrpc) {
    @define('DEBUG_XMLRPC', false);
 }

+// Do some securing. Courtesy to https://github.com/drupal/drupal/commit/90e884ad0f7f2cf269d953f7d70966de9fd821ff
+// Strip XML declaration.
+$xml_in = $HTTP_RAW_POST_DATA;
+if ($xml_in != '') {
+    $header = preg_replace('/<\?xml.*?\?'.'>/s', '', substr($xml_in, 0, 100), 1);
+    $HTTP_RAW_POST_DATA = trim(substr_replace($xml_in, $header, 0, 100));
+    if ($HTTP_RAW_POST_DATA == '') {
+        return FALSE;
+    }
+
+    // Strip DTD.
+    $header = preg_replace('/^<!DOCTYPE[^>]*+>/i', '', substr($HTTP_RAW_POST_DATA, 0, 200), 1);
+    $HTTP_RAW_POST_DATA = trim(substr_replace($HTTP_RAW_POST_DATA, $header, 0, 200));
+    if ($HTTP_RAW_POST_DATA == '') {
+        return FALSE;
+    }
+
+    // Confirm the XML now starts with a valid root tag. A root tag can end in [> \t\r\n]
+    $root_tag = substr($HTTP_RAW_POST_DATA, 0, strcspn(substr($HTTP_RAW_POST_DATA, 0, 20), "> \t\r\n"));
+    // Reject a second DTD.
+    if (strtoupper($root_tag) == '<!DOCTYPE') {
+        return FALSE;
+    }
+    if (!in_array($root_tag, array('<methodCall', '<methodResponse', '<fault'))) {
+        return FALSE;
+    }
+
+    // Skip parsing if there is an unreasonably large number of tags.
+    try {
+        $dom = new DOMDocument();
+        @$dom->loadXML($HTTP_RAW_POST_DATA);
+        if ($dom->getElementsByTagName('*')->length > 30000) {
+            return FALSE;
+        }
+    }
+    catch (Exception $e) {
+        return FALSE;
+    }
+}
+
@define('XMLRPC_WP_COMPATIBLE', TRUE);

@define('XMLRPC_ERR_CODE_AUTHFAILED',   4);