From 9e0c125f8fe65e494a20430183d5356d17b3c9c7 Mon Sep 17 00:00:00 2001
From: Yoshihiro Yamazaki <yoya@awm.jp>
Date: Tue, 22 Dec 2020 23:47:56 +0900
Subject: [PATCH] fixing to XSS vulnerability.

---
 www/define.php          | 11 +++++++++++
 www/index.php           |  2 +-
 www/swfimage.php        |  4 ++--
 www/swfimagelist.php    |  2 +-
 www/swfimagereplace.php | 14 +++++++-------
 www/swfshape.php        |  8 ++++++--
 6 files changed, 28 insertions(+), 13 deletions(-)
diff --git a/www/define.php b/www/define.php
index be64d45..41f98f5 100644
--- a/www/define.php
+++ b/www/define.php
@@ -1,3 +1,14 @@
 <?php
 
 $tmp_prefix = '/tmp/swf-';
+
+function dec_from_string($n) {
+    return preg_match('/^([0-9]+)/', ltrim($n), $m)? $m[0]: "";
+}
+
+function hex_from_string($h) {
+    return preg_match('/^([0-9a-fA-F]+)/', ltrim($h), $m)? $m[0]: "";
+}
+
+// echo dec_from_string("  11aaa44").PHP_EOL;
+// echo hex_from_string(" 22aa<a").PHP_EOL;
diff --git a/www/index.php b/www/index.php
index 294131b..48892bd 100644
--- a/www/index.php
+++ b/www/index.php
@@ -60,7 +60,7 @@ if (empty($_REQUEST['id']))  {
      echo "ãã¡ã¤ã«ãæå®ãã¦ãã ããã($upload_max_filesize Bytes ä»¥åã«éå®ãã¦ã¾ã)";
      exit(0);
 }
-$id = $_REQUEST['id'];
+$id = hex_from_string($_REQUEST['id']);
 $tmp_filename = "$tmp_prefix$id.swf";
 $swfdata = file_get_contents($tmp_filename);
 
diff --git a/www/swfimage.php b/www/swfimage.php
index b2df7e9..48f55d9 100644
--- a/www/swfimage.php
+++ b/www/swfimage.php
@@ -2,8 +2,8 @@
 
 require_once('define.php');
 
-$id       = $_REQUEST['id'];
-$image_id = $_REQUEST['image_id'];
+$id       = hex_from_string($_REQUEST['id']);
+$image_id = dec_from_string($_REQUEST['image_id']);
 $ext      = $_REQUEST['ext'];
 
 switch ($ext) {
diff --git a/www/swfimagelist.php b/www/swfimagelist.php
index 71337ee..f679b92 100644
--- a/www/swfimagelist.php
+++ b/www/swfimagelist.php
@@ -4,7 +4,7 @@
 
 require_once('define.php');
 
-$id = $_REQUEST['id'];
+$id = hex_from_string($_REQUEST['id']);
 
 $filename = "$tmp_prefix$id.swf";
 $swfdata = file_get_contents($filename);
diff --git a/www/swfimagereplace.php b/www/swfimagereplace.php
index 5d51660..5c3a86a 100644
--- a/www/swfimagereplace.php
+++ b/www/swfimagereplace.php
@@ -34,8 +34,8 @@ if (! empty($_FILES['imagefile']['tmp_name'])) {
         exit(0);
     }
     $tmp_name = sha1($imagedata, false);
-    $id = $_REQUEST['id'];
-    $image_id = $_REQUEST['image_id'];
+    $id = hex_from_string($_REQUEST['id']);
+    $image_id = dec_from_string($_REQUEST['image_id']);
     $ext = detect_image_ext($imagedata);
     if ($ext == false) {
         $image_sig = substr($imagedata, 0, 8);
@@ -70,8 +70,8 @@ FORM;
 }
 
 if (empty($_REQUEST['id_image']))  {
-    $id       = $_REQUEST['id'];
-    $image_id = $_REQUEST['image_id'];
+    $id       = hex_from_string($_REQUEST['id']);
+    $image_id = dec_from_string($_REQUEST['image_id']);
 echo <<< FORM
 <html>
 <head>
@@ -94,9 +94,9 @@ FORM;
     exit(0);
 }
 
-$id = $_REQUEST['id'];
-$image_id = $_REQUEST['image_id'];
-$id_image = $_REQUEST['id_image'];
+$id = hex_from_string($_REQUEST['id']);
+$image_id = dec_from_string($_REQUEST['image_id']);
+$id_image = hex_from_string($_REQUEST['id_image']);
 $ext = $_REQUEST['ext'];
 
 if (($ext != '.jpg') && ($ext != '.png') && ($ext != '.gif')) {
diff --git a/www/swfshape.php b/www/swfshape.php
index 408eb5d..c411e62 100644
--- a/www/swfshape.php
+++ b/www/swfshape.php
@@ -2,9 +2,13 @@
 
 require_once('define.php');
 
-$id       = $_REQUEST['id'];
-$shape_id = $_REQUEST['shape_id'];
+$id       = hex_from_string($_REQUEST['id']);
+$shape_id = dec_from_string($_REQUEST['shape_id']);
 $ext      = $_REQUEST['ext'];
+if (($ext != '.jpg') && ($ext != '.png') && ($ext != '.gif')) {
+    echo "unknown ext=($ext)..\n";
+    exit(1);
+}
 
 $shape_filename = "$tmp_prefix$id-$shape_id$ext";
 $shape_data = file_get_contents($shape_filename);
-- 
2.11.0

