Snitz Forums 2000
Help: General / Classic ASP versions (v3.4.XX)
If I replace ReplaceURLs with that...
SiSL (Average Member, Turkey, 671 Posts)
Posted - 20 December 2008 : 19:42:47
Okay, if I replace ReplaceURLs with the following function, do you see any exploits happening? (I'm serious; it's best to learn about it from the authors who wrote the original code.)

So if you ask about the differences from the current code, here are a few:

- Does not require " (quotes) for the URL tag (helpful for newbies who just paste imageshack links) -- but if there are quotes, it ignores them being there (compatible with the current code)
- Does require the URL to start with one of a few protocols: http, https, ftp, icyx, mms, ftp, mailto and www (replaced with http://www), and naturally ignores schemes such as view-source, javascript, jscript, vbscript etc.
- Requires the URL to be a single string (without line breaks etc.) up to the closing "] or ]



Function ReplaceURLs(fString)
	' Pass 1: [url=address]description[/url]. The quotes around the address are optional.
	' Assumption: the third quote alternative was the &quot; entity (Snitz-encoded quote); the forum
	' displays it as a bare ", which would terminate the VBScript string literal and not compile.
	set re = new RegExp
	re.pattern = "\[url(=""|='|=&quot;|=)?(www.|https?://|ed2k://|icyx://|mms://|ftp://|mailto:)([^""\]].+?)(""|'|&quot;)?\]([\s\S]+?)\[/url\]"
	re.ignorecase = true
	re.global = true

	set matches = re.execute(fString)
	totalMatches = matches.count

	if totalMatches <> 0 Then
		'Response.write "<br/>Total Matches: " & totalMatches
		For each match in matches
			' SubMatches is zero-based: 0 = opening quote, 1 = prefix, 2 = address, 3 = closing quote, 4 = description
			tempURLPrefix = match.SubMatches(1)
			' The regex is case-insensitive, so compare the prefix case-insensitively as well
			if LCase(tempURLPrefix) = "www." Then
				tempURLPrefix = "http://www."
			End If
			tempURL = match.SubMatches(2)
			tempURLDesc = match.SubMatches(4)
			finalTempChange = "<a href=""" & tempURLPrefix & tempURL & """ target=""_blank"" rel=""nofollow"">" & tempURLDesc & "</a>"
			' Replace only the first remaining match; a replaced tag no longer matches, so the loop walks forward
			re.Global = False
			fString = re.Replace(fString, finalTempChange)
			tempURLPrefix = ""
			tempURL = ""
			tempURLDesc = ""
			finalTempChange = ""
		Next
	End If
	set matches = nothing

	' Pass 2: [url]address[/url] with no description; the address as typed becomes the link text
	set re = new RegExp
	re.pattern = "\[url\](www.|https?://|ed2k://|icyx://|mms://|ftp://|mailto:)([^""\[].+?)\[/url\]"
	re.ignorecase = true
	re.global = true

	set matches = re.execute(fString)
	totalMatches = matches.count

	if totalMatches <> 0 Then
		'Response.write "<br/>Total Matches: " & totalMatches
		For each match in matches
			' SubMatches(0) = prefix, SubMatches(1) = address
			tempURLPrefix = match.SubMatches(0)
			tempURL = match.SubMatches(1)
			' Show the full address (prefix included) rather than only the part after the prefix
			tempURLDesc = match.SubMatches(0) & tempURL
			if LCase(tempURLPrefix) = "www." Then
				tempURLPrefix = "http://www."
			End If
			finalTempChange = "<a href=""" & tempURLPrefix & tempURL & """ target=""_blank"" rel=""nofollow"">" & tempURLDesc & "</a>"
			re.Global = False
			fString = re.Replace(fString, finalTempChange)
			tempURLPrefix = ""
			tempURL = ""
			tempURLDesc = ""
			finalTempChange = ""
		Next
	End If
	set matches = nothing
	set re = nothing
	' VBScript returns a value by assigning to the function name; without this the caller gets Empty
	ReplaceURLs = fString
End Function

CHIP Online Forum

My Mods
Select All Code | Fix a vulnerability for your private messages | Avatar Categories W/ Avatar Gallery Mod | Complaint Manager
Admin Level Revisited | Merge Forums | No More Nested Quotes Mod

Edited by - SiSL on 21 December 2008 10:24:37

HuwR (Forum Admin, United Kingdom, 20595 Posts)
Posted - 21 December 2008 : 04:56:10
Could you explain how it is protecting against script injections in the URL or its description?

SiSL (Average Member, Turkey, 671 Posts)
Posted - 21 December 2008 : 08:31:40
Actually, you are quite right. It does not stop people giving links that allow script injections in the URL, but rendering it that way does not do anything to your site (unless you have holes that allow script injection on your site and someone posts a link to them), since it is not connected to a DB query (AFAIK) but only to the final render on the page... (And thanks to the edit_hrefs function, you can't do phishing with any kind of tags like that; it is overridden already in current Snitz, and the same works with this function too.)

Likewise, it does not stop me giving such a URL without [url] tags (the following is just sample code; it does not do anything): http://forum.snitz.com/forum/post.asp?url=%3Cscript%3E&id=5';SELECT

It works similarly to the way normal URLs without tags are rendered in the edit_hrefs function. What it does is naturally disallow annoyances or scripts that they can use on your site directly; for example [url="javascript:alert('test');"] would not work due to the prefix requirement (http:// etc.), which brings us to the point of the good ol' apostrophe http://forum.snitz.com/forum/topic.asp?TOPIC_ID=66909. (PS: It does not touch [url][/url], those without extra links in the first tag, but it is quite easy to check for them as well, doing a second RegEx match after the first pass, such as the following, and changing the submatch numbers:

re.pattern = "\[url\](www.|https?://|ed2k://|icyx://|mms://|ftp://|mailto:)([^\]].+?)\[/url\]"


If there is such an example, it just bypasses it, leaving it in its original form and not rendering any URL from such a statement...

Here is just the use of this function on some examples:



Just toying with regex lately and seeing what it can do for us :)

Edited by - SiSL on 21 December 2008 09:30:17
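The two [url] passes from the first post, ported to JavaScript as an added example (not SiSL's or Snitz's code) so they can be run outside ASP. VBScript's RegExp object is the JScript engine, so the patterns transfer as written; the three quote forms in the first pattern are taken as ", ' and the &quot; entity. The names replaceUrls, makeLink and escapeHtml are my own, the address part is tightened to exclude whitespace, and the port escapes the href and link text itself, assuming input that has not been HTML-encoded by an earlier step:

```javascript
// Added example, not SiSL's or Snitz's code: a JavaScript port of the two
// [url] passes in ReplaceURLs. ignorecase + global become the "gi" flags.

// Schemes the tag must start with; anything else (javascript:, vbscript:,
// view-source:, data:) never matches and is left as plain text.
const SCHEMES = "www\\.|https?://|ed2k://|icyx://|mms://|ftp://|mailto:";

// Pass 1: [url=address]description[/url]. Quotes around the address are
// optional and may be ", ' or the &quot; entity. The address is a single run
// of characters with no whitespace, quote or "]".
const TAGGED = new RegExp(
  "\\[url(?:=\"|='|=&quot;|=)?(" + SCHEMES + ")([^\"\\]\\s]+?)(?:\"|'|&quot;)?\\]" +
  "([\\s\\S]+?)\\[/url\\]",
  "gi"
);

// Pass 2: [url]address[/url] with no description.
const BARE = new RegExp(
  "\\[url\\](" + SCHEMES + ")([^\"\\[\\s]+?)\\[/url\\]",
  "gi"
);

// Escape text going into an attribute value or element body. This port
// assumes raw (not yet HTML-encoded) input and does its own escaping.
function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the anchor the way ReplaceURLs does: "www." gains "http://",
// target=_blank and rel=nofollow are always set.
function makeLink(prefix, address, description) {
  if (prefix.toLowerCase() === "www.") prefix = "http://www.";
  return '<a href="' + escapeHtml(prefix + address) +
         '" target="_blank" rel="nofollow">' + escapeHtml(description) + "</a>";
}

function replaceUrls(text) {
  const tagged = text.replace(TAGGED, (m, prefix, address, description) =>
    makeLink(prefix, address, description));
  // Bare form: the address as typed (prefix included) is the link text.
  return tagged.replace(BARE, (m, prefix, address) =>
    makeLink(prefix, address, prefix + address));
}

// Constructed sample post (not from the thread); the javascript: tag is the
// case discussed in the thread and stays as literal text.
const samplePost =
  'See [url="www.example.com"]the site[/url] or [url]ftp://example.com/a[/url], ' +
  "but [url=\"javascript:alert('test');\"]this[/url] is not converted.";
console.log(replaceUrls(samplePost));
```

Addresses whose scheme is outside the allow-list never match and remain literal text, which is the URL half of HuwR's question; escaping the href and the link text at render time covers the description half.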

HuwR (Forum Admin, United Kingdom, 20595 Posts)
Posted - 21 December 2008 : 09:53:35
What about URLs like forum.snitz.com?

SiSL (Average Member, Turkey, 671 Posts)
Posted - 21 December 2008 : 10:02:34
quote: Originally posted by HuwR
What about URLs like forum.snitz.com?


You mean like [url]forum.snitz.com[/url] (well, this would normally go to http://forum.snitz.com/forum/forum.snitz.com in the current state...)

or [url="forum.snitz.com"]forum.snitz.com[/url]

Nope, it does not accept them as valid URLs unless given a protocol. However, of course it naturally works with:

[url]http://forum.snitz.com[/url]

or [url="http://forum.snitz.com"]forum.snitz.com[/url]


Or another method would be:

re.pattern = "\[url\]([^\]].+?)\[/url\]"


And doing the same checks as in the current function (like vbscript, view-source etc.) on "match.submatches(0)"

Edited by - SiSL on 21 December 2008 10:15:07

HuwR (Forum Admin, United Kingdom, 20595 Posts)
Posted - 21 December 2008 : 10:48:00
The whole point of the url tags is that you do not have to use http or www for it to convert to a URL; that is only necessary if it is not in the url tags. So forum.snitz.com should be converted to a link if it is in url tags.

MarcelG (Retired Support Moderator, Netherlands, 2625 Posts)
Posted - 21 December 2008 : 15:31:51
Huw, that is no different from the current version: forum.snitz.com points to http://forum.snitz.com/forum/forum.snitz.com

So, I think you're mistaken with your statement.
You still need to provide a link in between the URL tags:
[url]www.oxle.com[/url] points to www.oxle.com but [url]oxle.com[/url] points to http://forum.snitz.com/forum/oxle.com (oxle.com)

portfolio - linkshrinker - oxle - twitter

Edited by - MarcelG on 21 December 2008 15:34:32

HuwR (Forum Admin, United Kingdom, 20595 Posts)
Posted - 21 December 2008 : 16:11:19
I always assumed it did.

SiSL (Average Member, Turkey, 671 Posts)
Posted - 21 December 2008 : 19:17:09
Hey!

The downside of this method, of course, is not giving local links like [url]topic.asp?TOPIC_ID=67996[/url] compared to the current one, but it most likely saves a few bits on checking every URL for malicious code and trimming characters etc., since probably no one is losing time trimming a local URL when they copy and paste from their address bar. I'm going to make a render comparison. Classic ASP replaces are normally faster than RegEx if the RegEx is written lazily. However, I will check with timer code.

You know what would be best for Snitz URL/image handling?

Doing these security checks on images and URLs once and for all when a topic/reply is submitted/updated; you know, instead of checking them all the time for every visitor, checking once when posted. No, I don't mean replacing with <a href in the post, but between the [url] and [img] tags.

Edited by - SiSL on 12 January 2009 01:57:14

SiSL (Average Member, Turkey, 671 Posts)
Posted - 22 December 2008 : 21:44:13
Okay, brainstorming continues (since ReplaceURLs comes after chkURLs). We can do a simple check such as this (beware, not finished yet) instead of using chkURLs and editHrefs (it includes the edithrefs and chkURLs functions in a single one), and it does not allow a URL to end with url or img tag endings.

In other words, it limits URLs to be only next to certain tags, such as bold, italic, underlined, left, center, right, quote and * (list option) (more can be added), or stand-alone URLs with br's or whitespace (I haven't added email yet; it will come soon), and the final conversion was [url]<url>[/url], leaving the rest of the checking to these tags. It would be doubly easy if ASP/VBScript supported conditional regex.

However, this will make me review the previous ReplaceURLs so it does not allow phishing types :) Still happy it worked.

I'd suggest putting this check in post_info.asp while posting etc.


Function chkURLs(ByVal strToFormat, ByVal sPrefix, ByVal iType)
	' sPrefix and iType keep the signature of the existing chkURLs for its callers; they are unused here
	set re = new RegExp
	' Tags a URL may sit directly against; [url] and [img] are deliberately not among them
	allowedTagsOpen = "\[b|\[i|\[u|\[left|\[center|\[right|\[quote|\[\*"
	allowedTagsClose = "\[/b|\[/i|\[/u|\[/left|\[/center|\[/right|\[/quote|\[/\*"
	' SubMatches(0): what precedes the URL (start of text, a non-URL character, or an allowed tag plus "]").
	' Then a required scheme, the URL body ("[" allowed only when it does not start a closing tag),
	' a lookahead rejecting anything followed by [/url or [/img, and trailing punctuation/whitespace/end.
	re.pattern = "(^|([^_a-z0-9-=\]""\'/@]|(" & allowedTagsOpen & "|" & allowedTagsClose & ")\]))((https?|ftp|icyx|mms)://|www\.)((\[(?!/)|[^\s[^$`""{}<>])+)(?!\[/url|\[/img)(?=[,.!\')]*(\)\s|\)$|[\s[]|$))"
	re.ignorecase = true
	re.global = true

	set matches = re.execute(strToFormat)
	totalMatches = matches.count
	if totalMatches <> 0 Then
		For each match in matches
			TutanMatch = match.Value
			TutanMatchPrefix = match.SubMatches(0)
			' Strip the prefix from the whole match to get the bare URL, then wrap it in [url] tags
			RealMatch = Right(TutanMatch, Len(TutanMatch) - Len(TutanMatchPrefix))
			RealMatch = TutanMatchPrefix & "[url]" & RealMatch & "[/url]"
			' Replace one match at a time; a wrapped URL no longer matches, so the next replace hits the next URL
			re.Global = False
			strToFormat = re.Replace(strToFormat, RealMatch)
		Next
	End If
	set matches = nothing
	set re = nothing
	chkURLs = strToFormat
End Function


Test Environment:

Edited by - SiSL on 23 December 2008 03:04:14
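The bare-URL wrapping that the chkURLs draft above attempts, as an added JavaScript example (not SiSL's or Snitz's code). The regex keeps the draft's structure: a required scheme, the allowed neighbouring tags, the (?!\[/url|\[/img) guard and the trailing-punctuation lookahead; JScript and JavaScript share a regex engine, so the lookaround syntax is unchanged. Two deliberate departures, both my own: the URL body is matched lazily so trailing punctuation stays outside the tag, and the body's character class also excludes "]". The name wrapBareUrls is assumed:

```javascript
// Added example, not SiSL's or Snitz's code: wrap bare URLs in [url]...[/url]
// at posting time so one [url] pass can validate every link later.

// BBCode tags a URL may sit directly against (the draft's allowedTags lists).
const ALLOWED_TAGS = ["b", "i", "u", "left", "center", "right", "quote", "\\*"];
const TAG_OPEN = ALLOWED_TAGS.map(t => "\\[" + t).join("|");
const TAG_CLOSE = ALLOWED_TAGS.map(t => "\\[/" + t).join("|");

const BARE_URL = new RegExp(
  // group 1: start of text, a character that cannot be part of a URL or
  // tag, or an allowed tag followed by "]"
  "(^|[^_a-z0-9=\\]\"'/@-]|(?:" + TAG_OPEN + "|" + TAG_CLOSE + ")\\])" +
  // group 2: the scheme the URL must start with
  "((?:https?|ftp|icyx|mms)://|www\\.)" +
  // group 3: the rest of the URL; "[" is allowed only when it does not start
  // a closing tag. Lazy (the draft is greedy) so that the final lookahead
  // leaves trailing punctuation outside the tag.
  "((?:\\[(?!/)|[^\\s\\[\\]^$`\"{}<>])+?)" +
  // must not already be the content of a [url] or [img] tag
  "(?!\\[/url|\\[/img)" +
  // followed by optional sentence punctuation, then whitespace, "[" or the end
  "(?=[,.!')]*(?:\\)\\s|\\)$|[\\s\\[]|$))",
  "gi"
);

function wrapBareUrls(text) {
  return text.replace(BARE_URL, (m, before, scheme, rest) =>
    before + "[url]" + scheme + rest + "[/url]");
}

// Constructed sample post (not from the thread). The first two links are
// already tagged and must be left alone; the others get wrapped.
const samplePost =
  "[url]http://example.com[/url] [img]http://example.com/a.png[/img] " +
  "see http://example.com/path, [b]www.example.com[/b] (or www.example.org).";
console.log(wrapBareUrls(samplePost));
```

Once every bare address is wrapped, the scheme allow-list in the [url] pass decides what becomes a link, which is the single check at posting time that SiSL proposes earlier in the thread.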

SiSL (Average Member, Turkey, 671 Posts)
Posted - 22 December 2008 : 21:49:57
Ouch, why is the message two above this one broken?

Edited by - SiSL on 22 December 2008 21:51:28

Carefree (Advanced Member, Philippines, 4217 Posts)
Posted - 11 January 2009 : 18:12:23
quote: Originally posted by SiSL
Ouch, why is the message two above this one broken?

Because you didn't preface your URL with the opening bracket.
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07