百度贴吧flash过滤机制研究

出自sebug security vulnerability(SSV) DB


总体

采用白名单过滤机制,即只允许引入特定网站的URL;同时对特定的参数也进行了过滤,比如auto这类的自动播放属性。

百度安全漏洞系列分析

具体分析

(1)URL提交

嵌入了一个iframe页面,提交代码如下:

  1. //has return false, so the form is never actually submitted; only the handler function runs
  2. <form action="/f" onsubmit="TiFlash.accept();return false">

(2)JS进行处理

由本页面的JS代码进行处理,实现代码如下:

  1.             TiFlash = {
  2. 	    //treated as IE when window.attachEvent exists and the browser is not Opera
  3.                 IE: (!!(window.attachEvent && !window.opera)),
  4.                 validAddrPrefixs: parent.PageData.editor.flashWhiteList, // allowed URL prefixes, read from the parent frame at construction time
  5.                 accept: function(){ // form handler: validates the entered URL and, if accepted, embeds it; always returns false so the form never submits
  6.                     try {
  7.                         var editor = parent.BdeText;
  8.                         var whiteList = this.validAddrPrefixs;
  9.  
  10. 			//true when url starts with one of the whitelist prefixes (plain, case-sensitive prefix test)
  11.                         var isInWhiteList = function(url){
  12.                             for (var i = 0, j = whiteList.length; i < j; i++) {
  13.                                 if (url.indexOf(whiteList[i]) == 0) // indexOf == 0 means "starts with"
  14.                                     return true;
  15.                             }
  16.                             return false;
  17.                         }
  18. 			//bde_flash_url holds the user-entered URL
  19. 			//collapse a doubled "http://http://" into a single scheme
  20.                         var flash_url_value = document.getElementById('bde_flash_url').value.trim().replace(/^http:\/\/http:\/\//g, "http://");
  21. 			//site-specific normalisation (runs before any validation):
  22. 			//rewrites known page URLs into their player form via the rules in
  23. 			//Post_Video_URL.convert_urls (one rule also appends autoplay=false); source:
  24. 			//http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509
  25. 			//the autoplay-style parameter handling itself lives in Post_Video_URL.filter_param (called further down)
  26.                         flash_url_value = Post_Video_URL.convert(flash_url_value);
  27. 			//prepend http:// when none of the recognised schemes is present
  28.                         var urlexp = /^(https:\/\/|http:\/\/|ftp:\/\/|rtsp:\/\/|mms:\/\/)/;
  29.                         if (!(urlexp.test(flash_url_value.toLowerCase()))) {
  30.                             flash_url_value = "http://" + flash_url_value;
  31.                         }
  32. 			//lower-cased copy used for the checks below
  33.                         var lower_url = flash_url_value.toLowerCase();
  34. 			//reject an empty link (or a bare scheme)
  35.                         if (lower_url.length <= 0 ||
  36.                         lower_url == "https://" ||
  37.                         lower_url == "http://" ||
  38.                         lower_url == "ftp://" ||
  39.                         lower_url == "rtsp://" ||
  40.                         lower_url == "mms://") {
  41.                             this.showError("视频链接不能为空");
  42.                             return false;
  43.                         }
  44. 			//reject over-long input and page/image-style extensions
  45.                         urlexp = /(\.html|\.htm|\.shtml|\.xml|\.jpg|\.jpeg|\.bmp|\.png|\.gif|\.tif)$/;
  46.                         if (flash_url_value.getByteLength() > editor.urlLength || urlexp.test(lower_url)) { // getByteLength and editor.urlLength are defined elsewhere (not shown here)
  47.                             this.showError("输入链接有误,请重试");
  48.                             return false;
  49.                         }
  50. 			//reject anything outside the whitelist (checked on the original-case value)
  51.                         if (!isInWhiteList(flash_url_value)) {
  52.                             this.showError("对不起,您输入的视频链接无效,请重试");
  53.                             return false;
  54.                         }
  55.                         editor.closePopup();
  56. 			//strip/normalise autoplay-style parameters; NOTE(review): this rewrite runs after the whitelist check, so the value embedded below is not the exact value that was validated
  57.                         flash_url_value = Post_Video_URL.filter_param(flash_url_value);
  58.                         this.execute(editor, flash_url_value);
  59.                     }
  60.                     catch (e) { // every exception from the DOM lookups or helpers above is swallowed: nothing is logged or shown to the user
  61.                     }
  62.                     return false;
  63.                 },
  64.                 execute: function(editor, url){ // builds the embed markup for url and pastes it into the editor
  65.                     var html = '';
  66.                     var height = 450, width = 500;
  67. 		    //player size depends on the host site
  68.                     if (url.toLowerCase().indexOf("baidu.com") > -1) {// baidu
  69.                         width = 480;
  70.                         height = 410;
  71.                     }
  72.                     else 
  73.                         if (url.toLowerCase().indexOf("player.video.qiyi.com") > -1) {// qiyi
  74.                             width = 500;
  75.                             height = 415;
  76.                         }
  77.                         else {// ku6 and other sites
  78.                             width = 500;
  79.                             height = 450;
  80.                         }
  81. 			//IE: emit an <embed> built by string concatenation; NOTE(review): attribute-safety of the src value depends on editor.formatURL, which is not shown here
  82.                     if (this.IE) {
  83.                         html = '<embed class="BDE_Flash" allowfullscreen="true" pluginspage="http://www.macromedia.com/go/getflashplayer"';
  84.                         html += ' src="' + editor.formatURL(url) + '"';
  85.                         html += ' width="' + width + '" height="' + height + '"';
  86.                         html += ' type="application/x-shockwave-flash" wmode="transparent" play="true" loop="false"';
  87.                         html += ' menu="false" allowscriptaccess="never" scale="noborder">'; // allowscriptaccess is set to "never" for the embedded SWF
  88.                     }
  89.                     else {
  90.                         html = '<img class="BDE_Flash" src="http://static.tieba.baidu.com/tb/editor/images/blank.gif"'; // non-IE: a blank placeholder image carrying the URL in its title attribute
  91.                         html += ' title="' + editor.formatURL(url) + '"';
  92.                         html += ' width="' + width + '" height="' + height + '">';
  93.                     }
  94.                     //paste the generated markup into the editor
  95.                     editor.paste(html);
  96.                     editor.dispatch("oneditorselectionchange");
  97.                 },
  98.                 onFocusInput: function(){ // resets the hint text and colour below the input
  99.                     document.getElementById('bde_flash_tip').innerHTML = "贴吧目前支持土豆、优酷、激动等多家视频网站";
  100.                     document.getElementById('bde_flash_tip').style.color = "#666666";
  101.                 },
  102.                 showError: function(msg){ // writes msg into the errorMsg element as HTML
  103.                     document.getElementById('errorMsg').innerHTML = msg;
  104.                 }
  105.             };

(3)其中的关键代码

  // URL normalisation helpers used by TiFlash.accept.
  // Source: http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509
  // convert()      rewrites known video-site page URLs into their player (SWF) form.
  // filter_param() strips autoplay-style query parameters and forces a "stopped"
  //                value for sites listed in auto_params.
  var Post_Video_URL = {
      // [pattern, replacement] pairs, applied in order by convert().
      convert_urls : [
         [/http:\/\/my\.tv\.sohu\.com\/u\/vw\/([0-9a-zA-Z_]*)$/ig, 'http://my.tv.sohu.com/fo/v4/$1/my.swf'],
         [/http:\/\/client\.joy\.cn\/flvplayer\/([0-9a-zA-Z]*)_([0-9]*)_[1-9]*_([0-9]*)\.swf$/ig, 'http://client.joy.cn/flvplayer/$1_$2_0_$3.swf'],
         [/http:\/\/www\.56\.com\/u([0-9]*)\/v_([0-9a-zA-Z_]*)\.html$/ig, 'http://player.56.com/v_$2.swf'],
         [/http:\/\/www\.56\.com\/w([0-9]*)\/play_album-aid-([0-9]*)_vid-([0-9a-zA-Z_]*)\.html$/ig, 'http://player.56.com/v_$3.swf'],
         [/http:\/\/www\.letv\.com\/ptv\/vplay\/([0-9a-zA-Z_]*)\.html$/ig, 'http://www.letv.com/player/x$1.swf'],
         [/http:\/\/www\.aipai\.com\/([a-z]*)([0-9]*)\/([0-9a-zA-Z]*)\.html$/ig, 'http://www.aipai.com/$1$2/$3/playerOut.swf'],
         [/http:\/\/mv\.molihe\.com\/show\/([0-9]*)$/ig, 'http://mv.molihe.com/molihe_play-1-$1.swf'],
         [/http:\/\/www\.tudou\.com\/programs\/view\/([0-9a-zA-Z]*)\/?$/ig, 'http://www.tudou.com/v/$1\/v.swf'],
         [/http:\/\/www\.boosj\.com\/([0-9]*)\.html$/ig, 'http://static.boosj.com/v/swf/w_player1.0_$1.swf'],
         // the sohu share player keeps its query string but gets autoplay=false appended
         [/(http:\/\/share\.vrs\.sohu\.com\/[0-9a-zA-Z_]*\/v\.swf)(\S*)$/ig, '$1&autoplay=false']
      ],
      // Per-site autoplay parameters: [site domain, param name, param regex, forced "stopped" value].
      // (A second entry for mv.molihe.com / ispause was left commented out in the original.)
      auto_params : [
          ['client.joy.cn', 'playstatus', /playstatus=/ig, '0']
      ],
      // Apply every convert_urls rule in sequence; each rule sees the output of the
      // previous one. Returns the (possibly unchanged) URL string.
      convert : function(url){
          var rules = this.convert_urls;
          var result = url;
          var k = 0;
          while (k < rules.length) {
              result = result.replace(rules[k][0], rules[k][1]);
              k += 1;
          }
          return result;
      },
      // Remove autoplay-style parameters ("...auto...=value") from flash_url_value,
      // except for share.vrs.sohu.com URLs, then for each auto_params site rename the
      // existing parameter to old_invalid= and append the forced value.
      // Only a preceding '&' is consumed together with a stripped parameter, so a
      // stripped first parameter leaves its '?' in place.
      filter_param : function(flash_url_value){
          var result = flash_url_value;
          var isSohuShare = result.indexOf('share.vrs.sohu.com') > -1;
          if (!isSohuShare) {
              result = result.replace(/(\&)?\w*auto\w*=[\w\d]+/ig, "");
          }
          var rules = this.auto_params;
          var k, rule, separator;
          for (k = 0; k < rules.length; k += 1) {
              rule = rules[k];
              if (result.indexOf(rule[0]) < 0) {
                  continue;
              }
              result = result.replace(rule[2], 'old_invalid=');
              // separator is chosen on the already-rewritten string
              separator = result.indexOf('?') > -1 ? '&' : '?';
              result = result + separator + rule[1] + '=' + rule[3];
          }
          return result;
      }
  };

(4)白名单

  1. editor : {"imageLimite":10,"flashLimite":10,"flashWhiteList":
  2. ["http:\/\/www.tudou.com\/v\/","http:\/\/www.tudou.com\/player\/playlist.swf?lid=",
  3. "http:\/\/6.cn\/p\/","http:\/\/player.ku6.com\/refer\/",
  4. "http:\/\/img.ku6.com\/common\/V2.0.baidu.swf?vid=","http:\/\/tv.mofile.com\/cn\/xplayer.swf?v=",
  5. "http:\/\/v.blog.sohu.com\/fo\/v4\/","http:\/\/v.blog.sohu.com\/fo\/p4\/",
  6. "http:\/\/vhead.blog.sina.com.cn\/player\/outer_player.swf?","http:\/\/img.openv.tv\/hd\/swf\/hd_player.swf?pid=",
  7. "http:\/\/www.cnboo.com\/flash\/player.swf?ids=","http:\/\/video.pomoho.com\/swf\/out_player.swf?flvid=",
  8. "http:\/\/video.cctv.com\/flash\/cctv_player.swf?VideoID=","http:\/\/misc.home.news.cn\/video\/swf\/VideoDisplay.swf?videoSource=",
  9. "http:\/\/mv.baidu.com\/export\/flashplayer.swf?playlist=","http:\/\/mv.baidu.com\/export\/flashplayer.swf?vid=",
  10. "http:\/\/client.joy.cn\/flvplayer\/","http:\/\/static.tieba.baidu.com\/tb\/flash\/",
  11. "http:\/\/player.youku.com\/player.php\/sid\/","http:\/\/player.video.qiyi.com\/",
  12. "http:\/\/player.xiyou.cntv.cn\/","http:\/\/player.cntv.cn\/",
  13. "http:\/\/www.letv.com\/player","http:\/\/www.aipai.com\/c",
  14. "http:\/\/www.aipai.com\/b","http:\/\/mv.molihe.com\/molihe_play-1-",
  15. "http:\/\/my.tv.sohu.com\/fo\/v4\/","http:\/\/share.vrs.sohu.com\/",
  16. "http:\/\/www.hualu5.com\/swf\/","http:\/\/player.56.com\/v",
  17. "http:\/\/player.56.com\/cpm","http:\/\/www.tudou.com\/l"]} 
  18. };