总体
采用的是白名单过滤机制:只允许引入特定网站的URL(对照一组URL前缀做 indexOf(前缀)==0 的前缀匹配),同时对特定的参数也进行了过滤,比如autoplay、playstatus这类的自动播放参数。需要注意的是,下面看到的校验全部在浏览器端的JS中完成,文中并未展示服务端是否有相同的校验。
百度安全漏洞系列分析
具体分析
(1)URL提交
嵌入了一个iframe页面,提交代码如下:
1.//有return false,不会真实提交,只会执行函数
2.[HTML_REMOVED]
(2)JS进行处理
由本页面的JS代码进行处理,实现代码如下:
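/**
 * Video-embed dialog controller for the Tieba editor ("TiFlash").
 *
 * accept() validates the URL typed into #bde_flash_url and, if it passes,
 * hands it to execute(), which builds the embed markup and pastes it into
 * the parent editor.  Everything here runs client-side in the popup and
 * reads its whitelist from parent.PageData; nothing in this listing shows
 * the same checks being repeated on the server, so treat the whitelist as
 * a UI guard and confirm server-side enforcement separately.
 *
 * Assigned as a global (no `var`) so the host page can reach it; kept that
 * way for compatibility with existing callers.
 */
TiFlash = {
  // Old-IE detection: attachEvent is present, and Opera is explicitly excluded.
  IE: (!!(window.attachEvent && !window.opera)),

  // Allowed URL prefixes, supplied by the parent page (flashWhiteList).
  validAddrPrefixs: parent.PageData.editor.flashWhiteList,

  /**
   * Submit handler for the video-link form.
   *
   * Always returns false so the form is never really submitted; on success
   * the embed is pasted into the editor, on failure an error message is
   * shown.  An exception thrown by any helper is logged when a console
   * exists and the handler still returns false, so a broken helper fails
   * closed instead of letting the form submit.
   */
  accept: function () {
    try {
      var editor = parent.BdeText;
      var whiteList = this.validAddrPrefixs;

      // Whitelist test is a case-sensitive *prefix* match.  A prefix only
      // pins the host when it extends past the host into the path
      // (".../v/", ".../player"); a prefix that stopped at the host would
      // also accept "host.evil.com".  Everything after the prefix (rest of
      // path, query string) remains user-controlled and is only touched by
      // Post_Video_URL.filter_param() below.
      var isInWhiteList = function (url) {
        for (var i = 0, n = whiteList.length; i < n; i++) {
          if (url.indexOf(whiteList[i]) === 0) {
            return true;
          }
        }
        return false;
      };

      // Raw user input; collapse a doubled scheme ("http://http://") that
      // users paste in.  NOTE(review): the slashes in this regex literal are
      // escaped here; the un-escaped form in the original listing does not
      // parse as JavaScript.
      var flashUrl = document.getElementById('bde_flash_url').value.trim()
        .replace(/^http:\/\/http:\/\//g, "http://");

      // Rewrite known page URLs into their player .swf form
      // (Post_Video_URL is defined in post_video_url.js).
      flashUrl = Post_Video_URL.convert(flashUrl);

      // Default to http:// when no supported scheme is present.
      var schemeRe = /^(https:\/\/|http:\/\/|ftp:\/\/|rtsp:\/\/|mms:\/\/)/;
      if (!schemeRe.test(flashUrl.toLowerCase())) {
        flashUrl = "http://" + flashUrl;
      }

      var lowerUrl = flashUrl.toLowerCase();

      // Empty input, possibly after a scheme was prepended to nothing.
      if (lowerUrl.length <= 0 ||
          lowerUrl === "https://" ||
          lowerUrl === "http://" ||
          lowerUrl === "ftp://" ||
          lowerUrl === "rtsp://" ||
          lowerUrl === "mms://") {
        this.showError("视频链接不能为空");
        return false;
      }

      // Reject page/image URLs by suffix, and over-long URLs.  The dot is
      // unescaped in this pattern, so it matches any character before the
      // suffix — broader than a literal ".", which is the safe direction.
      // getByteLength() is a String extension provided elsewhere in the app.
      var badSuffixRe = /(.html|.htm|.shtml|.xml|.jpg|.jpeg|.bmp|.png|.gif|.tif)$/;
      if (flashUrl.getByteLength() > editor.urlLength || badSuffixRe.test(lowerUrl)) {
        this.showError("输入链接有误,请重试");
        return false;
      }

      // Whitelist is checked on the case-preserved URL, after convert() and
      // before filter_param(); any later rewrite must not alter the prefix.
      if (!isInWhiteList(flashUrl)) {
        this.showError("对不起,您输入的视频链接无效,请重试");
        return false;
      }

      editor.closePopup();
      // Neutralise autoplay-style query parameters before embedding.
      flashUrl = Post_Video_URL.filter_param(flashUrl);
      this.execute(editor, flashUrl);
    } catch (e) {
      // Fail closed, but not silently: surface the failure for debugging.
      if (window.console && window.console.error) {
        window.console.error("TiFlash.accept failed", e);
      }
    }
    return false;
  },

  /**
   * Build the embed markup for a validated URL and paste it into the editor.
   *
   * @param editor parent editor object (parent.BdeText)
   * @param url    whitelisted, parameter-filtered video URL
   *
   * Player size is chosen by a substring test on the whole URL (so a host
   * name appearing in the query string also selects that size; it only
   * affects dimensions).  The markup strings themselves were stripped from
   * this listing ('[HTML_REMOVED]'), so whether `url` is attribute-escaped
   * before it reaches editor.paste() cannot be confirmed here — it must be,
   * since the URL is still user-controlled beyond the whitelisted prefix.
   */
  execute: function (editor, url) {
    var lowered = url.toLowerCase();
    var width = 500;
    var height = 450;
    if (lowered.indexOf("baidu.com") > -1) {
      // Baidu player
      width = 480;
      height = 410;
    } else if (lowered.indexOf("player.video.qiyi.com") > -1) {
      // iQiyi player
      width = 500;
      height = 415;
    }
    // Ku6 and every other host keep the 500x450 default.

    // Old IE needs a different tag/attribute set from other browsers.
    var html = this.IE ? '[HTML_REMOVED]' : '[HTML_REMOVED]';
    editor.paste(html);
    editor.dispatch("oneditorselectionchange");
  },

  // Reset the hint line when the input gains focus (constant text only).
  onFocusInput: function () {
    var tip = document.getElementById('bde_flash_tip');
    tip.innerHTML = "贴吧目前支持土豆、优酷、激动等多家视频网站";
    tip.style.color = "#666666";
  },

  /**
   * Show a validation message.  Writes via innerHTML, so callers must pass
   * only the fixed literals used in this file — never user input.
   */
  showError: function (msg) {
    document.getElementById('errorMsg').innerHTML = msg;
  }
};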
(3)其中的关键代码
1.//处理一些比较重要的URL
2.//替换部分分析//
3.//http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509
// Post_Video_URL: URL rewriting used by TiFlash.accept() — convert() runs
// before the whitelist check, filter_param() after it.
// NOTE(review): the regex literals below appear with unescaped "/" in this
// listing and do not parse as written; the intended patterns presumably
// escape them ("http:\/\/..."). Read them as illustrative of the rules.
4.var Post_Video_URL = {
// [page-URL pattern, player-URL replacement] pairs applied by convert().
// Captured groups are restricted to [0-9a-zA-Z_] (letters only for aipai's
// first group), so the rewritten player URL cannot carry other characters
// from the input; the input's query string is not carried over.
5. convert_urls : [
6. [/http://my.tv.sohu.com/u/vw/([0-9a-zA-Z_]*)$/ig, 'http://my.tv.sohu.com/fo/v4/$1/my.swf'],
7. [/http://client.joy.cn/flvplayer/([0-9a-zA-Z]*)_([0-9]*)_[1-9]*_([0-9]*).swf$/ig,
8.'http://client.joy.cn/flvplayer/$1_$2_0_$3.swf'],
9. [/http://www.56.com/u([0-9]*)/v_([0-9a-zA-Z_]*).html$/ig, 'http://player.56.com/v_$2.swf'],
10. [/http://www.56.com/w([0-9]*)/play_album-aid-([0-9]*)_vid-([0-9a-zA-Z_]*).html$/ig, 'http://player.56.com/v_$3.swf'],
11. [/http://www.letv.com/ptv/vplay/([0-9a-zA-Z_]*).html$/ig, 'http://www.letv.com/player/x$1.swf'],
12. [/http://www.aipai.com/([a-z]*)([0-9]*)/([0-9a-zA-Z]*).html$/ig, 'http://www.aipai.com/$1$2/$3/playerOut.swf'],
13. [/http://mv.molihe.com/show/([0-9]*)$/ig, 'http://mv.molihe.com/molihe_play-1-$1.swf'],
14. [/http://www.tudou.com/programs/view/([0-9a-zA-Z]*)/?$/ig, 'http://www.tudou.com/v/$1/v.swf'],
15. [/http://www.boosj.com/([0-9]*).html$/ig, 'http://static.boosj.com/v/swf/w_player1.0_$1.swf'],
// For share.vrs.sohu.com, whatever follows v.swf (second group) is dropped
// and "&autoplay=false" appended — presumably "(\S*)" in the intended source.
16. [/(http://share.vrs.sohu.com/[0-9a-zA-Z_]*/v.swf)(S*)$/ig, '$1&autoplay=false']
17. ],
// Per-host autoplay parameters handled by filter_param(); see the column
// comment on the next line.
18. auto_params : [
19. // web site domain, param name, param exp, default stop value
20. ['client.joy.cn', 'playstatus', /playstatus=/ig, '0']
21.
22. ],
// convert(url): apply the convert_urls rewrites and return the result.
23. convert : function(url){
24. // ['mv.molihe.com', 'ispause', /ispause=/ig, '1']
25. var s = this.convert_urls;
26. // Apply the matching rules above, then return the processed URL.
// NOTE(review): the listing is truncated at the next line — the rest of
// convert() and the head of filter_param() (its signature and its loop over
// auto_params) were lost. From here on, `p` is presumably one auto_params
// entry and `flash_url_value` is filter_param's argument.
27. for(var i=0;i[HTML_REMOVED]-1){
// An existing "<param>=" is renamed to "old_invalid=" rather than removed,
// and the stop value is appended as a fresh query parameter.
28. flash_url_value = flash_url_value.replace(p[2], 'old_invalid=');
29. flash_url_value += (flash_url_value.indexOf('?') > -1 ? '&' : '?') + p[1] + '=' + p[3];
30. }
31. }
32. return flash_url_value;
33. }
34.};
(4)白名单
1.editor : {"imageLimite":10,"flashLimite":10,"flashWhiteList":
2.["http://www.tudou.com/v/","http://www.tudou.com/player/playlist.swf?lid=",
3."http://6.cn/p/","http://player.ku6.com/refer/",
4."http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=",
5."http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/",
6."http://vhead.blog.sina.com.cn/player/outer_player.swf?","http://img.openv.tv/hd/swf/hd_player.swf?pid=",
7."http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=",
8."http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=",
9."http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=",
10."http://client.joy.cn/flvplayer/","http://static.tieba.baidu.com/tb/flash/",
11."http://player.youku.com/player.php/sid/","http://player.video.qiyi.com/",
12."http://player.xiyou.cntv.cn/","http://player.cntv.cn/",
13."http://www.letv.com/player","http://www.aipai.com/c",
14."http://www.aipai.com/b","http://mv.molihe.com/molihe_play-1-",
15."http://my.tv.sohu.com/fo/v4/","http://share.vrs.sohu.com/",
16."http://www.hualu5.com/swf/","http://player.56.com/v",
17."http://player.56.com/cpm","http://www.tudou.com/l"]}
18.};