總體
採用白名單過濾機制,即只允許引入特定網站的URL,同時對特定的參數也進行了過濾,比如auto這類的自動播放屬性。
百度安全漏洞系列分析
具體分析
(1)URL提交
嵌入了一個iframe頁面,提交代碼如下:
1.//有return false,不會真實提交,只會執行函數
2.[HTML_REMOVED]
(2)JS進行處理
由本頁面的JS代碼進行處理,實現代碼如下:
1.TiFlash = {
// Video/Flash embed dialog of the Tieba editor. It validates a user-supplied
// video URL against a prefix whitelist, normalises it, and pastes the
// resulting embed markup into the editor. It runs in an iframe and reaches
// the hosting editor through `parent`.
2. // IE detection: attachEvent exists and window.opera is absent
3. IE: (!!(window.attachEvent && !window.opera)),
// Allowed URL prefixes, read from the parent page (listed in section (4)).
4. validAddrPrefixs: parent.PageData.editor.flashWhiteList,
// Submit handler for the URL form. Always returns false, so the form is
// never really submitted; on success the embed is pasted via execute().
5. accept: function(){
6. try {
7. var editor = parent.BdeText;
8. var whiteList = this.validAddrPrefixs;
9.
10.// Whitelist test: a plain string-prefix match (indexOf(...) == 0) against
// each entry. Entries are fixed scheme+host(+path) strings, so the host is
// pinned, but everything after the matched prefix is left unconstrained.
11. var isInWhiteList = function(url){
12. for (var i = 0, j = whiteList.length; i < j; i++) {
13. if (url.indexOf(whiteList[i]) == 0)
14. return true;
15. }
16. return false;
17. }
18.// bde_flash_url is the text input holding the user's URL
19.// Collapse a doubled "http://http://" prefix in the user input
// NOTE(review): the regex below seems to have lost its backslashes in
// extraction (original presumably /^http:\/\/http:\/\//g); as printed it
// does not parse. Same for the scheme regex and the suffix regex further down.
20. var flash_url_value = document.getElementById('bde_flash_url').value.trim().replace(/^http://http:///g, "http://");
21.// Detailed normalisation step:
22.// page URLs of known video sites are rewritten into their player URLs
23.// (see the convert() function of Post_Video_URL in section (3), served from
24.//http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509
25.// it also handles some site-specific parameters such as autoplay flags)
26. flash_url_value = Post_Video_URL.convert(flash_url_value);
27.// Prepend "http://" when the URL carries none of the accepted schemes
28. var urlexp = /^(https://|http://|ftp://|rtsp://|mms://)/;
29. if (!(urlexp.test(flash_url_value.toLowerCase()))) {
30. flash_url_value = "http://" + flash_url_value;
31. }
32.// Lower-cased copy used for the checks below (not for the whitelist match)
33. var lower_url = flash_url_value.toLowerCase();
34.// Empty input: after the scheme was prepended, "empty" means scheme-only
35. if (lower_url.length <= 0 ||
36. lower_url == "https://" ||
37. lower_url == "http://" ||
38. lower_url == "ftp://" ||
39. lower_url == "rtsp://" ||
40. lower_url == "mms://") {
41. this.showError("視頻鏈接不能為空");
42. return false;
43. }
44.// Reject URLs ending in a page/image extension, or exceeding the length limit
// NOTE(review): as printed the dots are unescaped, so ".html" matches any
// character followed by "html"; the original most likely used \.html etc.
// getByteLength() is not a standard String method — presumably a project
// extension not shown on this page.
45. urlexp = /(.html|.htm|.shtml|.xml|.jpg|.jpeg|.bmp|.png|.gif|.tif)$/;
46. if (flash_url_value.getByteLength() > editor.urlLength || urlexp.test(lower_url)) {
47. this.showError("輸入鏈接有誤,請重試");
48. return false;
49. }
50.// Not on the whitelist: reject. Note this uses the original-case URL, so the
// match is case-sensitive, unlike the checks above which used lower_url.
51. if (!isInWhiteList(flash_url_value)) {
52. this.showError("對不起,您輸入的視頻鏈接無效,請重試");
53. return false;
54. }
55. editor.closePopup();
56.// Neutralise selected URL parameters (autoplay-style flags) before embedding;
// filter_param belongs to Post_Video_URL (section (3), only partly shown here).
57. flash_url_value = Post_Video_URL.filter_param(flash_url_value);
58. this.execute(editor, flash_url_value);
59. }
// Every exception — a missing parent editor, a failing DOM lookup, a regex
// error — is swallowed here, so a validation failure can pass unnoticed and
// the user gets no feedback. Reporting the error would make failures visible.
60. catch (e) {
61. }
62. return false;
63. },
// Builds the embed markup for an already-validated URL and pastes it.
//   editor: the parent editor object (closePopup/paste/dispatch)
//   url:    the whitelisted and parameter-filtered video URL
64. execute: function(editor, url){
65. var html = '';
66. var height = 450, width = 500;
67. // Pick player dimensions per site. These are substring tests anywhere in
// the URL (not host checks); they only affect sizing, not what is embedded.
68. if (url.toLowerCase().indexOf("baidu.com") > -1) {// Baidu
69. width = 480;
70. height = 410;
71. }
72. else
73. if (url.toLowerCase().indexOf("player.video.qiyi.com") > -1) {// Qiyi
74. width = 500;
75. height = 415;
76. }
77. else {// Ku6 and other video sites
78. width = 500;
79. height = 450;
80. }
81.// IE gets different embed attributes.
// NOTE(review): the markup was stripped from this page ([HTML_REMOVED]), so
// whether url is escaped before being interpolated cannot be judged here.
82. if (this.IE) {
83. html = '[HTML_REMOVED]';
84. }
85. else {
86. html = '[HTML_REMOVED]';
87. }
88. // Paste the markup and notify the editor of the selection change
89. editor.paste(html);
90. editor.dispatch("oneditorselectionchange");
91. },
// Restores the hint text under the input on focus. Fixed literal, so
// innerHTML is harmless here.
92. onFocusInput: function(){
93. document.getElementById('bde_flash_tip').innerHTML = "貼吧目前支持土豆、優酷、激動等多家視頻網站";
94. document.getElementById('bde_flash_tip').style.color = "#666666";
95. },
// Displays an error message. msg is written through innerHTML; every caller
// on this page passes a string literal, and it must never receive user text.
96. showError: function(msg){
97. document.getElementById('errorMsg').innerHTML = msg;
98. }
99. };
(3)其中的關鍵代碼
1.//處理一些比較重要的URL
2.//替換部分分析//
3.//http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509
4.var Post_Video_URL = {
// URL rewriting rules for the embed dialog: page links of known video sites
// are converted into their player .swf URLs (the form the whitelist accepts),
// and selected autoplay parameters are neutralised.
// NOTE(review): the regex literals on this page appear to have lost their
// backslashes in extraction (e.g. the unescaped "http://" and "(S*)"); read
// '.' and '/' as escaped in the original and confirm against the live script.
// The patterns carry no '^' anchor; the host is pinned only by the whitelist
// prefix check that TiFlash.accept performs after convert().
5. convert_urls : [
// [pattern, replacement] pairs. Capture groups are limited to [0-9a-zA-Z_]
// (or digits), so only the site's own id slots reach the rewritten URL.
6. [/http://my.tv.sohu.com/u/vw/([0-9a-zA-Z_]*)$/ig, 'http://my.tv.sohu.com/fo/v4/$1/my.swf'],
7. [/http://client.joy.cn/flvplayer/([0-9a-zA-Z]*)_([0-9]*)_[1-9]*_([0-9]*).swf$/ig,
8.'http://client.joy.cn/flvplayer/$1_$2_0_$3.swf'],
9. [/http://www.56.com/u([0-9]*)/v_([0-9a-zA-Z_]*).html$/ig, 'http://player.56.com/v_$2.swf'],
10. [/http://www.56.com/w([0-9]*)/play_album-aid-([0-9]*)_vid-([0-9a-zA-Z_]*).html$/ig, 'http://player.56.com/v_$3.swf'],
11. [/http://www.letv.com/ptv/vplay/([0-9a-zA-Z_]*).html$/ig, 'http://www.letv.com/player/x$1.swf'],
12. [/http://www.aipai.com/([a-z]*)([0-9]*)/([0-9a-zA-Z]*).html$/ig, 'http://www.aipai.com/$1$2/$3/playerOut.swf'],
13. [/http://mv.molihe.com/show/([0-9]*)$/ig, 'http://mv.molihe.com/molihe_play-1-$1.swf'],
14. [/http://www.tudou.com/programs/view/([0-9a-zA-Z]*)/?$/ig, 'http://www.tudou.com/v/$1/v.swf'],
15. [/http://www.boosj.com/([0-9]*).html$/ig, 'http://static.boosj.com/v/swf/w_player1.0_$1.swf'],
// Sohu share links: whatever trails v.swf ($2) is dropped and a fixed
// autoplay=false is appended (with '&', i.e. assuming a query is present).
16. [/(http://share.vrs.sohu.com/[0-9a-zA-Z_]*/v.swf)(S*)$/ig, '$1&autoplay=false']
17. ],
// Parameters forced to a "stopped" value; consumed by the filtering code below.
18. auto_params : [
19. // web site domain, param name, param exp, default stop value
20. ['client.joy.cn', 'playstatus', /playstatus=/ig, '0']
21.
22. ],
// Applies the convert_urls rules to a raw URL and returns the rewritten URL.
23. convert : function(url){
24. // ['mv.molihe.com', 'ispause', /ispause=/ig, '1']
25. var s = this.convert_urls;
26. // Replace any URL matching one of the rules above, then return the result
27. for(var i=0;i[HTML_REMOVED]-1){
// NOTE(review): the listing is truncated at this point — the rest of
// convert() and the head of the parameter-filtering function (called
// filter_param from TiFlash.accept) are missing. The lines below belong to
// that second function; p is presumably an auto_params entry and
// flash_url_value its URL argument — confirm against the live script.
// The existing parameter name is rewritten to "old_invalid=" and the entry's
// stop value is appended as p[1]=p[3], presumably so the caller-supplied
// value no longer takes effect.
28. flash_url_value = flash_url_value.replace(p[2], 'old_invalid=');
29. flash_url_value += (flash_url_value.indexOf('?') > -1 ? '&' : '?') + p[1] + '=' + p[3];
30. }
31. }
32. return flash_url_value;
33. }
34.};
(4)白名單
1.editor : {"imageLimite":10,"flashLimite":10,"flashWhiteList":
2.["http://www.tudou.com/v/","http://www.tudou.com/player/playlist.swf?lid=",
3."http://6.cn/p/","http://player.ku6.com/refer/",
4."http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=",
5."http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/",
6."http://vhead.blog.sina.com.cn/player/outer_player.swf?","http://img.openv.tv/hd/swf/hd_player.swf?pid=",
7."http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=",
8."http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=",
9."http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=",
10."http://client.joy.cn/flvplayer/","http://static.tieba.baidu.com/tb/flash/",
11."http://player.youku.com/player.php/sid/","http://player.video.qiyi.com/",
12."http://player.xiyou.cntv.cn/","http://player.cntv.cn/",
13."http://www.letv.com/player","http://www.aipai.com/c",
14."http://www.aipai.com/b","http://mv.molihe.com/molihe_play-1-",
15."http://my.tv.sohu.com/fo/v4/","http://share.vrs.sohu.com/",
16."http://www.hualu5.com/swf/","http://player.56.com/v",
17."http://player.56.com/cpm","http://www.tudou.com/l"]}
18.};