MTで学ぶセキュアプログラミング@MT Tokyo

MTで学ぶセキュアプログラミング MT Tokyo 2014 August [email protected]


MT東京 8月のセッション（テーマ：セキュリティ）


2. ? 3. ? 4. ? MTML Movable Type MT MT 5. 6. 7. > 8. : PHP 9. PHP 10. ? 11. ( ) = 12. ? ? 13. ? ( ) ()=> 14. Vs. 15. ? 16. 17. ? () 18. AllowPHPScript 0 PowerCMS(DynamicMTML)... 19. PowerCMS(DynamicMTML)... 20. function strip_php( $source ) {! $tokens = token_get_all( $source );! $res = '';! $inphp = FALSE;! foreach ( $tokens as $token ) {! if ( is_string( $token ) ) {! $token = array( '', $token );! }! list( $id, $str ) = $token;! if (! $inphp ) {! if ( $id === T_OPEN_TAG or $id == T_OPEN $inphp = TRUE;! } else {! $res .= $str;! }! PHPPHP 21. 22. XSS = Cross Site Scripting CSRF = Cross site request forgeries SQL (OS Command) Injection Directory traversal 23. : 24. : 25. : 26. : 27. : sub load_core_tags {! require MT::Template::Context;! return {! function => {! SearchString => &_hdlr_search_string,! ...! ! sub _hdlr_search_string! { $_[0]->stash('search_string') || '' } package MT::Template::Context::Search;! 28. : sub prepare_context {! my $app = shift;! my $q = $app->param;! ...! if ( my $str = $app->{search_string} ) {! $ctx->stash(! 'search_string', encode_html($str) );! } package MT::App::Search;! 29. !() 30. : ...! ! sub context_script {! my ( $ctx, $args, $cond ) = @_;! ! my $search_string! = decode_html($ctx->stash('search_string') package MT::Template::Context::Search;! ! 31. ? ? 32. () 33. ... 34. ... 35. 36. 37. $q = $_GET[search];! $sql = SELECT FROM mt_entry WHERE! mt_entry.entry_title LIKE % ${q}% : PHP 38. APIOR 39. my $app = MT->instance;! my $q = $app->param(search);! my @entries = MT- >model(entry)! ->load( {! title => { like => $q }, ! } ) : Perl 40. $app = $ctx- >stash(bootstrapper);! $q = $app->param(search);! $entries = $app->! load(entry,! array( title => ! array( like => $q ))); : PHP(DynamicMTML) 41. var q = jQuery('#search').value;! var params = {! search: q,! searchFields: "title,body",! };! api.listEntries(siteId, params, function(response) {! if (response.error) {! return;! }! : JavaScript 42. w 43. ! 44. 45. applications:! cms:! 
menus:! page:page_foo:! label: Foo! order: 1000! mode: page_foo! permission: manage_pages! view:! - blog! - website! : Plugin 46. : Plugin methods:! page_foo: $Foo::Foo::CMS:: page_foo! package Foo::CMS! ! sub page_foo {! my $app = shift;! # Do Something! param; my $type = $q->param('_type'); my $save_mode = 'save_' . $type; if ( my $hdlrs = $app->handlers_for_mode($save_mode) ) { return $app->forward($save_mode);} my $id = $q->param('id'); $app->validate_magic() or return; my $author = $app->user; my $perms = $app->permissions; if ( !$author->is_superuser ) { if ( ( $type ne 'author' ) && ( $type ne 'template' ) ){ return return $app->permission_denied() if !$perms && $id; } $app->run_callbacks( 'cms_save_permission_lter.' . $type, $app, $id ) || return $app->permission_denied(); } # MT::CMS::Common::save() magic_token save_foo forward cms_save_permission_lter.foo1 52. 53. = ? 54. 55. 56. package MT::App::CMS; 57. GET() package Foo::CMS! ! sub page_foo {! my $app = shift;! if ( $app->request_method ne POST ) { ! return $app->permission_denied();! }! #Do Something! } POST 58. package Foo::CMS! ! sub page_foo {! my $app = shift;! if $app->validate_magic! or return $app->permission_denied();! }! #Do Something! } magic_token 59. magic_token= session savedelete! ()magic_token ID/Password delete 60. magic_token= session savedelete! ()magic_token ID/Password delete 61. 62. CSRF? mt.cgi?__mode=save&_type=foo&title=Title... ! URL 63. if $app->validate_magic(! { with_confirm! => { message =>! FooBar ?,! icon => CAUTION! } } )! or return $app->trans_error...! }! 64. () if $app->validate_magic! ( FooBar? )! or return $app->trans_error...! }! 65. () FooBar ? 66. UX! 67. 68. package Foo::CMS! ! sub page_foo {! my $app = shift;! my $perms = $app->permissions! or return $app->permission_denied();! return $app->permission_denied()! unless $perms! ->can_do('edit_all_pages');! #Do Something! } + 69. 70. 
sub some_action{ my $app= shift; require MT::Page; my $blog = app->blog; my $page = MT::Page->load( $app->param( 'id' ) ); if (! $page ) { return $app->translate( 'Invalid Page ID:[_1].', $app->param( 'id' ) ); } my $perm = $app->user->is_superuser; if (! $perm ) { $perm = $app->user->permissions( $blog->id )->can_administer_website $perm = $app->user->permissions( $blog->id )->can_administer_blog unless $perm; $perm = $app->user->permissions( $blog->id )->can_manage_pages unless $perm; } if (! $perm ) { return $app->translate( 'Permission denied.' ); } # $page} 71. 1.id 2.idpage entryid 3.id 4.idblogentry/ pageid 72. sub some_action{ my $app= shift; require MT::Page; my $blog = app->blog; my $page = MT::Page->load( $app->param( 'id' ) ); if (! $page ) { return $app->translate( 'Invalid Page ID:[_1].', $app->param( 'id' ) ); } my $perm = $app->user->is_superuser; if (! $perm ) { $perm = $app->user->permissions( $blog->id )->can_administer_website $perm = $app->user->permissions( $blog->id )->can_administer_blog unless $perm; $perm = $app->user->permissions( $blog->id )->can_manage_pages unless $perm; } if (! $perm ) { return $app->translate( 'Permission denied.' ); } # $page} mt.cgi?__mode=some_action&id= id=1&blog_id=3 id:1pageblog_id 3? id?EntryID? ! 73. 74. sub some_action { my $app = shift; $app->validate_magic( FooBar? ) or return $app->trans_error( 'Permission denied.' ); require MT::Page; my $page; if (! $app->param( 'id' ) || (! $page = MT::Page->load( $app->param( 'id' ) ) ) { return $app->trans_error( 'Invalid Page ID:'[_1]'', MT::Util::encode_html( $app->param( 'id' ) ) ); } if ( $page->class ne 'page' ) { return $app->trans_error( 'Invalid Class:'[_1]'', $page->class ); } # permission check case 1 if ( $app->blog->id != $page->blog_id ) { return $app->trans_error( 'Invalid BlogID:'[_1]'', MT::Util::encode_html( $app->blog->id ) ); } # magic_token Entry ID () ! 75. if (! $app->can_do( 'manage_pages' ) ) { return $app->trans_error( 'Permission denied.' 
); } # or case 2 my $perm = $app->user->is_superuser; if (! $perm ) { $perm = $app->user->permissions( $page->blog_id )-> can_administer_website; $perm = $app->user->permissions( $page->blog_id )-> can_administer_blog unless $perm; $perm = $app->user->permissions( $page->blog_id )-> can_manage_pages unless $perm; } if (! $perm ) { return $app->trans_error( 'Permission denied.' ); } if (! $app->run_callbacks( 'cms_save_permission_lter.page' $app, $page ) { return $app->trans_error( 'Permission denied.' ); } # Do Something.} $blog->id$page->blog_id 76. ... 77. 78. ( ) UX 79. SQLAPI 80.