百度贴吧flash过滤机制研究

  总体

  采用的白名单过滤机制,即只允许引入特定网站的URL,同时对特定的参数也进行了过滤,比如auto这类的自动播放属性。

  百度安全漏洞系列分析

  具体分析

  (1)URL提交

  嵌入了一个iframe页面,提交代码如下:

  1.//有return false,不会真实提交,只会执行函数

  2.[HTML_REMOVED]

  (2)JS进行处理

  由本页面的JS代码进行处理,实现代码如下:

  1.TiFlash = {

  2.    //这个地方判定是否是IE,方法不错

  3.             IE: (!!(window.attachEvent && !window.opera)),

  4.             validAddrPrefixs: parent.PageData.editor.flashWhiteList,

  5.             accept: function(){

  6.                 try {

  7.                     var editor = parent.BdeText;

  8.                     var whiteList = this.validAddrPrefixs;

  9.

  10.//判定是不是在白名单中

  11.                     var isInWhiteList = function(url){

  12.                         for (var i = 0, j = whiteList.length; i < j; i++) {

  13.                             if (url.indexOf(whiteList[i]) == 0)

  14.                                 return true;

  15.                         }

  16.                         return false;

  17.                     }

  18.//bde_flash_url是输入的URL

  19.//替换http://http:// 处理用户输入的

  20.                     var flash_url_value = document.getElementById('bde_flash_url').value.trim().replace(/^http://http:///g, "http://");

  21.//进行了详细处理

  22.//对一些特定的URL进行了转换

  23.//可以参见这里面的函数

  24.//http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509

  25.//主要是处理一些特定的URL和一些带属性的参数(自动播放)

  26.                     flash_url_value = Post_Video_URL.convert(flash_url_value);

  27.//如果没有以http协议开头的,前面添加个http://

  28.                     var urlexp = /^(https://|http://|ftp://|rtsp://|mms://)/;

  29.                     if (!(urlexp.test(flash_url_value.toLowerCase()))) {

  30.                         flash_url_value = "http://" + flash_url_value;

  31.                     }

  32.//全部转为小写字母

  33.                     var lower_url = flash_url_value.toLowerCase();

  34.//如果没填写就报错

  35.                     if (lower_url.length <= 0 ||

  36.                     lower_url == "https://" ||

  37.                     lower_url == "http://" ||

  38.                     lower_url == "ftp://" ||

  39.                     lower_url == "rtsp://" ||

  40.                     lower_url == "mms://") {

  41.                         this.showError("视频链接不能为空");

  42.                         return false;

  43.                     }

  44.//如果是以下面这类结尾的,输入错误

  45.                     urlexp = /(.html|.htm|.shtml|.xml|.jpg|.jpeg|.bmp|.png|.gif|.tif)$/;

  46.                     if (flash_url_value.getByteLength() > editor.urlLength || urlexp.test(lower_url)) {

  47.                         this.showError("输入链接有误,请重试");

  48.                         return false;

  49.                     }

  50.//如果不是白名单的,出错

  51.                     if (!isInWhiteList(flash_url_value)) {

  52.                         this.showError("对不起,您输入的视频链接无效,请重试");

  53.                         return false;

  54.                     }

  55.                     editor.closePopup();

  56.//过滤URL中的参数

  57.                     flash_url_value = Post_Video_URL.filter_param(flash_url_value);

  58.                     this.execute(editor, flash_url_value);

  59.                 }

  60.                 catch (e) {

  61.                 }

  62.                 return false;

  63.             },

  64.             execute: function(editor, url){

  65.                 var html = '';

  66.                 var height = 450, width = 500;

  67.   //设置大小

  68.                 if (url.toLowerCase().indexOf("baidu.com") > -1) {// 百度

  69.                     width = 480;

  70.                     height = 410;

  71.                 }

  72.                 else

  73.                     if (url.toLowerCase().indexOf("player.video.qiyi.com") > -1) {// 奇异

  74.                         width = 500;

  75.                         height = 415;

  76.                     }

  77.                     else {// 酷6等其他网站的视频

  78.                         width = 500;

  79.                         height = 450;

  80.                     }

  81.//IE的话设定属性

  82.                 if (this.IE) {

  83.                     html = '[HTML_REMOVED]';

  84.                 }

  85.                 else {

  86.                     html = '[HTML_REMOVED]';

  87.                 }

  88.                 //插入代码

  89.                 editor.paste(html);

  90.                 editor.dispatch("oneditorselectionchange");

  91.             },

  92.             onFocusInput: function(){

  93.                 document.getElementById('bde_flash_tip').innerHTML = "贴吧目前支持土豆、优酷、激动等多家视频网站";

  94.                 document.getElementById('bde_flash_tip').style.color = "#666666";

  95.             },

  96.             showError: function(msg){

  97.                 document.getElementById('errorMsg').innerHTML = msg;

  98.             }

  99.         };

  (3)其中的关键代码

  1.//处理一些比较重要的URL

  2.//替换部分分析//

  3.//http://static.tieba.baidu.com/tb/nocache/post_video_url.js?v=201104081509

  4.var Post_Video_URL = {

  5.    convert_urls : [

  6.       [/http://my.tv.sohu.com/u/vw/([0-9a-zA-Z_]*)$/ig, 'http://my.tv.sohu.com/fo/v4/$1/my.swf'],

  7.       [/http://client.joy.cn/flvplayer/([0-9a-zA-Z]*)_([0-9]*)_[1-9]*_([0-9]*).swf$/ig,

  8.'http://client.joy.cn/flvplayer/$1_$2_0_$3.swf'],

  9.       [/http://www.56.com/u([0-9]*)/v_([0-9a-zA-Z_]*).html$/ig, 'http://player.56.com/v_$2.swf'],

  10.       [/http://www.56.com/w([0-9]*)/play_album-aid-([0-9]*)_vid-([0-9a-zA-Z_]*).html$/ig, 'http://player.56.com/v_$3.swf'],

  11.       [/http://www.letv.com/ptv/vplay/([0-9a-zA-Z_]*).html$/ig, 'http://www.letv.com/player/x$1.swf'],

  12.       [/http://www.aipai.com/([a-z]*)([0-9]*)/([0-9a-zA-Z]*).html$/ig, 'http://www.aipai.com/$1$2/$3/playerOut.swf'],

  13.       [/http://mv.molihe.com/show/([0-9]*)$/ig, 'http://mv.molihe.com/molihe_play-1-$1.swf'],

  14.       [/http://www.tudou.com/programs/view/([0-9a-zA-Z]*)/?$/ig, 'http://www.tudou.com/v/$1/v.swf'],

  15.       [/http://www.boosj.com/([0-9]*).html$/ig, 'http://static.boosj.com/v/swf/w_player1.0_$1.swf'],

  16.       [/(http://share.vrs.sohu.com/[0-9a-zA-Z_]*/v.swf)(S*)$/ig, '$1&autoplay=false']

  17.    ],

  18.    auto_params : [

  19.        // web site domain, param name, param exp, default stop value

  20.        ['client.joy.cn', 'playstatus', /playstatus=/ig, '0']

  21.

  22.    ],

  23.    convert : function(url){

  24.        // ['mv.molihe.com', 'ispause', /ispause=/ig, '1']

  25.    var s = this.convert_urls;

  26.    //将符合前面这种规则的进行替换,然后返回处理的URL

  27.    for(var i=0;i[HTML_REMOVED]-1){

  28.            flash_url_value = flash_url_value.replace(p[2], 'old_invalid=');

  29.            flash_url_value += (flash_url_value.indexOf('?') > -1 ? '&' : '?') + p[1] + '=' + p[3];

  30.        }

  31.    }

  32.    return flash_url_value;

  33.    }

  34.};

  (4)白名单

  1.editor : {"imageLimite":10,"flashLimite":10,"flashWhiteList":

  2.["http://www.tudou.com/v/","http://www.tudou.com/player/playlist.swf?lid=",

  3."http://6.cn/p/","http://player.ku6.com/refer/",

  4."http://img.ku6.com/common/V2.0.baidu.swf?vid=","http://tv.mofile.com/cn/xplayer.swf?v=",

  5."http://v.blog.sohu.com/fo/v4/","http://v.blog.sohu.com/fo/p4/",

  6."http://vhead.blog.sina.com.cn/player/outer_player.swf?","http://img.openv.tv/hd/swf/hd_player.swf?pid=",

  7."http://www.cnboo.com/flash/player.swf?ids=","http://video.pomoho.com/swf/out_player.swf?flvid=",

  8."http://video.cctv.com/flash/cctv_player.swf?VideoID=","http://misc.home.news.cn/video/swf/VideoDisplay.swf?videoSource=",

  9."http://mv.baidu.com/export/flashplayer.swf?playlist=","http://mv.baidu.com/export/flashplayer.swf?vid=",

  10."http://client.joy.cn/flvplayer/","http://static.tieba.baidu.com/tb/flash/",

  11."http://player.youku.com/player.php/sid/","http://player.video.qiyi.com/",

  12."http://player.xiyou.cntv.cn/","http://player.cntv.cn/",

  13."http://www.letv.com/player","http://www.aipai.com/c",

  14."http://www.aipai.com/b","http://mv.molihe.com/molihe_play-1-",

  15."http://my.tv.sohu.com/fo/v4/","http://share.vrs.sohu.com/",

  16."http://www.hualu5.com/swf/","http://player.56.com/v",

  17."http://player.56.com/cpm","http://www.tudou.com/l"]}

  18.};

 

发表评论

邮箱地址不会被公开。 必填项已用*标注