r106526 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r106525‎ \| r106526 \| r106527 >
Date:	20:10, 17 December 2011
Author:	petrb
Status:	deferred
Tags:
Comment:	fixed evil searches from potential hackers
Modified paths:	/trunk/tools/wmib/Core.cs (modified) (history)

Diff [purge]

Index: trunk/tools/wmib/Core.cs
—	—	@@ -16,7 +16,25 @@
17	17
18	18	namespace wmib
19	19	{
20		~~- public static class irc~~
	20	+ public class misc
	21	+ {
	22	+ public static bool IsValidRegex(string pattern)
	23	+ {
	24	+ if (pattern == null) return false;
	25	+
	26	+ try
	27	+ {
	28	+ System.Text.RegularExpressions.Regex.Match("", pattern);
	29	+ }
	30	+ catch (ArgumentException)
	31	+ {
	32	+ return false;
	33	+ }
	34	+
	35	+ return true;
	36	+ }
	37	+ }
	38	+ public class irc
21	39	{
22	40	private static System.Net.Sockets.NetworkStream data;
23	41	public static System.Threading.Thread dumphtmt;
—	—	@@ -53,6 +71,48 @@
54	72	}
55	73	}
56	74
	75	+ public class RegexCheck
	76	+ {
	77	+ public string value;
	78	+ public string regex;
	79	+ public bool searching;
	80	+ public bool result = false;
	81	+ public RegexCheck(string Regex, string Data)
	82	+ {
	83	+ result = false;
	84	+ value = Data;
	85	+ regex = Regex;
	86	+ }
	87	+ private void Run()
	88	+ {
	89	+ System.Text.RegularExpressions.Regex c = new System.Text.RegularExpressions.Regex(regex);
	90	+ result = c.Match(value).Success;
	91	+ searching = false;
	92	+ }
	93	+ public int IsMatch()
	94	+ {
	95	+ System.Threading.Thread quick = new System.Threading.Thread(new System.Threading.ThreadStart(Run));
	96	+ searching = true;
	97	+ quick.Start();
	98	+ int check = 0;
	99	+ while (searching)
	100	+ {
	101	+ check++;
	102	+ System.Threading.Thread.Sleep(10);
	103	+ if (check > 50)
	104	+ {
	105	+ quick.Abort();
	106	+ return 2;
	107	+ }
	108	+ }
	109	+ if (result)
	110	+ {
	111	+ return 1;
	112	+ }
	113	+ return 0;
	114	+ }
	115	+ }
	116	+
57	117	public class IRCTrust
58	118	{
59	119	/// <summary>
—	—	@@ -112,13 +172,8 @@
113	173
114	174	public static string normalize(string name)
115	175	{
116		~~- name = name.Replace("\|", "\\\|");~~
117		~~- name = name.Replace("]", "\\]");~~
118		~~- name = name.Replace("[", "\\[");~~
119		~~- name = name.Replace("\\", "\\\\");~~
120		~~- name = name.Replace("^", "\\^");~~
121		~~- name = name.Replace("{", "\\{");~~
122		~~- name = name.Replace("}", "\\}");~~
	176	+ name = System.Text.RegularExpressions.Regex.Escape(name);
	177	+ name = name.Replace("?", "\\?");
123	178	return name;
124	179	}
125	180
—	—	@@ -130,6 +185,10 @@
131	186	/// <returns></returns>
132	187	public bool addUser(string level, string user)
133	188	{
	189	+ if (!misc.IsValidRegex(user))
	190	+ {
	191	+ return false;
	192	+ }
134	193	foreach (user u in Users)
135	194	{
136	195	if (u.name == user)
—	—	@@ -197,8 +256,8 @@
198	257	int current = 0;
199	258	foreach (user b in Users)
200	259	{
201		~~- System.Text.RegularExpressions.Regex id = new System.Text.RegularExpressions.Regex(b.name);~~
202		~~- if (id.Match(user).Success)~~
	260	+ RegexCheck id = new RegexCheck(b.name, user);
	261	+ if (id.IsMatch() == 1)
203	262	{
204	263	if (getLevel(b.level) > current)
205	264	{
—	—	@@ -345,6 +404,8 @@
346	405	/// Channel name
347	406	/// </summary>
348	407	public string Channel;
	408	+ private bool running;
	409	+ private string search_key;
349	410	/// <summary>
350	411	/// Load it
351	412	/// </summary>
—	—	@@ -585,6 +646,28 @@
586	647	return true;
587	648	}
588	649
	650	+ private void StartSearch()
	651	+ {
	652	+ System.Text.RegularExpressions.Regex value = new System.Text.RegularExpressions.Regex(search_key, System.Text.RegularExpressions.RegexOptions.Compiled);
	653	+ string results = "";
	654	+ foreach (item data in text)
	655	+ {
	656	+ if (data.key == search_key \|\| value.Match(data.text).Success)
	657	+ {
	658	+ results = results + data.key + ", ";
	659	+ }
	660	+ }
	661	+ if (results == "")
	662	+ {
	663	+ Message("No results found! :\|", Channel);
	664	+ }
	665	+ else
	666	+ {
	667	+ Message("Results: " + results, Channel);
	668	+ }
	669	+ running = false;
	670	+ }
	671	+
589	672	/// <summary>
590	673	/// Search
591	674	/// </summary>
—	—	@@ -596,29 +679,33 @@
597	680	{
598	681	return;
599	682	}
	683	+ if (!misc.IsValidRegex(key))
	684	+ {
	685	+ Message("This is pretty bad regex", Chan.name);
	686	+ return;
	687	+ }
600	688	if (key.Length < 11)
601	689	{
602	690	Message("Could you please tell me what I should search for :P", Chan.name);
603	691	return;
604	692	}
605		~~- key = key.Substring(11);~~
606		~~- System.Text.RegularExpressions.Regex value = new System.Text.RegularExpressions.Regex(key);~~
607		~~- string results = "";~~
608		~~- foreach (item data in text)~~
	693	+ search_key = key.Substring(11);
	694	+ running = true;
	695	+ System.Threading.Thread th = new System.Threading.Thread(new System.Threading.ThreadStart(StartSearch));
	696	+ th.Start();
	697	+ int check = 1;
	698	+ while (running)
609	699	{
610		~~- if (data.key == key \|\| value.Match(data.text).Success)~~
	700	+ check++;
	701	+ System.Threading.Thread.Sleep(10);
	702	+ if (check > 80)
611	703	{
612		~~- results = results + data.key + ", ";~~
	704	+ th.Abort();
	705	+ Message("Search took more than 800 micro seconds try a better regex", Channel);
	706	+ running = false;
	707	+ return;
613	708	}
614	709	}
615		~~- if (results == "")~~
616		~~- {~~
617		~~- Message("No results found! :\|", Chan.name);~~
618		~~- }~~
619		~~- else~~
620		~~- {~~
621		~~- Message("Results: " + results, Chan.name);~~
622		~~- }~~
623	710	}
624	711
625	712	public void Find(string key, config.channel Chan)

Status & tagging log

01:15, 18 December 2011 Johnduhart (talk | contribs) changed the status of r106526 [removed: new added: deferred]