When the timthumb.php vulnerability was fixed

The fix for the vulnerability reported at http://blog.vaultpress.com/2011/08/02/vulnerability-found-in-timthumb/

$ svn diff -c 143                                                                                              (svn)-[trunk:r143][~/lang/php/timthumb-read-only]
Index: timthumb.php
===================================================================
--- timthumb.php        (revision 142)
+++ timthumb.php        (revision 143)@@ -665,7 +665,7 @@
 
                                $isAllowedSite = false;
                                foreach ($allowedSites as $site) {
-                                       if (strpos (strtolower ($url_info['host']), $site) !== false) {
+                                       if (strpos (strtolower ($url_info['host'] . '/'), $site) !== false) {
                                                $isAllowedSite = true;
                                        }
                                }
define ('VERSION', '1.33');                 // version number (to force a cache refresh)
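Review bot: the r143 change, `strpos (strtolower ($url_info['host'] . '/'), $site)`, is still an unanchored substring search, so it only has an effect if the entries in `$allowedSites` themselves end with `/`, and even then it does not require the allowed domain to begin at a label boundary of the host; an anchored comparison of whole host labels (or the `(?:^|\.)...$` pattern that r144 introduces) is what actually enforces the intent stated in the commit message. The trailing `define ('VERSION', '1.33');` line has lost its `@@` header, so the diff as shown here is incomplete.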
$ svn log -r 143                                                                                               (svn)-[trunk:r143][~/lang/php/timthumb-read-only]
------------------------------------------------------------------------
r143 | binarymoon@gmail.com | 2011-08-02 17:33:10 +0900 (火, 02  8 2011) | 1 line

stronger website domain checks (don't allow http://wordpress.com.hacker.com/)
------------------------------------------------------------------------

This is where the countermeasure was applied.

$ svn log -r 144                                                                                               (svn)-[trunk:r143][~/lang/php/timthumb-read-only]
------------------------------------------------------------------------
r144 | binarymoon@gmail.com | 2011-08-02 18:41:38 +0900 (火, 02  8 2011) | 1 line

even stronger website domain name checks for clean domains
------------------------------------------------------------------------
$ svn diff -c 144                                                                                              (svn)-[trunk:r191][~/lang/php/timthumb-read-only]
Index: timthumb.php
===================================================================
--- timthumb.php        (revision 143)
+++ timthumb.php        (revision 144)
@@ -14,7 +14,7 @@
 define ('CACHE_CLEAR', 20);                                    // maximum number of files to delete on each cache clear
 define ('CACHE_USE', TRUE);                                    // use the cache files? (mostly for testing)
 define ('CACHE_MAX_AGE', 864000);                      // time to cache in the browser
-define ('VERSION', '1.33');                                    // version number (to force a cache refresh)
+define ('VERSION', '1.34');                                    // version number (to force a cache refresh)
 define ('DIRECTORY_CACHE', './cache');         // cache directory
 define ('MAX_WIDTH', 1500);                                    // maximum image width
 define ('MAX_HEIGHT', 1500);                           // maximum image height
@@ -656,6 +656,8 @@
                                }
                        }
 
+                       $isAllowedSite = false;
+
                        // check allowed sites (if required)
                        if (ALLOW_EXTERNAL) {
 
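Review bot: hoisting `$isAllowedSite = false;` above `if (ALLOW_EXTERNAL)` is the right fix for a variable that was previously initialised only inside the `else` branch; since that branch's own initialisation is removed in the next hunk, a one-line comment here stating that the default is deny would keep the two hunks readable together.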
@@ -663,9 +665,8 @@
 
                        } else {
 
-                               $isAllowedSite = false;
                                foreach ($allowedSites as $site) {
-                                       if (strpos (strtolower ($url_info['host'] . '/'), $site) !== false) {
+                                       if (preg_match ('/(?:^|\.)' . $site . '$/i', $url_info['host'])) {
                                                $isAllowedSite = true;
                                        }
                                }
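Review bot: `$site` is interpolated into the `preg_match` pattern without escaping, so each dot in an allowed domain acts as a wildcard and a `/` or any other regex metacharacter in a list entry would break or alter the pattern; use `preg_quote ($site, '/')` so that the `(?:^|\.)` anchor compares the literal domain, which is what the commit message intends.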

r144 addresses it as well, this time with a regular expression, and the switch shows how much trouble the check was causing.

Incidentally, the current version (as of 20111130: version 2.8.3, r191) no longer uses a regular expression.

Basically, any timthumb.php of version 1.33 or later can be considered free of this problem.
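As an added example (not timthumb's own code and not taken from any of the revisions above), here is a hostname allow-list check that compares whole DNS labels instead of searching for a substring, next to an r144-style regex that passes the domain through `preg_quote()`. The allow-list entries and the sample URLs are constructed; the function names are my own.

```php
<?php
// Added example, not timthumb's code. Allow-list check for the host part of an
// external image URL: accepts the listed domain itself or any subdomain of it,
// and rejects hosts that merely contain the domain as a substring.
// Domain names and URLs below are constructed sample values.

declare(strict_types=1);

/**
 * True when $host equals $domain or ends with ".$domain" (case-insensitive).
 * Comparing whole labels avoids the substring problem of a strpos() check and
 * the need to build a regular expression out of configuration data.
 */
function hostMatchesDomain(string $host, string $domain): bool
{
    $host   = strtolower(rtrim($host, '.'));
    $domain = strtolower(rtrim($domain, '.'));
    if ($host === $domain) {
        return true;
    }
    $suffix    = '.' . $domain;
    $suffixLen = strlen($suffix);
    return strlen($host) > $suffixLen
        && substr_compare($host, $suffix, -$suffixLen) === 0;
}

/** Same check in the r144 style, with preg_quote() so dots in the domain are literal. */
function hostMatchesDomainRegex(string $host, string $domain): bool
{
    return preg_match('/(?:^|\.)' . preg_quote($domain, '/') . '$/i', $host) === 1;
}

/** Decide whether an external URL may be fetched, based only on its host component. */
function isAllowedSite(string $url, array $allowedSites): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;   // no host component: nothing to compare against the list
    }
    foreach ($allowedSites as $site) {
        if (hostMatchesDomain($host, $site)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: URL => expected decision.
$allowedSites = ['wordpress.com', 'img.youtube.com'];
$samples = [
    'http://wordpress.com/a.png'             => true,
    'http://files.wordpress.com/a.png'       => true,
    'http://WordPress.COM/a.png'             => true,   // case-insensitive
    'http://wordpress.com.example.net/a.png' => false,  // allowed domain is only a substring
    'http://notwordpress.com/a.png'          => false,  // no label boundary before the domain
    'http://wordpressXcom/a.png'             => false,  // an unescaped regex dot would have matched the X
    'http://img.youtube.com/vi/x/0.jpg'      => true,
    'http://youtube.com/vi/x/0.jpg'          => false,  // parent of a listed subdomain is not listed
    '/local/path.png'                        => false,  // no host at all
];

foreach ($samples as $url => $expected) {
    $got   = isAllowedSite($url, $allowedSites);
    $regex = hostMatchesDomainRegex((string) parse_url($url, PHP_URL_HOST), $allowedSites[0])
          || hostMatchesDomainRegex((string) parse_url($url, PHP_URL_HOST), $allowedSites[1]);
    printf("%-40s %-5s %s\n", $url, $got ? 'allow' : 'deny',
        ($got === $expected && $regex === $expected) ? '' : '<-- unexpected');
}
```

Both functions reach the same decision for every sample, which is the property worth testing when an allow-list check is rewritten: the label-boundary version needs no escaping and no regex engine, while the regex version is only safe once the configured domain is quoted.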

References