
Empty BBC tags can be used to bypass censor list

Started by Douglas, January 25, 2016, 09:44:03 AM


Douglas

This was brought up in the past, but nothing was done to really address it. Please forgive me for intentionally bypassing SMF's censor list, but I need to show an example here.

******
shit

If you quote my post, you'll see how I bypassed the censor list. Long story short, someone can use any empty BBC code to bypass the censor list.

Luckily for everyone, the fix to this is easy to implement on posts going forward (it can't address any previous posts made with the bypass in place).

In $sourcedir/Subs-Post.php

Search for (approximately line 371):

// Now let's quickly clean up things that will slow our parser (which are common in posted code.)
$message = strtr($message, array('[]' => '&#91;]', '[&#039;' => '&#91;&#039;'));


Add a blank line after that, and then drop this in:

// Remove empty bbc.
$message = preg_replace('~\[([^\]]+)\]\[/\1\]~i', '', $message);


This is how mine looks:

// Put it back together!
if (!$previewing)
	$message = strtr(implode('', $parts), array('  ' => '&nbsp; ', "\n" => '<br />', $context['utf8'] ? "\xC2\xA0" : "\xA0" => '&nbsp;'));
else
	$message = strtr(implode('', $parts), array('  ' => '&nbsp; ', $context['utf8'] ? "\xC2\xA0" : "\xA0" => '&nbsp;'));

// Now let's quickly clean up things that will slow our parser (which are common in posted code.)
$message = strtr($message, array('[]' => '&#91;]', '[&#039;' => '&#91;&#039;'));

// DLH Remove empty bbc.
$message = preg_replace('~\[([^\]]+)\]\[/\1\]~i', '', $message);
}


Problem solved. Since this is a really easy fix, I'm hoping we can get this implemented on ALL SMF releases going forward.
Doug Hazard
* Full Stack (Web) Developer for The Catholic Diocese of Richmond
(20+ Diocesan sites, 130+ Church sites & 24 School sites)
* Sports Photographer and Media Personality
* CFB Historian
* Tech Admin for one 1M+ post, one 2M+ post and one 10M+ post sites (last two are powered by multiple servers)
* WordPress Developer (Junkie)

Suki

Thank you for your report. It doesn't affect SMF 2.1 due to a change in how censorText() works; will back-port that change to 2.0.x
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

Making tough decisions, so you don't have to.

Douglas

Appreciate it, Suki!

BTW, you can also nestle empty tags inside of empty tags inside of empty tags, etc etc etc (wash, rinse, repeat) to continue to bypass the filter, so the preg_replace string might need to be adjusted (or repeated) to accommodate for that. :)
Doug Hazard
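
The nested-tag case raised in the reply above, as an added example that is not part of the original posts and is not SMF code: the single-pass pattern from the first post beside a variant that matches on the tag name only (so an opening tag carrying a parameter is also treated as empty) and repeats until nothing more is removed. The function names and the sample strings are constructed for illustration.

```php
<?php
// Added example, not SMF code. Function names are hypothetical.

// The pattern from the post: one pass, and the closing tag must repeat
// the entire content of the opening bracket (backreference \1).
function strip_empty_bbc_once(string $message): string
{
    return preg_replace('~\[([^\]]+)\]\[/\1\]~i', '', $message) ?? $message;
}

// Variant: capture only the tag name, allow an optional " param" or
// "=param" part, and loop until a pass removes nothing, so that empty
// tags wrapped in other empty tags collapse from the inside out.
function strip_empty_bbc_all(string $message): string
{
    $pattern = '~\[([a-z0-9_]+)(?:[ =][^\]]*)?\]\[/\1\]~i';
    do {
        $result = preg_replace($pattern, '', $message, -1, $count);
        if ($result === null) {
            break; // PCRE error: keep the last good value
        }
        $message = $result;
    } while ($count > 0);
    return $message;
}

// Constructed sample inputs; "word" stands in for a censored term.
$samples = array(
    'flat'      => 'wo[b][/b]rd',
    'nested'    => 'wo[b][i][/i][/b]rd',
    'parameter' => 'wo[color=red][/color]rd',
    'real tag'  => 'a [b]bold[/b] word',
);

foreach ($samples as $label => $input) {
    printf(
        "%-10s once=%s all=%s\n",
        $label,
        var_export(strip_empty_bbc_once($input), true),
        var_export(strip_empty_bbc_all($input), true)
    );
}
```

The single pass leaves `[b][/b]` behind in the nested sample and does not touch the parameter sample at all; the looped variant reduces the first three samples to the bare word and leaves the tag with real content alone.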

qc

There are probably a thousand more ways to circumvent the censor list. Just think of the UTF-8 zero width space, transparent single pixel gifs, image based fonts or all kinds of character modifiers squeezed in between your censored word. Instead of fighting against windmills here, I recommend backporting other, perhaps more useful bugfixes into the current stable release :D

PS: The censoring problem is a political one which may require a political solution, e.g. making circumventing the filter a bannable offense
Playing quizduell? Having quizduell questions? Our German quizduell forum quizcommunity.de is looking for quiz freaks to come and play quizduell with us :)
