[geeklog-cvs] geeklog: Fixed SQL injection exploit in usersettings.php
geeklog-cvs at lists.geeklog.net
Sat Apr 18 07:23:25 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/bf1cdc081217
changeset: 6953:bf1cdc081217
user: vinny
date: Fri Apr 17 14:42:28 2009 -0600
description:
Fixed SQL injection exploit in usersettings.php
diffstat:
1 file changed, 16 insertions(+), 6 deletions(-)
public_html/usersettings.php | 22 ++++++++++++++++------
diffs (51 lines):
diff -r fd8a6d903a70 -r bf1cdc081217 public_html/usersettings.php
--- a/public_html/usersettings.php Mon Apr 13 16:46:20 2009 +0200
+++ b/public_html/usersettings.php Fri Apr 17 14:42:28 2009 -0600
@@ -1345,23 +1345,33 @@
}
}
- $TIDS = @array_values($A[$_TABLES['topics']]);
- $AIDS = @array_values($A['selauthors']);
- $BOXES = @array_values($A["{$_TABLES['blocks']}"]);
- $ETIDS = @array_values($A['etids']);
+ $TIDS = @array_values($A[$_TABLES['topics']]); // array of strings
+ $AIDS = @array_values($A['selauthors']); // array of integers
+ $BOXES = @array_values($A["{$_TABLES['blocks']}"]); // array of integers
+ $ETIDS = @array_values($A['etids']); // array of strings
+ $AETIDS = USER_getAllowedTopics(); // array of strings (fetched, needed to "clean" $TIDS and $ETIDS)
$tids = '';
if (sizeof ($TIDS) > 0) {
- $tids = addslashes (implode (' ', $TIDS));
+ // the array_intersect mitigates the need to scrub the TIDS input
+ $tids = addslashes (implode (' ', array_intersect ($AETIDS, $TIDS)));
}
$aids = '';
if (sizeof ($AIDS) > 0) {
+ // Scrub the AIDS array to prevent SQL injection and bad values
+ foreach ($AIDS as $key => $val) {
+ $AIDS[$key] = COM_applyFilter($val, true);
+ }
$aids = addslashes (implode (' ', $AIDS));
}
$selectedblocks = '';
if (count ($BOXES) > 0) {
+ // Scrub the BOXES array to prevent SQL injection and bad values
+ foreach ($BOXES as $key => $val) {
+ $BOXES[$key] = COM_applyFilter($val, true);
+ }
$boxes = addslashes (implode (',', $BOXES));
$blockresult = DB_query("SELECT bid,name FROM {$_TABLES['blocks']} WHERE bid NOT IN ($boxes)");
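Review bot: The `$BOXES` values are interpolated unquoted into `NOT IN ($boxes)` on the last line of the hunk, so the fix depends entirely on `COM_applyFilter($val, true)` returning an integer for every element; if that helper instead yields an empty string for non-numeric input (not visible here, so worth confirming), the query degrades to `NOT IN (,)`, a syntax error rather than an injection, but still a broken page. A self-contained cast removes the dependency on the helper's flag semantics: replace the three-line `foreach` with `$BOXES = array_map('intval', $BOXES);`, and the same form suits the `$AIDS` loop above it. The subsequent `addslashes` on an integer-only string is then redundant but harmless. The second hunk now relies on `$AETIDS` being assigned in this hunk rather than fetching it locally, so any future early-exit between the two would need to keep that assignment reachable. The enclosing function starts and ends outside this hunk.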
@@ -1379,7 +1389,7 @@
$etids = '';
if (sizeof ($ETIDS) > 0) {
- $AETIDS = USER_getAllowedTopics();
+ // the array_intersect mitigates the need to scrub the ETIDS input
$etids = addslashes (implode (' ', array_intersect ($AETIDS, $ETIDS)));
}