[geeklog-cvs] geeklog: Fixed SQL injection exploit in usersettings.php

geeklog-cvs at lists.geeklog.net geeklog-cvs at lists.geeklog.net
Sat Apr 18 07:23:25 EDT 2009


details:   http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/bf1cdc081217
changeset: 6953:bf1cdc081217
user:      vinny
date:      Fri Apr 17 14:42:28 2009 -0600
description:
Fixed SQL injection exploit in usersettings.php

diffstat:

1 file changed, 16 insertions(+), 6 deletions(-)
public_html/usersettings.php |   22 ++++++++++++++++------

diffs (51 lines):

diff -r fd8a6d903a70 -r bf1cdc081217 public_html/usersettings.php
--- a/public_html/usersettings.php	Mon Apr 13 16:46:20 2009 +0200
+++ b/public_html/usersettings.php	Fri Apr 17 14:42:28 2009 -0600
@@ -1345,23 +1345,33 @@
         }
     }
 
-    $TIDS  = @array_values($A[$_TABLES['topics']]);
-    $AIDS  = @array_values($A['selauthors']);
-    $BOXES = @array_values($A["{$_TABLES['blocks']}"]);
-    $ETIDS = @array_values($A['etids']);
+    $TIDS  = @array_values($A[$_TABLES['topics']]);     // array of strings
+    $AIDS  = @array_values($A['selauthors']);           // array of integers
+    $BOXES = @array_values($A["{$_TABLES['blocks']}"]); // array of integers
+    $ETIDS = @array_values($A['etids']);                // array of strings
+    $AETIDS = USER_getAllowedTopics();                  // array of strings (fetched, needed to "clean" $TIDS and $ETIDS)
 
     $tids = '';
     if (sizeof ($TIDS) > 0) {
-        $tids = addslashes (implode (' ', $TIDS));
+        // the array_intersect mitigates the need to scrub the TIDS input
+        $tids = addslashes (implode (' ', array_intersect ($AETIDS, $TIDS)));
     }
 
     $aids = '';
     if (sizeof ($AIDS) > 0) {
+        // Scrub the AIDS array to prevent SQL injection and bad values
+        foreach ($AIDS as $key => $val) {
+            $AIDS[$key] = COM_applyFilter($val, true);
+        }
         $aids = addslashes (implode (' ', $AIDS));
     }
 
     $selectedblocks = '';
     if (count ($BOXES) > 0) {
+        // Scrub the BOXES array to prevent SQL injection and bad values
+        foreach ($BOXES as $key => $val) {
+            $BOXES[$key] = COM_applyFilter($val, true);
+        }
         $boxes = addslashes (implode (',', $BOXES));
 
         $blockresult = DB_query("SELECT bid,name FROM {$_TABLES['blocks']} WHERE bid NOT IN ($boxes)");
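Review bot: The two added scrub loops (the `foreach` over `$AIDS` and over `$BOXES`) keep every element, so a rejected entry is not dropped but replaced by whatever `COM_applyFilter` returns in numeric mode — presumably `0` — and that sentinel then flows into `$aids` and into the `NOT IN ($boxes)` clause of the query on the last line of the hunk. If the form values arrive as strings, discarding the rejects first keeps the lists honest, e.g. `$AIDS = array_filter($AIDS, 'ctype_digit');` before the loop (and the same for `$BOXES`), leaving the existing scrub as a second check. `USER_getAllowedTopics()` is now called unconditionally on the new `$AETIDS` line even when both `$TIDS` and `$ETIDS` are empty; if it queries the database, fetching it lazily inside the two branches that need it avoids the extra round trip. The re-added `@array_values(...)` lines still rely on error suppression for a missing key; `isset($A['selauthors']) ? array_values($A['selauthors']) : array()` expresses the same intent without masking other notices. The enclosing function starts and ends outside the hunk.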
@@ -1379,7 +1389,7 @@
 
     $etids = '';
     if (sizeof ($ETIDS) > 0) {
-        $AETIDS = USER_getAllowedTopics();
+        // the array_intersect mitigates the need to scrub the ETIDS input
         $etids = addslashes (implode (' ', array_intersect ($AETIDS, $ETIDS)));
     }
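Review bot: The `$etids` branch now depends on `$AETIDS` being assigned some forty lines earlier, and the replacement comment says nothing about that, so a future edit that makes the earlier fetch conditional again would leave this branch reading an undefined variable and silently producing an empty intersection. I would make the dependency explicit in the comment, e.g. `// $AETIDS was fetched once at the top of this section and is shared with the TIDS branch; only allowed topics survive the intersect, so no further scrubbing is needed`. The enclosing function continues outside the hunk.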
 


