[geeklog-hg] geeklog: sanitize site_name and site_slogan during installation ...
Sun Feb 17 07:58:38 EST 2013
changeset 8944:e2f5e2768b48
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/e2f5e2768b48
user: Dirk Haun <dirk at haun-online.de>
date: Sun Feb 17 13:25:47 2013 +0100
description:
sanitize site_name and site_slogan during installation (TWSL2013-001)
diffstat:
public_html/admin/install/index.php | 17 +++++++++++++----
public_html/admin/install/lib-install.php | 14 ++++++++++++++
2 files changed, 27 insertions(+), 4 deletions(-)
diffs (64 lines):
diff -r 6c89d08563c6 -r e2f5e2768b48 public_html/admin/install/index.php
--- a/public_html/admin/install/index.php Sun Feb 17 11:20:17 2013 +0100
+++ b/public_html/admin/install/index.php Sun Feb 17 13:25:47 2013 +0100
@@ -497,14 +497,18 @@
INST_personalizeAdminAccount($site_mail, $site_url);
// Insert the form data into the conf_values table
+ $site_name = urldecode($site_name);
+ $site_name = INST_cleanString($site_name);
+ $site_slogan = urldecode($site_slogan);
+ $site_slogan = INST_cleanString($site_slogan);
require_once $_CONF['path_system'] . 'classes/config.class.php';
require_once 'config-install.php';
install_config();
$config = config::get_instance();
- $config->set('site_name', urldecode($site_name));
- $config->set('site_slogan', urldecode($site_slogan));
+ $config->set('site_name', $site_name);
+ $config->set('site_slogan', $site_slogan);
$config->set('site_url', urldecode($site_url));
$config->set('site_admin_url', urldecode($site_admin_url));
$config->set('site_mail', urldecode($site_mail));
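Review bot: The four-line decode-then-clean sequence added above `require_once` is repeated verbatim in this file's second hunk (the `$_POST`/`$_GET` path), so any later change to how these two values are cleaned has to be made in two places. Folding the decode into the call keeps each site to one line, e.g. `$site_name = INST_cleanString(urldecode($site_name));` and `$site_slogan = INST_cleanString(urldecode($site_slogan));`, or the helper could take the raw value and decode internally. The order chosen here is the right one to keep: decoding before stripping means a percent-encoded tag cannot slip past the cleaner. The enclosing code starts outside the hunk, and the values set on the following lines (`site_url`, `site_admin_url`, `site_mail`) still reach `$config->set` with `urldecode` only; whether they are validated elsewhere is not visible from this hunk.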
@@ -600,10 +604,15 @@
$site_mail = isset($_POST['site_mail']) ? $_POST['site_mail'] : (isset($_GET['site_mail']) ? $_GET['site_mail'] : '') ;
$noreply_mail = isset($_POST['noreply_mail']) ? $_POST['noreply_mail'] : (isset($_GET['noreply_mail']) ? $_GET['noreply_mail'] : '') ;
+ $site_name = urldecode($site_name);
+ $site_name = INST_cleanString($site_name);
+ $site_slogan = urldecode($site_slogan);
+ $site_slogan = INST_cleanString($site_slogan);
+
require_once $_CONF['path_system'] . 'classes/config.class.php';
$config = config::get_instance();
- $config->set('site_name', urldecode($site_name));
- $config->set('site_slogan', urldecode($site_slogan));
+ $config->set('site_name', $site_name);
+ $config->set('site_slogan', $site_slogan);
$config->set('site_url', urldecode($site_url));
$config->set('site_admin_url', urldecode($site_admin_url));
$config->set('site_mail', urldecode($site_mail));
diff -r 6c89d08563c6 -r e2f5e2768b48 public_html/admin/install/lib-install.php
--- a/public_html/admin/install/lib-install.php Sun Feb 17 11:20:17 2013 +0100
+++ b/public_html/admin/install/lib-install.php Sun Feb 17 13:25:47 2013 +0100
@@ -1354,4 +1354,18 @@
return $retval;
}
+/**
+* Returns a cleaned string
+*
+* @param string $str
+* @return string
+*/
+function INST_cleanString($str)
+{
+ $str = preg_replace('/[[:cntrl:]]/', '', $str);
+ $str = strip_tags($str);
+
+ return $str;
+}
+
?>
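Review bot: The docblock on `INST_cleanString` says only "Returns a cleaned string", which tells a caller neither what is removed nor what the result is safe for. Suggest replacing the summary with `Removes control characters (bytewise [[:cntrl:]], i.e. 0x00-0x1F and 0x7F) and HTML/PHP tags. This is input cleanup, not output escaping: the value still needs htmlspecialchars() when rendered into HTML.` Two further one-line comments would help: `preg_replace` returns null on a PCRE error and `strip_tags` then yields an empty string on PHP 5-era builds, so the function appears to fail closed rather than pass the original through; and removing control characters before `strip_tags` means a tag broken up by NUL bytes is reassembled before it is stripped, so the two lines should not be reordered. The function preceding this hunk ends at its closing brace above; the file's trailing `?>` is pre-existing.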