[geeklog-hg] geeklog: stricter input filtering in the Configuration (TWSL2013...

Sun Feb 17 07:58:39 EST 2013


changeset 8945:cbf8a343ef2e
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/cbf8a343ef2e
user: Dirk Haun <dirk at haun-online.de>
date: Sun Feb 17 13:27:01 2013 +0100
description:
stricter input filtering in the Configuration (TWSL2013-001)

diffstat:

 public_html/admin/configuration_validation.php |  27 ++++++++++++++++--
 system/classes/config.class.php                |  37 ++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 3 deletions(-)

diffs (137 lines):

diff -r e2f5e2768b48 -r cbf8a343ef2e public_html/admin/configuration_validation.php
--- a/public_html/admin/configuration_validation.php	Sun Feb 17 13:25:47 2013 +0100
+++ b/public_html/admin/configuration_validation.php	Sun Feb 17 13:27:01 2013 +0100
@@ -51,9 +51,9 @@
 $_CONF_VALIDATE['Core']['meta_tags'] = array('rule' => array('inList', array(0, 1, 2), false));
 $_CONF_VALIDATE['Core']['meta_description'] = array('rule' => 'stringOrEmpty');
 $_CONF_VALIDATE['Core']['meta_keywords'] = array('rule' => 'stringOrEmpty');
-$_CONF_VALIDATE['Core']['site_mail'] = array('rule' => 'email');
 
 /* Subgroup Site, Tab Mail */
+$_CONF_VALIDATE['Core']['site_mail'] = array('rule' => 'email');
 $_CONF_VALIDATE['Core']['noreply_mail'] = array('rule' => 'email');
 $_CONF_VALIDATE['Core']['mail_settings[backend]'] = array(
     'rule' => array('inList', array('smtp', 'sendmail', 'mail')),
@@ -77,6 +77,9 @@
 );
 $_CONF_VALIDATE['Core']['mail_settings[auth]'] = array('rule' => 'boolean');
 $_CONF_VALIDATE['Core']['mail_settings[username]'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['mail_settings[password]'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['cc_enabled'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['cc_default'] = array('rule' => 'boolean');
 
 /* Subgroup Site, Tab Syndication */
 $_CONF_VALIDATE['Core']['backend'] = array('rule' => 'boolean');
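Review bot: The new `mail_settings[password]` rule on the `+` line is `notEmpty`, but `mail_settings[auth]` two lines above is a boolean, so a site that has SMTP authentication switched off would presumably keep an empty password and now fail validation on the whole Mail tab (the setter in config.class.php only stores values when there are no validation errors at all). If the validator offers no way to make the rule conditional on `mail_settings[auth]`, `array('rule' => 'stringOrEmpty')` would be the safer choice here; `notEmpty` on the username line above has the same caveat, though this commit does not touch it.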
@@ -87,11 +90,14 @@
                  $LANG_VALIDATION['rdf_limit'] : $LANG_VALIDATION['default']
 );
 $_CONF_VALIDATE['Core']['rdf_storytext'] = array('rule' => 'numeric');
+$_CONF_VALIDATE['Core']['rdf_language'] = array('rule' => 'notEmpty');
 $_CONF_VALIDATE['Core']['syndication_max_headlines'] = array('rule' => 'numeric');
 $_CONF_VALIDATE['Core']['comment_feeds_article_tag'] = array('rule' => 'notEmpty');
 $_CONF_VALIDATE['Core']['comment_feeds_article_tag_position'] = array(
     'rule' => array('inList', array('start', 'end', 'none'), true)
-); 
+);
+$_CONF_VALIDATE['Core']['comment_feeds_article_author_tag'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['comment_feeds_comment_author_tag'] = array('rule' => 'stringOrEmpty');
 
 /* Subgroup Site, Tab Paths */
 $_CONF_VALIDATE['Core']['path_html'] = array(
@@ -158,6 +164,7 @@
 $_CONF_VALIDATE['Core']['search_show_sort'] = array('rule' => 'boolean');
 $_CONF_VALIDATE['Core']['search_show_num'] = array('rule' => 'boolean');
 $_CONF_VALIDATE['Core']['search_show_type'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['search_separator'] = array('rule' => 'string');
 $_CONF_VALIDATE['Core']['search_def_keytype'] = array(
     'rule' => array('inList', array('all', 'any', 'phrase'), true)
 );
@@ -195,7 +202,7 @@
 
 /* Subgroup Stories and Trackback, Tab Trackback */
 $_CONF_VALIDATE['Core']['trackback_enabled'] = array('rule' => 'boolean');
-$_CONF_VALIDATE['Core']['aftersave_story'] = array(
+$_CONF_VALIDATE['Core']['trackback_code'] = array(
     'rule' => array('inList', array(-1, 0), false)
 );
 $_CONF_VALIDATE['Core']['trackbackspeedlimit'] = array('rule' => 'numeric');
@@ -403,6 +410,12 @@
 );
 
 /* Subgroup Language, Tab Locale */
+$_CONF_VALIDATE['Core']['locale']     = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['date']       = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['daytime']    = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['shortdate']  = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['dateonly']   = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['timeonly']   = array('rule' => 'stringOrEmpty');
 $_CONF_VALIDATE['Core']['week_start'] = array(
     'rule' => array('inList', array('Mon', 'Sun'), true)
 );
@@ -471,6 +484,7 @@
 $_CONF_VALIDATE['Core']['censormode'] = array(
     'rule' => array('inList', array(0, 1, 2, 3), false)
 );
+$_CONF_VALIDATE['Core']['censorreplace'] = array('rule' => 'stringOrEmpty');
 
 /* Subgroup Misc, Tab Permissions */
 $_CONF_VALIDATE['Core']['default_permissions_story[0]'] = array(
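Review bot: `censorreplace` gets a `stringOrEmpty` rule here but is not in either case list of the new `Core` sanitisation switch in config.class.php, so unlike the other free-text fields in this commit (`meta_description`, `site_disabled_msg`, the comment-feed tags) it is stored without `strip_tags()` or `COM_checkHTML()`. Assuming the replacement string is later rendered into page content — which the page does not show, so worth confirming — it should be added to one of those lists, or the filter should be declared next to the rule so the two files cannot drift apart.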
@@ -546,4 +560,11 @@
 $_CONF_VALIDATE['Core']['restrict_webservices'] = array('rule' => 'boolean');
 $_CONF_VALIDATE['Core']['atom_max_stories'] = array('rule' => 'numeric');
 
+/* Subgroup Misc, Tab Topics */
+$_CONF_VALIDATE['Core']['multiple_breadcrumbs']         = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_topics']   = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_articles'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_plugins']  = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['breadcrumb_root_site_name']    = array('rule' => 'boolean');
+
 ?>
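Review bot: Style: the file is PHP-only and this hunk extends its tail, so it is a good moment to drop the closing `?>` on the last line; a closing tag followed by stray whitespace emits output before headers are sent, and omitting it is the usual convention for files that contain no HTML. The added blank line before it is harmless but would also go away with the tag.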
diff -r e2f5e2768b48 -r cbf8a343ef2e system/classes/config.class.php
--- a/system/classes/config.class.php	Sun Feb 17 13:25:47 2013 +0100
+++ b/system/classes/config.class.php	Sun Feb 17 13:27:01 2013 +0100
@@ -1600,6 +1600,43 @@
         if ( empty($this->validationErrors) ) {
             // only set if there is no validation error
             foreach ( $pass_validation as $param => $val ) {
+                if ($group === 'Core') {
+                    switch ($param) {
+                        case 'site_name':
+                        case 'site_slogan':
+                        case 'owner_name':
+                        case 'meta_description':
+                        case 'meta_keywords':
+                        case 'rdf_language':
+                        case 'locale':
+                        case 'date':
+                        case 'daytime':
+                        case 'shortdate':
+                        case 'dateonly':
+                        case 'timeonly':
+                        case 'cookie_session':
+                        case 'cookie_name':
+                        case 'cookie_password':
+                        case 'cookie_theme':
+                        case 'cookie_language':
+                        case 'cookie_tzid':
+                        case 'cookie_anon_name':
+                            $val = strip_tags($val);
+                            break;
+
+                        case 'site_disabled_msg':
+                        case 'comment_feeds_article_tag':
+                        case 'comment_feeds_article_author_tag':
+                        case 'comment_feeds_comment_author_tag':
+                        case 'search_separator':
+                            $val = COM_checkHTML($val);
+                            break;
+
+                        default:
+                            break;
+                    }
+                }
+
                 $this->set($param, $val, $group);
                 $success_array[$param] = true;
             }
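Review bot: The filtered value is never re-validated: `$pass_validation` has already been checked when this loop runs (the `empty($this->validationErrors)` guard at the top of the hunk), and `strip_tags($val)` / `COM_checkHTML($val)` then rewrite `$val` afterwards, so a value that satisfied a rule such as `notEmpty` for `rdf_language` can still be stored as an empty string if it consisted only of markup, and the stored value in general is not the one that passed validation. Either apply the filter before the rules are evaluated, or re-run the parameter's rule on the filtered value and skip `$this->set()` when it no longer passes; both changes touch code outside this hunk, and the enclosing method starts and ends outside it. Two smaller points: the hard-coded case lists duplicate the field inventory in configuration_validation.php and will drift (a `'filter'` key next to each `'rule'` would keep them in one place), and `strip_tags()` only removes tags, so fields like `site_name` still need context-appropriate escaping where they are output; a comment such as `// strip_tags() is defence in depth only; output must still be escaped for its context` above the first `case` would make that explicit.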


