[geeklog-hg] geeklog: stricter input filtering in the Configuration (TWSL2013...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sun Feb 17 07:58:39 EST 2013
changeset 8945:cbf8a343ef2e
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/cbf8a343ef2e
user: Dirk Haun <dirk at haun-online.de>
date: Sun Feb 17 13:27:01 2013 +0100
description:
stricter input filtering in the Configuration (TWSL2013-001)
diffstat:
public_html/admin/configuration_validation.php | 27 ++++++++++++++++--
system/classes/config.class.php | 37 ++++++++++++++++++++++++++
2 files changed, 61 insertions(+), 3 deletions(-)
diffs (137 lines):
diff -r e2f5e2768b48 -r cbf8a343ef2e public_html/admin/configuration_validation.php
--- a/public_html/admin/configuration_validation.php Sun Feb 17 13:25:47 2013 +0100
+++ b/public_html/admin/configuration_validation.php Sun Feb 17 13:27:01 2013 +0100
@@ -51,9 +51,9 @@
$_CONF_VALIDATE['Core']['meta_tags'] = array('rule' => array('inList', array(0, 1, 2), false));
$_CONF_VALIDATE['Core']['meta_description'] = array('rule' => 'stringOrEmpty');
$_CONF_VALIDATE['Core']['meta_keywords'] = array('rule' => 'stringOrEmpty');
-$_CONF_VALIDATE['Core']['site_mail'] = array('rule' => 'email');
/* Subgroup Site, Tab Mail */
+$_CONF_VALIDATE['Core']['site_mail'] = array('rule' => 'email');
$_CONF_VALIDATE['Core']['noreply_mail'] = array('rule' => 'email');
$_CONF_VALIDATE['Core']['mail_settings[backend]'] = array(
'rule' => array('inList', array('smtp', 'sendmail', 'mail')),
@@ -77,6 +77,9 @@
);
$_CONF_VALIDATE['Core']['mail_settings[auth]'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['mail_settings[username]'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['mail_settings[password]'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['cc_enabled'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['cc_default'] = array('rule' => 'boolean');
/* Subgroup Site, Tab Syndication */
$_CONF_VALIDATE['Core']['backend'] = array('rule' => 'boolean');
@@ -87,11 +90,14 @@
$LANG_VALIDATION['rdf_limit'] : $LANG_VALIDATION['default']
);
$_CONF_VALIDATE['Core']['rdf_storytext'] = array('rule' => 'numeric');
+$_CONF_VALIDATE['Core']['rdf_language'] = array('rule' => 'notEmpty');
$_CONF_VALIDATE['Core']['syndication_max_headlines'] = array('rule' => 'numeric');
$_CONF_VALIDATE['Core']['comment_feeds_article_tag'] = array('rule' => 'notEmpty');
$_CONF_VALIDATE['Core']['comment_feeds_article_tag_position'] = array(
'rule' => array('inList', array('start', 'end', 'none'), true)
-);
+);
+$_CONF_VALIDATE['Core']['comment_feeds_article_author_tag'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['comment_feeds_comment_author_tag'] = array('rule' => 'stringOrEmpty');
/* Subgroup Site, Tab Paths */
$_CONF_VALIDATE['Core']['path_html'] = array(
@@ -158,6 +164,7 @@
$_CONF_VALIDATE['Core']['search_show_sort'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['search_show_num'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['search_show_type'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['search_separator'] = array('rule' => 'string');
$_CONF_VALIDATE['Core']['search_def_keytype'] = array(
'rule' => array('inList', array('all', 'any', 'phrase'), true)
);
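Review bot: `search_separator` is given the rule `'string'`, while every other free-text parameter in this file uses `'stringOrEmpty'` (meta_description, censorreplace, the new comment_feeds_*_author_tag entries) or `'notEmpty'`; whether a rule named `'string'` exists in the validator is not visible from here, and if it does not, what happens to this parameter depends on how an unknown rule name is handled. If an empty separator is meant to be rejected, `'notEmpty'` is what the file already uses for that; otherwise `$_CONF_VALIDATE['Core']['search_separator'] = array('rule' => 'stringOrEmpty');` keeps it consistent with its neighbours. Worth confirming against the rule implementations before this ships.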
@@ -195,7 +202,7 @@
/* Subgroup Stories and Trackback, Tab Trackback */
$_CONF_VALIDATE['Core']['trackback_enabled'] = array('rule' => 'boolean');
-$_CONF_VALIDATE['Core']['aftersave_story'] = array(
+$_CONF_VALIDATE['Core']['trackback_code'] = array(
'rule' => array('inList', array(-1, 0), false)
);
$_CONF_VALIDATE['Core']['trackbackspeedlimit'] = array('rule' => 'numeric');
@@ -403,6 +410,12 @@
);
/* Subgroup Language, Tab Locale */
+$_CONF_VALIDATE['Core']['locale'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['date'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['daytime'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['shortdate'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['dateonly'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['timeonly'] = array('rule' => 'stringOrEmpty');
$_CONF_VALIDATE['Core']['week_start'] = array(
'rule' => array('inList', array('Mon', 'Sun'), true)
);
@@ -471,6 +484,7 @@
$_CONF_VALIDATE['Core']['censormode'] = array(
'rule' => array('inList', array(0, 1, 2, 3), false)
);
+$_CONF_VALIDATE['Core']['censorreplace'] = array('rule' => 'stringOrEmpty');
/* Subgroup Misc, Tab Permissions */
$_CONF_VALIDATE['Core']['default_permissions_story[0]'] = array(
@@ -546,4 +560,11 @@
$_CONF_VALIDATE['Core']['restrict_webservices'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['atom_max_stories'] = array('rule' => 'numeric');
+/* Subgroup Misc, Tab Topics */
+$_CONF_VALIDATE['Core']['multiple_breadcrumbs'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_topics'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_articles'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_plugins'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['breadcrumb_root_site_name'] = array('rule' => 'boolean');
+
?>
diff -r e2f5e2768b48 -r cbf8a343ef2e system/classes/config.class.php
--- a/system/classes/config.class.php Sun Feb 17 13:25:47 2013 +0100
+++ b/system/classes/config.class.php Sun Feb 17 13:27:01 2013 +0100
@@ -1600,6 +1600,43 @@
if ( empty($this->validationErrors) ) {
// only set if there is no validation error
foreach ( $pass_validation as $param => $val ) {
+ if ($group === 'Core') {
+ switch ($param) {
+ case 'site_name':
+ case 'site_slogan':
+ case 'owner_name':
+ case 'meta_description':
+ case 'meta_keywords':
+ case 'rdf_language':
+ case 'locale':
+ case 'date':
+ case 'daytime':
+ case 'shortdate':
+ case 'dateonly':
+ case 'timeonly':
+ case 'cookie_session':
+ case 'cookie_name':
+ case 'cookie_password':
+ case 'cookie_theme':
+ case 'cookie_language':
+ case 'cookie_tzid':
+ case 'cookie_anon_name':
+ $val = strip_tags($val);
+ break;
+
+ case 'site_disabled_msg':
+ case 'comment_feeds_article_tag':
+ case 'comment_feeds_article_author_tag':
+ case 'comment_feeds_comment_author_tag':
+ case 'search_separator':
+ $val = COM_checkHTML($val);
+ break;
+
+ default:
+ break;
+ }
+ }
+
$this->set($param, $val, $group);
$success_array[$param] = true;
}
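Review bot: The sanitisation added here is keyed on a hard-coded switch of Core parameter names behind `if ($group === 'Core')`, so any Core parameter added later, and every parameter of a non-Core group, silently receives neither strip_tags() nor COM_checkHTML(); the list also restates per-parameter knowledge that configuration_validation.php already declares in `$_CONF_VALIDATE`. Driving the filter from the validation entry (for example a `'sanitize'` key beside `'rule'`, looked up here instead of the switch) would keep both in one place, though I cannot see from this hunk whether `$_CONF_VALIDATE` is reachable in this method. Note also that strip_tags() only removes markup and does not escape what remains, so a comment such as `// strip_tags() drops tags but does not HTML-escape; values must still be escaped at output time` would stop a reader treating these stored values as output-safe. The enclosing method starts and ends outside the hunk.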