[geeklog-hg] geeklog: stricter input filtering in the Configuration (TWSL2013...
Tue Feb 19 12:47:07 EST 2013
changeset 8953:26680fbf136b
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/26680fbf136b
user: Dirk Haun <dirk at haun-online.de>
date: Tue Feb 19 15:32:14 2013 +0100
description:
stricter input filtering in the Configuration (TWSL2013-001)
diffstat:
public_html/admin/configuration_validation.php | 23 ++++++++++++++-
system/classes/config.class.php | 37 ++++++++++++++++++++++++++
2 files changed, 58 insertions(+), 2 deletions(-)
diffs (129 lines):
diff -r 96eedb504c68 -r 26680fbf136b public_html/admin/configuration_validation.php
--- a/public_html/admin/configuration_validation.php Tue Feb 19 14:58:45 2013 +0100
+++ b/public_html/admin/configuration_validation.php Tue Feb 19 15:32:14 2013 +0100
@@ -51,9 +51,9 @@
$_CONF_VALIDATE['Core']['meta_tags'] = array('rule' => array('inList', array(0, 1, 2), false));
$_CONF_VALIDATE['Core']['meta_description'] = array('rule' => 'stringOrEmpty');
$_CONF_VALIDATE['Core']['meta_keywords'] = array('rule' => 'stringOrEmpty');
-$_CONF_VALIDATE['Core']['site_mail'] = array('rule' => 'email');
/* Subgroup Site, Tab Mail */
+$_CONF_VALIDATE['Core']['site_mail'] = array('rule' => 'email');
$_CONF_VALIDATE['Core']['noreply_mail'] = array('rule' => 'email');
$_CONF_VALIDATE['Core']['mail_settings[backend]'] = array(
'rule' => array('inList', array('smtp', 'sendmail', 'mail')),
@@ -77,6 +77,9 @@
);
$_CONF_VALIDATE['Core']['mail_settings[auth]'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['mail_settings[username]'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['mail_settings[password]'] = array('rule' => 'notEmpty');
+$_CONF_VALIDATE['Core']['cc_enabled'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['cc_default'] = array('rule' => 'boolean');
/* Subgroup Site, Tab Syndication */
$_CONF_VALIDATE['Core']['backend'] = array('rule' => 'boolean');
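Review bot: The new `mail_settings[password]` rule on line 33 makes the password mandatory even when `mail_settings[auth]` on line 31 is false, so a site that relays through an unauthenticated SMTP host can no longer save an empty password. This mirrors the existing `mail_settings[username]` rule on line 32, so it is at least consistent, but both really depend on the auth flag. If the validator supports conditional rules the pair should only require a value when auth is enabled; otherwise `'rule' => 'stringOrEmpty'` with the presence check deferred to where the connection is made would avoid the dead end. I cannot see the validator's rule set from this hunk, so treat the conditional option as something to confirm.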
@@ -87,6 +90,7 @@
$LANG_VALIDATION['rdf_limit'] : $LANG_VALIDATION['default']
);
$_CONF_VALIDATE['Core']['rdf_storytext'] = array('rule' => 'numeric');
+$_CONF_VALIDATE['Core']['rdf_language'] = array('rule' => 'notEmpty');
$_CONF_VALIDATE['Core']['syndication_max_headlines'] = array('rule' => 'numeric');
/* Subgroup Site, Tab Paths */
@@ -154,6 +158,7 @@
$_CONF_VALIDATE['Core']['search_show_sort'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['search_show_num'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['search_show_type'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['search_separator'] = array('rule' => 'string');
$_CONF_VALIDATE['Core']['search_def_keytype'] = array(
'rule' => array('inList', array('all', 'any', 'phrase'), true)
);
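Review bot: `search_separator` on line 49 is the only new text option in this commit that uses the bare `string` rule; every other one added here uses `stringOrEmpty`. If an empty separator is a legitimate setting this rejects it, and if it is deliberately disallowed a one-line comment above the entry saying why would spare the next maintainer the same question. Either way, the value is also passed through `COM_checkHTML()` in the other file, so the rule and that filter should agree on whether an empty result is acceptable.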
@@ -191,7 +196,7 @@
/* Subgroup Stories and Trackback, Tab Trackback */
$_CONF_VALIDATE['Core']['trackback_enabled'] = array('rule' => 'boolean');
-$_CONF_VALIDATE['Core']['aftersave_story'] = array(
+$_CONF_VALIDATE['Core']['trackback_code'] = array(
'rule' => array('inList', array(-1, 0), false)
);
$_CONF_VALIDATE['Core']['trackbackspeedlimit'] = array('rule' => 'numeric');
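Review bot: Lines 56-57 rename the key from `aftersave_story` to `trackback_code`, which fits the `-1`/`0` value list on line 58, but the rename also removes the only visible validation entry for `aftersave_story`. If that is still a live configuration option it now has no rule in this file unless one exists in a hunk not shown here, which would be an odd side effect of a commit whose purpose is stricter filtering. Worth confirming that a correct `inList` rule for `aftersave_story` exists elsewhere, or adding one in the same change.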
@@ -388,6 +393,12 @@
);
/* Subgroup Language, Tab Locale */
+$_CONF_VALIDATE['Core']['locale'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['date'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['daytime'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['shortdate'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['dateonly'] = array('rule' => 'stringOrEmpty');
+$_CONF_VALIDATE['Core']['timeonly'] = array('rule' => 'stringOrEmpty');
$_CONF_VALIDATE['Core']['week_start'] = array(
'rule' => array('inList', array('Mon', 'Sun'), true)
);
@@ -450,6 +461,7 @@
$_CONF_VALIDATE['Core']['censormode'] = array(
'rule' => array('inList', array(0, 1, 2, 3), false)
);
+$_CONF_VALIDATE['Core']['censorreplace'] = array('rule' => 'stringOrEmpty');
/* Subgroup Misc, Tab Permissions */
$_CONF_VALIDATE['Core']['default_permissions_story[0]'] = array(
@@ -525,4 +537,11 @@
$_CONF_VALIDATE['Core']['restrict_webservices'] = array('rule' => 'boolean');
$_CONF_VALIDATE['Core']['atom_max_stories'] = array('rule' => 'numeric');
+/* Subgroup Misc, Tab Topics */
+$_CONF_VALIDATE['Core']['multiple_breadcrumbs'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_topics'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_articles'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['disable_breadcrumbs_plugins'] = array('rule' => 'boolean');
+$_CONF_VALIDATE['Core']['breadcrumb_root_site_name'] = array('rule' => 'boolean');
+
?>
diff -r 96eedb504c68 -r 26680fbf136b system/classes/config.class.php
--- a/system/classes/config.class.php Tue Feb 19 14:58:45 2013 +0100
+++ b/system/classes/config.class.php Tue Feb 19 15:32:14 2013 +0100
@@ -1355,6 +1355,43 @@
if ( empty($this->validationErrors) ) {
// only set if there is no validation error
foreach ( $pass_validation as $param => $val ) {
+ if ($group === 'Core') {
+ switch ($param) {
+ case 'site_name':
+ case 'site_slogan':
+ case 'owner_name':
+ case 'meta_description':
+ case 'meta_keywords':
+ case 'rdf_language':
+ case 'locale':
+ case 'date':
+ case 'daytime':
+ case 'shortdate':
+ case 'dateonly':
+ case 'timeonly':
+ case 'cookie_session':
+ case 'cookie_name':
+ case 'cookie_password':
+ case 'cookie_theme':
+ case 'cookie_language':
+ case 'cookie_tzid':
+ case 'cookie_anon_name':
+ $val = strip_tags($val);
+ break;
+
+ case 'site_disabled_msg':
+ case 'comment_feeds_article_tag':
+ case 'comment_feeds_article_author_tag':
+ case 'comment_feeds_comment_author_tag':
+ case 'search_separator':
+ $val = COM_checkHTML($val);
+ break;
+
+ default:
+ break;
+ }
+ }
+
$this->set($param, $val, $group);
$success_array[$param] = true;
}
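Review bot: `strip_tags()` on line 119 and `COM_checkHTML()` on line 127 run after validation has already passed (`$pass_validation` on line 97 is only iterated once `$this->validationErrors` is empty, line 95), so the value that gets stored is not the value that was validated; an `rdf_language` of `<b></b>` satisfies `notEmpty` and is then saved as an empty string. Filtering should happen before the rules are applied, in the part of the method that builds `$pass_validation`, which lies outside this hunk, or the filtered value should be re-run through the rule before `$this->set()` on line 135. The hard-coded key lists in the `switch` on lines 100-126 also duplicate knowledge that already lives in `$_CONF_VALIDATE`; a per-option filter attribute next to `'rule'` would keep the two from drifting, and `censorreplace`, added as `stringOrEmpty` in the other file, is in neither list, so if it is echoed into page output it presumably belongs with the `strip_tags` group. `strip_tags()` is a storage-side filter, not an output escape, so these values still need `htmlspecialchars()` where they are rendered, which I cannot verify from here. The enclosing method begins and ends outside the hunk.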