[geeklog-hg] geeklog: Fixed a potential security issue with the syndication e...



changeset 9391:c3ffefcc5054
url:  http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/c3ffefcc5054
user: Kenji ITO <mystralkk at gmail.com>
date: Sun Jan 05 23:39:01 2014 +0900
description:
Fixed a potential security issue with the syndication editor

diffstat:

 public_html/admin/syndication.php |  63 ++++++++++++++++++++++++--------------
 1 files changed, 39 insertions(+), 24 deletions(-)

diffs (124 lines):

diff -r 36cce0334dba -r c3ffefcc5054 public_html/admin/syndication.php
--- a/public_html/admin/syndication.php	Sun Jan 05 20:25:09 2014 +0900
+++ b/public_html/admin/syndication.php	Sun Jan 05 23:39:01 2014 +0900
@@ -234,7 +234,7 @@
         $fid = $A['fid'];
     }
     if ($fid == 0) {
-        if (!empty ($type)) { // set defaults
+        if (!empty($type)) { // set defaults
             $A['fid'] = $fid;
             $A['type'] = $type;
             $A['topic'] = '::all';
@@ -457,6 +457,7 @@
     }
 
     // Make sure correct format returned and correct file extenstion
+    $A['filename'] = COM_sanitizeFilename($A['filename'], true);
     $file_parts = pathinfo($A['filename']);
     $A['filename'] = ''; // Clear out filename. If it doesn't get recreated then we know there is an error
     if (!empty($file_parts['filename'])) {
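Review bot: The `true` passed to `COM_sanitizeFilename()` on the added line is an unexplained boolean, and nothing in the hunk records what the sanitizer guarantees about directory separators or `..` before the result reaches `pathinfo()`. A one-line comment would let a reader verify the assumption, for example `// COM_sanitizeFilename(..., true): <what the flag does>; only the basename is reused below`. From what is visible, only `$file_parts['filename']` is carried forward, so a directory prefix in the submitted name is silently dropped rather than rejected — if that is intended, saying so here prevents a later "fix" from reintroducing the path. The enclosing function starts and ends outside this hunk.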
@@ -465,31 +466,31 @@
             if ($A['format'] == ($f['name'] . '-' . $f['version'])) {
                 switch($f['name'])
                 {
-                    case "Atom":
-                        if ($file_parts['extension'] != "atm" OR $file_parts['extension'] != "xml") {
-                            $A['filename'] = $file_parts['filename'] . '.atm'; 
+                    case 'Atom':
+                        if (!in_array(@$file_parts['extension'], array('atm', 'xml'))) {
+                            $file_parts['extension'] = 'xml';
                         }
+
+                        $A['filename'] = $file_parts['filename'] . '.' . $file_parts['extension'];
                         break;
-                    
-                    case "RSS":
-                        if ($file_parts['extension'] != "rss" OR $file_parts['extension'] != "xml") {
-                            $A['filename'] = $file_parts['filename'] . '.rss';
+
+                    case 'RSS':
+                        if (!in_array(@$file_parts['extension'], array('rss', 'xml'))) {
+                            $file_parts['extension'] = 'rss';
                         }
+
+                        $A['filename'] = $file_parts['filename'] . '.' . $file_parts['extension'];
                         break;
-                        
-                    case "RDF":
-                        if ($file_parts['extension'] != "rdf") {
-                            $A['filename'] = $file_parts['filename'] . '.rdf';
-                        }
+
+                    case 'RDF':
+                        $A['filename'] = $file_parts['filename'] . '.rdf';
                         break;
-                        
                 }
-                
             }
         }
     }
-    if (empty ($A['title']) || empty ($A['description']) ||
-            empty ($A['filename'])) {
+    if (empty($A['title']) || empty($A['description']) ||
+            empty($A['filename'])) {
         $retval = COM_showMessageText($LANG33[39], $LANG33[38])
                 . editfeed ($A['fid'], $A['type']);
         $retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG33[38]));
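Review bot: The `@$file_parts['extension']` reads on the Atom and RSS branches rely on error suppression to cover a missing key, and the `in_array()` calls are loose comparisons; both are worth tightening because this string originates from the request. Compute the extension once before the `switch` with `$ext = isset($file_parts['extension']) ? $file_parts['extension'] : '';` and test `!in_array($ext, array('atm', 'xml'), true)` (and likewise `array('rss', 'xml')`). Note also that the check is case-sensitive, so `feed.XML` is rewritten to `feed.xml` rather than kept; that is probably acceptable, but a `strtolower()` on `$ext` would make the intent explicit if extensions are meant to be case-insensitive. The loop and function enclosing this `switch` start and end outside the hunk.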
@@ -516,19 +517,33 @@
     }
 
     // we can compensate if these are missing ...
-    if (empty ($A['charset'])) {
+	if (!empty($A['charset'])) {
+		$A['charset'] = preg_replace('/[^0-9a-zA-Z_\-]/', '', $A['charset']);
+	}
+
+    if (empty($A['charset'])) {
         $A['charset'] = $_CONF['default_charset'];
-        if (empty ($A['charset'])) {
+        if (empty($A['charset'])) {
             $A['charset'] = 'UTF-8';
         }
     }
-    if (empty ($A['language'])) {
+
+    if (!empty($A['language'])) {
+		$A['language'] = preg_replace('/[^0-9a-zA-Z_\.\-]/', '', $A['language']);
+	}
+
+    if (empty($A['language'])) {
         $A['language'] = $_CONF['rdf_language'];
-        if (empty ($A['language'])) {
+        if (empty($A['language'])) {
             $A['language'] = $_CONF['locale'];
         }
     }
-    if (empty ($A['content_length']) || ($A['content_length'] < 0)) {
+
+	if (!empty($A['content_length'])) {
+		$A['content_length'] = intval($A['content_length'], 10);
+	}
+
+    if (empty($A['content_length']) || ($A['content_length'] < 0)) {
         $A['content_length'] = 0;
     }
 
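Review bot: The new `preg_replace()` calls on `$A['charset']` and `$A['language']` strip disallowed characters and then accept whatever remains, so a value such as `UTF-8<x>` becomes `UTF-8x` and is used as-is instead of falling back to `$_CONF['default_charset']`. Since the fallback branch directly below already handles an empty value, rejecting rather than repairing is both simpler and safer: `if (!empty($A['charset']) && !preg_match('/^[0-9a-zA-Z_\-]+$/', $A['charset'])) { $A['charset'] = ''; }`, and the same for `language` with its dot-allowing pattern. The added `charset`, `language` and `content_length` lines are also tab-indented while the surrounding file uses four spaces. Where the sanitised charset is finally emitted (presumably the feed's XML declaration) is outside this hunk, so the exact impact of an unsanitised value cannot be confirmed from here.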
@@ -595,14 +610,14 @@
     $mode = $_REQUEST['mode'];
 }
 if ($mode == 'edit') {
-    if (empty ($_REQUEST['fid'])) {
+    if (empty($_REQUEST['fid'])) {
         $display .= newfeed ();
     } else {
         $display .= editfeed (COM_applyFilter($_REQUEST['fid']));
         $display = COM_createHTMLDocument($display, array('pagetitle' => $LANG33[24]));
     }
 }
-elseif (($mode == $LANG33[1]) && !empty ($LANG33[1]))
+elseif (($mode == $LANG33[1]) && !empty($LANG33[1]))
 {
     $display .= editfeed (0, COM_applyFilter($_REQUEST['type']));
     $display = COM_createHTMLDocument($display, array('pagetitle' => $LANG33[24]));


