[geeklog-hg] geeklog: Fixed a potential security issue with the syndication e...
geeklog-cvs at lists.geeklog.net
Sun Jan 5 09:41:26 EST 2014
changeset 9391:c3ffefcc5054
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/c3ffefcc5054
user: Kenji ITO <mystralkk at gmail.com>
date: Sun Jan 05 23:39:01 2014 +0900
description:
Fixed a potential security issue with the syndication editor
diffstat:
public_html/admin/syndication.php | 63 ++++++++++++++++++++++++--------------
1 files changed, 39 insertions(+), 24 deletions(-)
diffs (124 lines):
diff -r 36cce0334dba -r c3ffefcc5054 public_html/admin/syndication.php
--- a/public_html/admin/syndication.php Sun Jan 05 20:25:09 2014 +0900
+++ b/public_html/admin/syndication.php Sun Jan 05 23:39:01 2014 +0900
@@ -234,7 +234,7 @@
$fid = $A['fid'];
}
if ($fid == 0) {
- if (!empty ($type)) { // set defaults
+ if (!empty($type)) { // set defaults
$A['fid'] = $fid;
$A['type'] = $type;
$A['topic'] = '::all';
@@ -457,6 +457,7 @@
}
// Make sure correct format returned and correct file extenstion
+ $A['filename'] = COM_sanitizeFilename($A['filename'], true);
$file_parts = pathinfo($A['filename']);
$A['filename'] = ''; // Clear out filename. If it doesn't get recreated then we know there is an error
if (!empty($file_parts['filename'])) {
@@ -465,31 +466,31 @@
if ($A['format'] == ($f['name'] . '-' . $f['version'])) {
switch($f['name'])
{
- case "Atom":
- if ($file_parts['extension'] != "atm" OR $file_parts['extension'] != "xml") {
- $A['filename'] = $file_parts['filename'] . '.atm';
+ case 'Atom':
+ if (!in_array(@$file_parts['extension'], array('atm', 'xml'))) {
+ $file_parts['extension'] = 'xml';
}
+
+ $A['filename'] = $file_parts['filename'] . '.' . $file_parts['extension'];
break;
-
- case "RSS":
- if ($file_parts['extension'] != "rss" OR $file_parts['extension'] != "xml") {
- $A['filename'] = $file_parts['filename'] . '.rss';
+
+ case 'RSS':
+ if (!in_array(@$file_parts['extension'], array('rss', 'xml'))) {
+ $file_parts['extension'] = 'rss';
}
+
+ $A['filename'] = $file_parts['filename'] . '.' . $file_parts['extension'];
break;
-
- case "RDF":
- if ($file_parts['extension'] != "rdf") {
- $A['filename'] = $file_parts['filename'] . '.rdf';
- }
+
+ case 'RDF':
+ $A['filename'] = $file_parts['filename'] . '.rdf';
break;
-
}
-
}
}
}
- if (empty ($A['title']) || empty ($A['description']) ||
- empty ($A['filename'])) {
+ if (empty($A['title']) || empty($A['description']) ||
+ empty($A['filename'])) {
$retval = COM_showMessageText($LANG33[39], $LANG33[38])
. editfeed ($A['fid'], $A['type']);
$retval = COM_createHTMLDocument($retval, array('pagetitle' => $LANG33[38]));
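Review bot: The `@$file_parts['extension']` in the Atom and RSS checks silences the undefined-index notice rather than testing for it, and `in_array` is called without strict comparison; an explicit test is clearer and does not hide other notices, e.g. `if (!isset($file_parts['extension']) || !in_array($file_parts['extension'], array('atm', 'xml'), true)) {` for Atom and the same shape with `array('rss', 'xml')` for RSS. Since pathinfo() preserves case, an upper-case `.XML` is not in the list and is replaced by the branch default, which is the safe direction but worth a comment such as `// case-sensitive on purpose: anything outside the whitelist is replaced` so nobody later swaps in a case-insensitive compare. The Atom and RSS branches now assemble `$A['filename']` identically, so the per-feed whitelist and default could live in one lookup table with the assignment done once after the switch. The switch's enclosing loop and function start outside the hunk.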
@@ -516,19 +517,33 @@
}
// we can compensate if these are missing ...
- if (empty ($A['charset'])) {
+ if (!empty($A['charset'])) {
+ $A['charset'] = preg_replace('/[^0-9a-zA-Z_\-]/', '', $A['charset']);
+ }
+
+ if (empty($A['charset'])) {
$A['charset'] = $_CONF['default_charset'];
- if (empty ($A['charset'])) {
+ if (empty($A['charset'])) {
$A['charset'] = 'UTF-8';
}
}
- if (empty ($A['language'])) {
+
+ if (!empty($A['language'])) {
+ $A['language'] = preg_replace('/[^0-9a-zA-Z_\.\-]/', '', $A['language']);
+ }
+
+ if (empty($A['language'])) {
$A['language'] = $_CONF['rdf_language'];
- if (empty ($A['language'])) {
+ if (empty($A['language'])) {
$A['language'] = $_CONF['locale'];
}
}
- if (empty ($A['content_length']) || ($A['content_length'] < 0)) {
+
+ if (!empty($A['content_length'])) {
+ $A['content_length'] = intval($A['content_length'], 10);
+ }
+
+ if (empty($A['content_length']) || ($A['content_length'] < 0)) {
$A['content_length'] = 0;
}
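Review bot: The charset and language filters in the two `preg_replace` lines strip disallowed characters instead of rejecting the value, so input like `UTF-8;foo` silently becomes `UTF-8foo` and is passed on as if it were valid; matching the whole value against the whitelist and falling back to the configured default is stricter and easier to reason about, e.g. `if (!preg_match('/^[0-9a-zA-Z_\-]+$/', $A['charset'])) { $A['charset'] = ''; }` placed before the existing `empty()` fallback, with the same pattern plus `\.` for language. The `intval($A['content_length'], 10)` call is only reached for non-empty input, so a non-numeric string collapses to 0 and then passes the `< 0` guard as 0; that appears to be the intended outcome but deserves a short comment, `// non-numeric input collapses to 0 via intval()`. The enclosing function starts and ends outside the hunk.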
@@ -595,14 +610,14 @@
$mode = $_REQUEST['mode'];
}
if ($mode == 'edit') {
- if (empty ($_REQUEST['fid'])) {
+ if (empty($_REQUEST['fid'])) {
$display .= newfeed ();
} else {
$display .= editfeed (COM_applyFilter($_REQUEST['fid']));
$display = COM_createHTMLDocument($display, array('pagetitle' => $LANG33[24]));
}
}
-elseif (($mode == $LANG33[1]) && !empty ($LANG33[1]))
+elseif (($mode == $LANG33[1]) && !empty($LANG33[1]))
{
$display .= editfeed (0, COM_applyFilter($_REQUEST['type']));
$display = COM_createHTMLDocument($display, array('pagetitle' => $LANG33[24]));