From 6d04381f9d89651ae34452670a725d60e752affc Mon Sep 17 00:00:00 2001
From: plegall
Date: Thu, 8 Jan 2015 13:11:46 +0000
Subject: merge r30864 from trunk to branch 2.7

bug 3186: improved security on search.php

git-svn-id: http://piwigo.org/svn/branches/2.7@30867 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/functions.inc.php | 4 ++--
 search.php                | 9 +++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/functions.inc.php b/include/functions.inc.php
index 7d8957bd3..4ba5eb54c 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1877,9 +1877,9 @@ function check_input_parameter($param_name, $param_array, $is_array, $pattern, $
     fatal_error('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
   }
 
-  foreach ($param_value as $item_to_check)
+  foreach ($param_value as $key => $item_to_check)
   {
-    if (!preg_match($pattern, $item_to_check))
+    if (!preg_match(PATTERN_ID, $key) or !preg_match($pattern, $item_to_check))
     {
       fatal_error('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
     }
diff --git a/search.php b/search.php
index 697454ce0..e4528ea42 100644
--- a/search.php
+++ b/search.php
@@ -48,9 +48,8 @@ if (isset($_POST['submit']))
       and !preg_match('/^\s*$/', $_POST['search_allwords']))
   {
     check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/');
+    check_input_parameter('fields', $_POST, true, '/^(name|comment|file)$/');
 
-    $fields = array_intersect($_POST['fields'], array('name', 'comment', 'file'));
-
     $drop_char_match = array(
       '-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_',
       '?','%','~','.','[',']','{','}',':','\\','/','=','\'','!','*');
@@ -71,7 +70,7 @@ if (isset($_POST['submit']))
           )
         ),
       'mode' => $_POST['mode'],
-      'fields' => $fields,
+      'fields' => $_POST['fields'],
       );
   }
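Review bot: The new key check applies to every caller that passes `$is_array = true`, so an array parameter with string keys (for instance a form field named `foo[bar]`) is now rejected by `fatal_error` even when its values match `$pattern`; the hunk does not say so, and both the function's header and its tail are outside it. That is the intended shape for `fields[]`-style inputs, but it deserves a comment on the new `foreach`, e.g. `// keys must match PATTERN_ID: array parameters are expected to be plain lists, associative keys are treated as tampering`. `PATTERN_ID` is defined elsewhere in the project, presumably as a digits-only pattern; if it is ever widened, this check silently weakens with it. As a style point, `||` rather than `or` keeps both conditions at the usual operator precedence should the expression ever be assigned to a variable.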
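Review bot: The `fields` pattern `/^(name|comment|file)$/` still admits a trailing newline, because without the `D` modifier `$` also matches just before a final `\n`; a value such as `"name\n"` passes validation and is then carried verbatim into the saved rules. The same applies to the `mode` pattern on the context line above it and to the `date_type` pattern added in the later hunk of this file. Anchoring with `'/^(name|comment|file)$/D'` (or `\z` in place of `$`) closes that gap at no cost. Replacing `array_intersect` with a hard failure also changes behaviour for stale but honest forms: an unknown field name is now a fatal error rather than being silently dropped, which is reasonable for a security fix but worth a one-line comment at the new call.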
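Review bot: `'fields' => $_POST['fields']` reads the index unconditionally, while `check_input_parameter` appears to accept an absent parameter (its fifth argument, cut off in the header of the first hunk, looks like a mandatory flag that defaults to off); a request with no `fields[]` at all then stores an undefined value in the rules and emits a PHP notice. The removed `array_intersect` line had the same weakness, so this is not a regression, but the validation call is the natural place to close it: either pass the mandatory flag when calling `check_input_parameter('fields', ...)`, or fall back with `'fields' => isset($_POST['fields']) ? $_POST['fields'] : array(),`. The enclosing `if` block starts outside the hunk.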
@@ -112,6 +111,8 @@ if (isset($_POST['submit']))
   }
 
   // dates
+  check_input_parameter('date_type', $_POST, false, '/^date_(creation|available)$/');
+
   $type_date = $_POST['date_type'];
 
   if (!empty($_POST['start_year']))
@@ -151,7 +152,7 @@ if (isset($_POST['submit']))
 INSERT INTO '.SEARCH_TABLE.'
   (rules, last_seen)
   VALUES
-  (\''.serialize($search).'\', NOW())
+  (\''.pwg_db_real_escape_string(serialize($search)).'\', NOW())
 ;';
   pwg_query($query);
 
-- 
cgit v1.2.3
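Review bot: Escaping the serialized rules closes the quoting gap in the `INSERT`, but the query is still assembled by string concatenation, so the invariant that every interpolated value goes through `pwg_db_real_escape_string` lives only in reviewers' heads; a comment on the new line such as `// $search carries client-provided strings: escape the whole serialized blob before it is interpolated into SQL` would keep a later edit from dropping it. The blob is presumably `unserialize`d when the saved search is re-read, so the rules table effectively round-trips client-controlled strings; that is acceptable only because `$search` is built from the inputs validated earlier in this file, which is worth stating in the same comment. If `pwg_query` ever gains parameter binding, this statement is the first candidate for it.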