archive/piwigo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

bug 245 fixed : GET parameters "since", "sort_by", "sort_order",

Browse source 
"items_number", and "cat" are now checked before being used in SQL queries.


git-svn-id: http://piwigo.org/svn/branches/branch-1_5@987 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
plegall 2005-12-24 15:31:25 +00:00
parent a4b2bcbb80
commit 2268adf642
1 changed files with 65 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

81
comments.php
View file

@ -61,7 +61,20 @@ $since_options = array(
'clause' => '1=1') // stupid but generic 'clause' => '1=1') // stupid but generic
); );
$page['since'] = isset($_GET['since']) ? $_GET['since'] : 1; // since
//
$page['since'] = 1;
if (isset($_GET['since']))
{
if (!isset($since_options{ $_GET['since'] }))
{
die('Hacking attempt on "since" GET parameter');
}
else
{
$page['since'] = $_GET['since'];
}
}
// on which field sorting // on which field sorting
// //
@ -69,7 +82,14 @@ $page['sort_by'] = 'date';
// if the form was submitted, it overloads default behaviour // if the form was submitted, it overloads default behaviour
if (isset($_GET['sort_by'])) if (isset($_GET['sort_by']))
{ {
$page['sort_by'] = $_GET['sort_by']; if (!isset($sort_by{ $_GET['sort_by'] }))
{
die('Hacking attempt on "sort_by" GET parameter');
}
else
{
$page['sort_by'] = $_GET['sort_by'];
}
} }
// order to sort // order to sort
@ -78,7 +98,14 @@ $page['sort_order'] = $sort_order['descending'];
// if the form was submitted, it overloads default behaviour // if the form was submitted, it overloads default behaviour
if (isset($_GET['sort_order'])) if (isset($_GET['sort_order']))
{ {
$page['sort_order'] = $sort_order[$_GET['sort_order']]; if (!isset($sort_order{ $_GET['sort_order'] }))
{
die('Hacking attempt on "sort_order" GET parameter');
}
else
{
$page['sort_order'] = $sort_order[$_GET['sort_order']];
}
} }
// number of items to display // number of items to display
@ -86,15 +113,35 @@ if (isset($_GET['sort_order']))
$page['items_number'] = 5; $page['items_number'] = 5;
if (isset($_GET['items_number'])) if (isset($_GET['items_number']))
{ {
$page['items_number'] = $_GET['items_number']; if (!in_array($_GET['items_number'], $items_number))
{
die('Hacking attempt on "items_number" GET parameter');
}
else
{
$page['items_number'] = $_GET['items_number'];
}
} }
// which category to filter on ? // which category to filter on ?
$page['cat_clause'] = '1=1'; $page['cat_clause'] = '1=1';
if (isset($_GET['cat']) and 0 != $_GET['cat']) if (isset($_GET['cat']))
{ {
$page['cat_clause'] = if (''.intval($_GET['cat']) != ''.$_GET['cat'])
'category_id IN ('.implode(',', get_subcat_ids(array($_GET['cat']))).')'; {
die('Hacking attempt on "cat" GET parameter');
}
else if (0 != $_GET['cat'])
{
$page['cat_clause'] =
'category_id IN ('.
implode(
',',
get_subcat_ids(array($_GET['cat']))
).
')'
;
}
} }
// search a particular author // search a particular author
@ -127,16 +174,18 @@ if (isset($_GET['keyword']) and !empty($_GET['keyword']))
} }
$page['keyword_clause'] = $page['keyword_clause'] =
'('. '('.
implode(' AND ', implode(
array_map( ' AND ',
create_function( array_map(
'$s', create_function(
'return "content LIKE \'%$s%\'";' '$s',
), 'return "content LIKE \'%$s%\'";'
preg_split('/[\s,;]+/', $keyword) ),
) preg_split('/[\s,;]+/', $keyword)
)
). ).
')'; ')'
;
} }
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+