merge r26825 from trunk to branch 2.5

bug 3020 and bug 3021 fixed: additionnal checks in search inputs git-svn-id: http://piwigo.org/svn/branches/2.5@27933 68402e56-0260-453c-a942-63ccdbb3a9ee
2014-03-25 12:53:10 +00:00 · 2014-03-25 12:53:10 +00:00 · 9ce59f1af3
commit 9ce59f1af3
parent 3e09f3ea83
3 changed files with 14 additions and 7 deletions
--- a/include/functions_search.inc.php
+++ b/include/functions_search.inc.php
@ -117,9 +117,13 @@ function get_sql_search_clause($search)
      create_function('&$s','$s="(".$s.")";')
      );

-    array_push(
-      $clauses,
-      "\n         ".
+    // make sure the "mode" is either OR or AND
+    if ($search['fields']['allwords']['mode'] != 'AND' and $search['fields']['allwords']['mode'] != 'OR')
+    {
+      $search['fields']['allwords']['mode'] = 'AND';
+    }
+
+    $clauses[] = "\n         ".
      implode(
        "\n         ".
              $search['fields']['allwords']['mode'].
@ -797,4 +801,4 @@ function get_search_results($search_id, $super_order_by, $images_where='')
    return get_quick_search_results($search['q'], $super_order_by, $images_where);
  }
 }
-?>
+?>
--- a/search.php
+++ b/search.php
@ -47,6 +47,8 @@ if (isset($_POST['submit']))
  if (isset($_POST['search_allwords'])
      and !preg_match('/^\s*$/', $_POST['search_allwords']))
  {
+    check_input_parameter('mode', $_POST, false, '/^(OR|AND)$/');
+    
    $drop_char_match = array(
      '-','^','$',';','#','&','(',')','<','>','`','\'','"','|',',','@','_',
      '?','%','~','.','[',']','{','}',':','\\','/','=','\'','!','*');
@ -73,6 +75,7 @@ if (isset($_POST['submit']))
  if (isset($_POST['tags']))
  {
    check_input_parameter('tags', $_POST, true, PATTERN_ID);
+    check_input_parameter('tag_mode', $_POST, false, '/^(OR|AND)$/');
    
    $search['fields']['tags'] = array(
      'words' => $_POST['tags'],
@ -85,7 +88,7 @@ if (isset($_POST['submit']))
    $search['fields']['author'] = array(
      'words' => preg_split(
        '/\s+/',
-        $_POST['search_author']
+        strip_tags($_POST['search_author'])
        ),
      'mode' => 'OR',
      );
--- a/search_rules.php
+++ b/search_rules.php
@ -106,7 +106,7 @@ if (isset($search['fields']['author']))
    'search_words',
     sprintf(
          l10n('author(s) : %s'),
-          join(', ', $search['fields']['author']['words'])
+          join(', ', array_map('strip_tags', $search['fields']['author']['words']))
        )
      );
 }
@ -240,4 +240,4 @@ foreach (array('date_available', 'date_creation') as $datefield)

 $template->pparse('search_rules');
 include(PHPWG_ROOT_PATH.'include/page_tail.php');
-?>
+?>