bug 1220 : fix XSS vulnerability.
Filter the since parameter (is_numeric); use only htmlspecialchars to filter variables for display; revert rev:3600; add a left join on the users table. Todo: use the left join on the users table only when a search by author is made. git-svn-id: http://piwigo.org/svn/trunk@4139 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
parent
5c9929b62e
commit
d7f6cbb5fd
1 changed files with 17 additions and 6 deletions
23
comments.php
23
comments.php
|
@ -60,7 +60,14 @@ $since_options = array(
|
|||
'clause' => '1=1') // stupid but generic
|
||||
);
|
||||
|
||||
$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
|
||||
if (!empty($_GET['since']) && is_numeric($_GET['since']))
|
||||
{
|
||||
$page['since'] = $_GET['since'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$page['since'] = 4;
|
||||
}
|
||||
|
||||
// on which field sorting
|
||||
//
|
||||
|
@ -102,7 +109,7 @@ if (isset($_GET['cat']) and 0 != $_GET['cat'])
|
|||
}
|
||||
|
||||
// search a particular author
|
||||
if (isset($_GET['author']) and !empty($_GET['author']))
|
||||
if (!empty($_GET['author']))
|
||||
{
|
||||
$page['where_clauses'][] =
|
||||
'u.'.$conf['user_fields']['username'].' = \''.$_GET['author'].'\'
|
||||
|
@ -110,7 +117,7 @@ if (isset($_GET['author']) and !empty($_GET['author']))
|
|||
}
|
||||
|
||||
// search a substring among comments content
|
||||
if (isset($_GET['keyword']) and !empty($_GET['keyword']))
|
||||
if (!empty($_GET['keyword']))
|
||||
{
|
||||
$page['where_clauses'][] =
|
||||
'('.
|
||||
|
@ -197,8 +204,8 @@ $template->set_filenames(array('comments'=>'comments.tpl'));
|
|||
$template->assign(
|
||||
array(
|
||||
'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
|
||||
'F_KEYWORD'=>@htmlspecialchars(stripslashes($_GET['keyword'])),
|
||||
'F_AUTHOR'=>@htmlspecialchars(stripslashes($_GET['author'])),
|
||||
'F_KEYWORD'=> @htmlspecialchars($_GET['keyword'], ENT_QUOTES, 'utf-8'),
|
||||
'F_AUTHOR'=> @htmlspecialchars($_GET['author'], ENT_QUOTES, 'utf-8'),
|
||||
)
|
||||
);
|
||||
|
||||
|
@ -269,8 +276,10 @@ else
|
|||
$query = '
|
||||
SELECT COUNT(DISTINCT(com.id))
|
||||
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
|
||||
INNER JOIN '.COMMENTS_TABLE.' AS com
|
||||
INNER JOIN '.COMMENTS_TABLE.' AS com
|
||||
ON ic.image_id = com.image_id
|
||||
LEFT JOIN '.USERS_TABLE.' As u
|
||||
ON u.'.$conf['user_fields']['id'].' = com.author_id
|
||||
WHERE '.implode('
|
||||
AND ', $page['where_clauses']).'
|
||||
;';
|
||||
|
@ -308,6 +317,8 @@ SELECT com.id AS comment_id
|
|||
FROM '.IMAGE_CATEGORY_TABLE.' AS ic
|
||||
INNER JOIN '.COMMENTS_TABLE.' AS com
|
||||
ON ic.image_id = com.image_id
|
||||
LEFT JOIN '.USERS_TABLE.' As u
|
||||
ON u.'.$conf['user_fields']['id'].' = com.author_id
|
||||
WHERE '.implode('
|
||||
AND ', $page['where_clauses']).'
|
||||
GROUP BY comment_id
|
||||
|
|
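Review bot: The author filter in the `@ -102,7 +109,7` hunk still concatenates `$_GET['author']` straight into the SQL text on the line `'u.'.$conf['user_fields']['username'].' = \''.$_GET['author'].'\''`, so the new `if (!empty($_GET['author']))` guard changes nothing about the value that reaches the query; unless the request parameters are escaped globally before this file runs (the dropped `stripslashes` hints that magic quotes were being relied on), this remains an SQL injection point that the XSS fix does not close, and the value should go through the database layer's string-escaping function at the point of use. The `@ -110,7 +117,7` keyword hunk has the same shape, but its `if` body runs past the hunk edge, so only its guard line is visible here. In the `@ -60,7 +60,14` hunk, `is_numeric($_GET['since'])` also accepts values such as `'4.0'`, `' 4'` and `'1e1'`; if `$page['since']` is later used as a key into `$since_options` (the array that opens that hunk suggests so), those would miss every key, so `if (isset($since_options[$_GET['since']]))` would be both the tighter and the self-documenting check. The eight-line if/else that follows can also be collapsed to one expression once the condition is settled, e.g. `$page['since'] = isset($since_options[$_GET['since']]) ? $_GET['since'] : 4;`.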