aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorplegall <plg@piwigo.org>2009-12-15 00:33:57 +0000
committerplegall <plg@piwigo.org>2009-12-15 00:33:57 +0000
commit742e2a7c0ac86e9bcce2fa6eef65214e869cd19c (patch)
tree39ece70263b1fb2ef881352f11e1f4a38b94afd7
parent8bbbe6c7943296a81df1c232ca7de0329295477f (diff)
bug 1329 fixed: add a check_input_parameter function to prevent hacking
attempts. git-svn-id: http://piwigo.org/svn/branches/2.0@4495 68402e56-0260-453c-a942-63ccdbb3a9ee
-rw-r--r--admin/cat_list.php2
-rw-r--r--admin/element_set.php2
-rw-r--r--admin/element_set_global.php6
-rw-r--r--admin/picture_modify.php3
-rw-r--r--include/constants.php3
-rw-r--r--include/functions.inc.php43
6 files changed, 59 insertions, 0 deletions
diff --git a/admin/cat_list.php b/admin/cat_list.php
index 3a9a1fc46..43403e4f9 100644
--- a/admin/cat_list.php
+++ b/admin/cat_list.php
@@ -64,6 +64,8 @@ function save_categories_order($categories)
// | initialization |
// +-----------------------------------------------------------------------+
+check_input_parameter('parent_id', @$_GET['parent_id'], false, PATTERN_ID);
+
$categories = array();
$base_url = get_root_url().'admin.php?page=cat_list';
diff --git a/admin/element_set.php b/admin/element_set.php
index 821c4e188..bc722887b 100644
--- a/admin/element_set.php
+++ b/admin/element_set.php
@@ -39,6 +39,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('selection', @$_POST['selection'], true, PATTERN_ID);
+
// +-----------------------------------------------------------------------+
// | caddie management |
// +-----------------------------------------------------------------------+
diff --git a/admin/element_set_global.php b/admin/element_set_global.php
index 2ad3ab164..05f4158b7 100644
--- a/admin/element_set_global.php
+++ b/admin/element_set_global.php
@@ -43,6 +43,12 @@ check_status(ACCESS_ADMINISTRATOR);
// | deletion form submission |
// +-----------------------------------------------------------------------+
+// the $_POST['selection'] was already checked in element_set.php
+check_input_parameter('add_tags', @$_POST['add_tags'], true, PATTERN_ID);
+check_input_parameter('del_tags', @$_POST['del_tags'], true, PATTERN_ID);
+check_input_parameter('associate', @$_POST['associate'], false, PATTERN_ID);
+check_input_parameter('dissociate', @$_POST['dissociate'], false, PATTERN_ID);
+
if (isset($_POST['delete']))
{
if (isset($_POST['confirm_deletion']) and 1 == $_POST['confirm_deletion'])
diff --git a/admin/picture_modify.php b/admin/picture_modify.php
index c142ae955..71b0d7777 100644
--- a/admin/picture_modify.php
+++ b/admin/picture_modify.php
@@ -33,6 +33,9 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('image_id', $_GET['image_id'], false, PATTERN_ID);
+check_input_parameter('cat_id', @$_GET['cat_id'], false, PATTERN_ID);
+
// +-----------------------------------------------------------------------+
// | synchronize metadata |
// +-----------------------------------------------------------------------+
diff --git a/include/constants.php b/include/constants.php
index 99a4816e7..2c828702a 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -38,6 +38,9 @@ define('ACCESS_ADMINISTRATOR', 3);
define('ACCESS_WEBMASTER', 4);
define('ACCESS_CLOSED', 5);
+// Sanity checks
+define('PATTERN_ID', '/^\d+$/');
+
// Table names
if (!defined('CATEGORIES_TABLE'))
define('CATEGORIES_TABLE', $prefixeTable.'categories');
diff --git a/include/functions.inc.php b/include/functions.inc.php
index 273d63776..dbcaf6a97 100644
--- a/include/functions.inc.php
+++ b/include/functions.inc.php
@@ -1492,4 +1492,47 @@ function get_comment_post_key($image_id)
)
);
}
+
+/*
+ * breaks the script execution if the given value doesn't match the given
+ * pattern. This should happen only during hacking attempts.
+ *
+ * @param string param_name
+ * @param mixed param_value
+ * @param boolean is_array
+ * @param string pattern
+ *
+ * @return void
+ */
+function check_input_parameter($param_name, $param_value, $is_array, $pattern)
+{
+ // it's ok if the input parameter is null
+ if (empty($param_value))
+ {
+ return true;
+ }
+
+ if ($is_array)
+ {
+ if (!is_array($param_value))
+ {
+ die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array');
+ }
+
+ foreach ($param_value as $item_to_check)
+ {
+ if (!preg_match($pattern, $item_to_check))
+ {
+ die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"');
+ }
+ }
+ }
+ else
+ {
+ if (!preg_match($pattern, $param_value))
+ {
+ die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid');
+ }
+ }
+}
?> \ No newline at end of file