diff options
author | nikrou <nikrou@piwigo.org> | 2009-10-28 20:34:29 +0000 |
---|---|---|
committer | nikrou <nikrou@piwigo.org> | 2009-10-28 20:34:29 +0000 |
commit | d7f6cbb5fddd1864d3110bd73e9a633bb9f09f13 (patch) | |
tree | 2ea6d69462584755e37b47778b6f87eb516411f5 /comments.php | |
parent | 5c9929b62e3d4a8448249864a4b87062243f7b33 (diff) |
bug 1220 : fix XSS vulnerability.
filter on since parameter (is_numeric)
use only htmlspecialchars to filter vars to display
revert rev:3600 add left join on users table
Todo : use only left join on users table when a search by author is made
git-svn-id: http://piwigo.org/svn/trunk@4139 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'comments.php')
-rw-r--r-- | comments.php | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/comments.php b/comments.php index d1609fdea..749dcfc92 100644 --- a/comments.php +++ b/comments.php @@ -60,7 +60,14 @@ $since_options = array( 'clause' => '1=1') // stupid but generic ); -$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4; +if (!empty($_GET['since']) && is_numeric($_GET['since'])) +{ + $page['since'] = $_GET['since']; +} +else +{ + $page['since'] = 4; +} // on which field sorting // @@ -102,7 +109,7 @@ if (isset($_GET['cat']) and 0 != $_GET['cat']) } // search a particular author -if (isset($_GET['author']) and !empty($_GET['author'])) +if (!empty($_GET['author'])) { $page['where_clauses'][] = 'u.'.$conf['user_fields']['username'].' = \''.$_GET['author'].'\' @@ -110,7 +117,7 @@ if (isset($_GET['author']) and !empty($_GET['author'])) } // search a substring among comments content -if (isset($_GET['keyword']) and !empty($_GET['keyword'])) +if (!empty($_GET['keyword'])) { $page['where_clauses'][] = '('. @@ -197,8 +204,8 @@ $template->set_filenames(array('comments'=>'comments.tpl')); $template->assign( array( 'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php', - 'F_KEYWORD'=>@htmlspecialchars(stripslashes($_GET['keyword'])), - 'F_AUTHOR'=>@htmlspecialchars(stripslashes($_GET['author'])), + 'F_KEYWORD'=> @htmlspecialchars($_GET['keyword'], ENT_QUOTES, 'utf-8'), + 'F_AUTHOR'=> @htmlspecialchars($_GET['author'], ENT_QUOTES, 'utf-8'), ) ); @@ -269,8 +276,10 @@ else $query = ' SELECT COUNT(DISTINCT(com.id)) FROM '.IMAGE_CATEGORY_TABLE.' AS ic - INNER JOIN '.COMMENTS_TABLE.' AS com + INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id + LEFT JOIN '.USERS_TABLE.' As u + ON u.'.$conf['user_fields']['id'].' = com.author_id WHERE '.implode(' AND ', $page['where_clauses']).' ;'; @@ -308,6 +317,8 @@ SELECT com.id AS comment_id FROM '.IMAGE_CATEGORY_TABLE.' AS ic INNER JOIN '.COMMENTS_TABLE.' AS com ON ic.image_id = com.image_id + LEFT JOIN '.USERS_TABLE.' As u + ON u.'.$conf['user_fields']['id'].' = com.author_id WHERE '.implode(' AND ', $page['where_clauses']).' GROUP BY comment_id |