diff options
| -rw-r--r-- | admin/cat_list.php | 2 | ||||
| -rw-r--r-- | admin/element_set.php | 2 | ||||
| -rw-r--r-- | admin/element_set_global.php | 6 | ||||
| -rw-r--r-- | admin/picture_modify.php | 3 | ||||
| -rw-r--r-- | include/constants.php | 3 | ||||
| -rw-r--r-- | include/functions.inc.php | 43 |
6 files changed, 59 insertions, 0 deletions
diff --git a/admin/cat_list.php b/admin/cat_list.php index 3a9a1fc46..43403e4f9 100644 --- a/admin/cat_list.php +++ b/admin/cat_list.php @@ -64,6 +64,8 @@ function save_categories_order($categories) // | initialization | // +-----------------------------------------------------------------------+ +check_input_parameter('parent_id', @$_GET['parent_id'], false, PATTERN_ID); + $categories = array(); $base_url = get_root_url().'admin.php?page=cat_list'; diff --git a/admin/element_set.php b/admin/element_set.php index 821c4e188..bc722887b 100644 --- a/admin/element_set.php +++ b/admin/element_set.php @@ -39,6 +39,8 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +check_input_parameter('selection', @$_POST['selection'], true, PATTERN_ID); + // +-----------------------------------------------------------------------+ // | caddie management | // +-----------------------------------------------------------------------+ diff --git a/admin/element_set_global.php b/admin/element_set_global.php index 2ad3ab164..05f4158b7 100644 --- a/admin/element_set_global.php +++ b/admin/element_set_global.php @@ -43,6 +43,12 @@ check_status(ACCESS_ADMINISTRATOR); // | deletion form submission | // +-----------------------------------------------------------------------+ +// the $_POST['selection'] was already checked in element_set.php +check_input_parameter('add_tags', @$_POST['add_tags'], true, PATTERN_ID); +check_input_parameter('del_tags', @$_POST['del_tags'], true, PATTERN_ID); +check_input_parameter('associate', @$_POST['associate'], false, PATTERN_ID); +check_input_parameter('dissociate', @$_POST['dissociate'], false, PATTERN_ID); + if (isset($_POST['delete'])) { if (isset($_POST['confirm_deletion']) and 1 == $_POST['confirm_deletion']) diff --git a/admin/picture_modify.php b/admin/picture_modify.php index c142ae955..71b0d7777 100644 --- a/admin/picture_modify.php +++ b/admin/picture_modify.php @@ -33,6 +33,9 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); // +-----------------------------------------------------------------------+ check_status(ACCESS_ADMINISTRATOR); +check_input_parameter('image_id', $_GET['image_id'], false, PATTERN_ID); +check_input_parameter('cat_id', @$_GET['cat_id'], false, PATTERN_ID); + // +-----------------------------------------------------------------------+ // | synchronize metadata | // +-----------------------------------------------------------------------+ diff --git a/include/constants.php b/include/constants.php index 99a4816e7..2c828702a 100644 --- a/include/constants.php +++ b/include/constants.php @@ -38,6 +38,9 @@ define('ACCESS_ADMINISTRATOR', 3); define('ACCESS_WEBMASTER', 4); define('ACCESS_CLOSED', 5); +// Sanity checks +define('PATTERN_ID', '/^\d+$/'); + // Table names if (!defined('CATEGORIES_TABLE')) define('CATEGORIES_TABLE', $prefixeTable.'categories'); diff --git a/include/functions.inc.php b/include/functions.inc.php index 273d63776..dbcaf6a97 100644 --- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -1492,4 +1492,47 @@ function get_comment_post_key($image_id) ) ); } + +/* + * breaks the script execution if the given value doesn't match the given + * pattern. This should happen only during hacking attempts. + * + * @param string param_name + * @param mixed param_value + * @param boolean is_array + * @param string pattern + * + * @return void + */ +function check_input_parameter($param_name, $param_value, $is_array, $pattern) +{ + // it's ok if the input parameter is null + if (empty($param_value)) + { + return true; + } + + if ($is_array) + { + if (!is_array($param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" should be an array'); + } + + foreach ($param_value as $item_to_check) + { + if (!preg_match($pattern, $item_to_check)) + { + die('[Hacking attempt] an item is not valid in input parameter "'.$param_name.'"'); + } + } + } + else + { + if (!preg_match($pattern, $param_value)) + { + die('[Hacking attempt] the input parameter "'.$param_name.'" is not valid'); + } + } +} ?>
\ No newline at end of file |