From d7f6cbb5fddd1864d3110bd73e9a633bb9f09f13 Mon Sep 17 00:00:00 2001
From: nikrou <nikrou@piwigo.org>
Date: Wed, 28 Oct 2009 20:34:29 +0000
Subject: bug 1220 : fix XSS vulnerability. filter on since parameter
 (is_numeric) use only htmlspecialchars to filter vars to display revert
 rev:3600 add left join on users table

Todo : use only left join on users table when a search by author is made

git-svn-id: http://piwigo.org/svn/trunk@4139 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 comments.php | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/comments.php b/comments.php
index d1609fdea..749dcfc92 100644
--- a/comments.php
+++ b/comments.php
@@ -60,7 +60,14 @@ $since_options = array(
              'clause' => '1=1') // stupid but generic
   );
 
-$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
+if (!empty($_GET['since']) && is_numeric($_GET['since']))
+{
+  $page['since'] = $_GET['since'];
+}
+else
+{
+  $page['since'] = 4;
+}
 
 // on which field sorting
 //
@@ -102,7 +109,7 @@ if (isset($_GET['cat']) and 0 != $_GET['cat'])
 }
 
 // search a particular author
-if (isset($_GET['author']) and !empty($_GET['author']))
+if (!empty($_GET['author']))
 {
   $page['where_clauses'][] =
     'u.'.$conf['user_fields']['username'].' = \''.$_GET['author'].'\'
@@ -110,7 +117,7 @@ if (isset($_GET['author']) and !empty($_GET['author']))
 }
 
 // search a substring among comments content
-if (isset($_GET['keyword']) and !empty($_GET['keyword']))
+if (!empty($_GET['keyword']))
 {
   $page['where_clauses'][] =
     '('.
@@ -197,8 +204,8 @@ $template->set_filenames(array('comments'=>'comments.tpl'));
 $template->assign(
   array(
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@htmlspecialchars(stripslashes($_GET['keyword'])),
-    'F_AUTHOR'=>@htmlspecialchars(stripslashes($_GET['author'])),
+    'F_KEYWORD'=> @htmlspecialchars($_GET['keyword'], ENT_QUOTES, 'utf-8'),
+    'F_AUTHOR'=> @htmlspecialchars($_GET['author'], ENT_QUOTES, 'utf-8'),
     )
   );
 
@@ -269,8 +276,10 @@ else
 $query = '
 SELECT COUNT(DISTINCT(com.id))
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
-    INNER JOIN '.COMMENTS_TABLE.' AS com
+    INNER JOIN '.COMMENTS_TABLE.' AS com    
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.'.$conf['user_fields']['id'].' = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
 ;';
@@ -308,6 +317,8 @@ SELECT com.id AS comment_id
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.'.$conf['user_fields']['id'].' = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
   GROUP BY comment_id
-- 
cgit v1.2.3