From 2696a1a75969ca48fb4fe9df3416e2cd692c8d97 Mon Sep 17 00:00:00 2001
From: nikrou <nikrou@piwigo.org>
Date: Wed, 28 Oct 2009 20:39:00 +0000
Subject: merge from trunk

bug 1220 : fix XSS vulnerability.
filter on since parameter (is_numeric)
use only htmlspecialchars to filter vars to display
revert rev:3600 add left join on users table

Todo : use only left join on users table when a search by author is made

git-svn-id: http://piwigo.org/svn/branches/2.0@4140 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 comments.php | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

(limited to 'comments.php')

diff --git a/comments.php b/comments.php
index a71838713..3380cedfa 100644
--- a/comments.php
+++ b/comments.php
@@ -59,7 +59,14 @@ $since_options = array(
              'clause' => '1=1') // stupid but generic
   );
 
-$page['since'] = isset($_GET['since']) ? $_GET['since'] : 4;
+if (!empty($_GET['since']) && is_numeric($_GET['since']))
+{
+  $page['since'] = $_GET['since'];
+}
+else
+{
+  $page['since'] = 4;
+}
 
 // on which field sorting
 //
@@ -101,13 +108,13 @@ if (isset($_GET['cat']) and 0 != $_GET['cat'])
 }
 
 // search a particular author
-if (isset($_GET['author']) and !empty($_GET['author']))
+if (!empty($_GET['author']))
 {
   $page['where_clauses'][] = 'com.author = \''.$_GET['author'].'\'';
 }
 
 // search a substring among comments content
-if (isset($_GET['keyword']) and !empty($_GET['keyword']))
+if (!empty($_GET['keyword']))
 {
   $page['where_clauses'][] =
     '('.
@@ -180,8 +187,8 @@ $template->set_filenames(array('comments'=>'comments.tpl'));
 $template->assign(
   array(
     'F_ACTION'=>PHPWG_ROOT_PATH.'comments.php',
-    'F_KEYWORD'=>@htmlspecialchars(stripslashes($_GET['keyword'])),
-    'F_AUTHOR'=>@htmlspecialchars(stripslashes($_GET['author'])),
+    'F_KEYWORD'=> @htmlspecialchars($_GET['keyword'], ENT_QUOTES, 'utf-8'),
+    'F_AUTHOR'=> @htmlspecialchars($_GET['author'], ENT_QUOTES, 'utf-8'),
     )
   );
 
@@ -252,8 +259,10 @@ else
 $query = '
 SELECT COUNT(DISTINCT(id))
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
-    INNER JOIN '.COMMENTS_TABLE.' AS com
+    INNER JOIN '.COMMENTS_TABLE.' AS com    
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.'.$conf['user_fields']['id'].' = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
 ;';
@@ -290,6 +299,8 @@ SELECT com.id AS comment_id
   FROM '.IMAGE_CATEGORY_TABLE.' AS ic
     INNER JOIN '.COMMENTS_TABLE.' AS com
     ON ic.image_id = com.image_id
+    LEFT JOIN '.USERS_TABLE.' As u
+    ON u.'.$conf['user_fields']['id'].' = com.author_id
   WHERE '.implode('
     AND ', $page['where_clauses']).'
   GROUP BY comment_id
-- 
cgit v1.2.3