Changeset 1274

Timestamp:

02/13/06 23:12:17 (3 years ago)

Author:

mbonetti

Message:

fix for two possible security holes

Location:

trunk/rss

Files:

• feed.php (modified) (1 diff)
• init.php (modified) (1 diff)

trunk/rss/feed.php

@@ -169 +169 @@
 }
 elseif (array_key_exists('channel',$_REQUEST) || array_key_exists('folder',$_REQUEST) || array_key_exists('vfolder',$_REQUEST)) {
-    $cid= (array_key_exists('channel',$_REQUEST))?$_REQUEST['channel']:"";
-    $iid= (array_key_exists('iid',$_REQUEST))?$_REQUEST['iid']:"";
-    $fid= (array_key_exists('folder',$_REQUEST))?$_REQUEST['folder']:"";
-    $vfid= (array_key_exists('vfolder',$_REQUEST))?$_REQUEST['vfolder']:"";
-
-    $y= (array_key_exists('y',$_REQUEST))?$_REQUEST['y']:"0";
-    $m= (array_key_exists('m',$_REQUEST))?$_REQUEST['m']:"0";
-    $d= (array_key_exists('d',$_REQUEST))?$_REQUEST['d']:"0";
+    $cid= (array_key_exists('channel',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['channel']):"";
+    $iid= (array_key_exists('iid',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['iid']):"";
+    $fid= (array_key_exists('folder',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['folder']):"";
+    $vfid= (array_key_exists('vfolder',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['vfolder']):"";
+    
+    $y= (array_key_exists('y',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['y']):"0";
+    $m= (array_key_exists('m',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['m']):"0";
+    $d= (array_key_exists('d',$_REQUEST))?preg_replace('#\s#','',$_REQUEST['d']):"0";
 
     if ($fid) {

trunk/rss/init.php

@@ -111 +111 @@
 //
 $lang = getConfig('rss.output.lang');
-
+if (!preg_match('#^[a-zA-Z]+$#', $lang)) {
+    die('woopsie, bad lang: ' .$lang);
+}
 if ($lang && file_exists(dirname(__FILE__) . "/" . "intl/$lang.php")) {
     rss_require("intl/$lang.php");