[pLog-svn] r3264 - in plog/branches/lifetype-1.0.4/class: action data/validator

jondaley at devel.lifetype.net jondaley at devel.lifetype.net
Wed Apr 19 11:23:02 GMT 2006 

Author: jondaley
Date: 2006-04-19 11:23:02 +0000 (Wed, 19 Apr 2006)
New Revision: 3264

Added:
   plog/branches/lifetype-1.0.4/class/data/validator/templatenamevalidator.class.php
Modified:
   plog/branches/lifetype-1.0.4/class/action/templateaction.class.php
Log:
ported 3259 from 1.1 to fix the xss vulnerability in template names.  Any good way to figure out if there are more vulnerabilities?

Modified: plog/branches/lifetype-1.0.4/class/action/templateaction.class.php
===================================================================
--- plog/branches/lifetype-1.0.4/class/action/templateaction.class.php	2006-04-19 08:09:19 UTC (rev 3263)
+++ plog/branches/lifetype-1.0.4/class/action/templateaction.class.php	2006-04-19 11:23:02 UTC (rev 3264)
@@ -3,8 +3,9 @@
 	include_once( PLOG_CLASS_PATH."class/action/blogaction.class.php" );
     include_once( PLOG_CLASS_PATH."class/view/templateview.class.php" );
     include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
-    include_once( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
+    include_once( PLOG_CLASS_PATH."class/data/validator/templatenamevalidator.class.php" );
 
+
     /**
      * \ingroup Action
      * @private
@@ -39,8 +40,12 @@
     	function TemplateAction( $actionInfo, $request )
         {
         	$this->BlogAction( $actionInfo, $request );
-        	
-        	$this->registerFieldValidator( "show", new StringValidator());
+
+        	$this->registerFieldValidator( "show", new TemplateNameValidator());
+
+            $view = new ErrorView( $this->_blogInfo );
+            $view->setErrorMessage( "Bad characters in the template name." );
+            $this->setValidationErrorView( $view );
         	$view = new ErrorView( $this->_blogInfo, "error_parameter_missing" );
         	$this->setValidationErrorView( $view );
         }
@@ -55,17 +60,16 @@
          */
         function perform()
         {
-        	// get the value of the template we're trying to render
+                // get the value of the template we're trying to render
         	$templateFile = $this->_request->getValue( "show" );
-            // then, check if it has any extraneous character
-            if( strstr( $templateFile, ".." )) {
+                // then, check if it has any extraneous character
+            if( !$templateFile || strstr( $templateFile, ".." )) {
             	$this->_view = new ErrorView( $this->_blogInfo );
                 $this->_view->setValue( "message", "error_incorrect_parameter" );
                 $this->setCommonData();
 
                 return false;
             }	        
-	        
         	// get the name of the template file and create the view
         	$this->_view = new TemplateView( $this->_blogInfo, 
 			                                 $this->_request->getValue( "show" ));

Copied: plog/branches/lifetype-1.0.4/class/data/validator/templatenamevalidator.class.php (from rev 3259, plog/trunk/class/data/validator/templatenamevalidator.class.php)

More information about the pLog-svn mailing list