[pLog-svn] r3264 - in plog/branches/lifetype-1.0.4/class: action
data/validator
jondaley at devel.lifetype.net
Wed Apr 19 11:23:02 GMT 2006
Author: jondaley
Date: 2006-04-19 11:23:02 +0000 (Wed, 19 Apr 2006)
New Revision: 3264
Added:
plog/branches/lifetype-1.0.4/class/data/validator/templatenamevalidator.class.php
Modified:
plog/branches/lifetype-1.0.4/class/action/templateaction.class.php
Log:
ported 3259 from 1.1 to fix the xss vulnerability in template names. Any good way to figure out if there are more vulnerabilities?
Modified: plog/branches/lifetype-1.0.4/class/action/templateaction.class.php
===================================================================
--- plog/branches/lifetype-1.0.4/class/action/templateaction.class.php 2006-04-19 08:09:19 UTC (rev 3263)
+++ plog/branches/lifetype-1.0.4/class/action/templateaction.class.php 2006-04-19 11:23:02 UTC (rev 3264)
@@ -3,8 +3,9 @@
include_once( PLOG_CLASS_PATH."class/action/blogaction.class.php" );
include_once( PLOG_CLASS_PATH."class/view/templateview.class.php" );
include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
- include_once( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
+ include_once( PLOG_CLASS_PATH."class/data/validator/templatenamevalidator.class.php" );
+
/**
* \ingroup Action
* @private
@@ -39,8 +40,12 @@
function TemplateAction( $actionInfo, $request )
{
$this->BlogAction( $actionInfo, $request );
-
- $this->registerFieldValidator( "show", new StringValidator());
+
+ $this->registerFieldValidator( "show", new TemplateNameValidator());
+
+ $view = new ErrorView( $this->_blogInfo );
+ $view->setErrorMessage( "Bad characters in the template name." );
+ $this->setValidationErrorView( $view );
$view = new ErrorView( $this->_blogInfo, "error_parameter_missing" );
$this->setValidationErrorView( $view );
}
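Review bot: The error view created on the three added lines before `$view = new ErrorView( $this->_blogInfo, "error_parameter_missing" );` is never used, because the two existing lines that follow build a second view and call `$this->setValidationErrorView( $view )` again, so a template name rejected by TemplateNameValidator is reported to the user as a missing parameter rather than as bad characters. If the "bad characters" view is the intended one, remove the trailing pair `$view = new ErrorView( $this->_blogInfo, "error_parameter_missing" ); $this->setValidationErrorView( $view );`; otherwise the three added lines are dead code. The new message is also a hard-coded English string, whereas the surrounding code passes locale keys such as `"error_parameter_missing"` to ErrorView, so a key (name to be chosen, e.g. `error_template_name_invalid` as a placeholder) would be consistent with the rest of the action. What TemplateNameValidator actually accepts lives in the copied file, which is not shown in this diff, so whether it also covers the `..` check that perform() still does separately cannot be confirmed here.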
@@ -55,17 +60,16 @@
*/
function perform()
{
- // get the value of the template we're trying to render
+ // get the value of the template we're trying to render
$templateFile = $this->_request->getValue( "show" );
- // then, check if it has any extraneous character
- if( strstr( $templateFile, ".." )) {
+ // then, check if it has any extraneous character
+ if( !$templateFile || strstr( $templateFile, ".." )) {
$this->_view = new ErrorView( $this->_blogInfo );
$this->_view->setValue( "message", "error_incorrect_parameter" );
$this->setCommonData();
return false;
}
-
// get the name of the template file and create the view
$this->_view = new TemplateView( $this->_blogInfo,
$this->_request->getValue( "show" ));
Copied: plog/branches/lifetype-1.0.4/class/data/validator/templatenamevalidator.class.php (from rev 3259, plog/trunk/class/data/validator/templatenamevalidator.class.php)