[pLog-svn] r3681 - plog/branches/lifetype-1.0.6/class/action

Oscar Renalias oscar at renalias.net
Mon Jul 17 21:16:09 GMT 2006


Mark,

since you made these changes, can you check if they're needed in 1.1?

Oscar

On 3 Jul 2006, at 19:24, mark at devel.lifetype.net wrote:

> Author: mark
> Date: 2006-07-03 16:24:24 +0000 (Mon, 03 Jul 2006)
> New Revision: 3681
>
> Modified:
>    plog/branches/lifetype-1.0.6/class/action/blogaction.class.php
>    plog/branches/lifetype-1.0.6/class/action/defaultaction.class.php
>    plog/branches/lifetype-1.0.6/class/action/ 
> viewarticleaction.class.php
> Log:
> Fixed a SQL injection issue reported on plog-svn.
>
> Modified: plog/branches/lifetype-1.0.6/class/action/ 
> blogaction.class.php
> ===================================================================
> --- plog/branches/lifetype-1.0.6/class/action/blogaction.class.php	 
> 2006-07-03 15:52:54 UTC (rev 3680)
> +++ plog/branches/lifetype-1.0.6/class/action/blogaction.class.php	 
> 2006-07-03 16:24:24 UTC (rev 3681)
> @@ -8,7 +8,8 @@
>      include_once( PLOG_CLASS_PATH."class/security/ 
> pipeline.class.php" );
>  	include_once( PLOG_CLASS_PATH."class/net/http/ 
> subdomains.class.php" );
>  	include_once( PLOG_CLASS_PATH."class/dao/referers.class.php" );
> -    include_once( PLOG_CLASS_PATH."class/dao/articles.class.php" );	
> +    include_once( PLOG_CLASS_PATH."class/dao/articles.class.php" );
> +    include_once( PLOG_CLASS_PATH."class/data/validator/ 
> integervalidator.class.php" );
>
>      /**
>       * \ingroup Action
> @@ -210,16 +211,18 @@
>          function checkDateParameter()
>          {
>          	$date = $this->_request->getValue( 'Date' );
> -        	if( $date ) {
> +        	$val = new IntegerValidator();
> +        	if( $date && $val->validate( $date ) ) {
>              	$year = substr( $date, 0, 4);
>                  $month = substr( $date, 4,2 );
>                  $day = substr( $date, 6, 2);
>              }
>              else {
> -            		$t = new Timestamp();
> -                	$year = $t->getYear();
> -                	$month = $t->getMonth();
> -                	$day = $t->getDay();
> +                $year = date('Y');
> +                // $month = $t->getMonth();
> +                $month = date('m');
> +                // $day = $t->getDay();
> +                $day = date('d');
>              }
>
>              $this->_session->setValue( 'Year', $year );
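Review bot: The new guard on line 53 only asks IntegerValidator whether `$date` is an integer, while the `substr()` calls on lines 54–56 assume an 8-character YYYYMMDD string; unless IntegerValidator also constrains length (not visible here), a value such as `5` or a 10-digit number passes the check and leaves `$month`/`$day` empty or truncated before they are stored in the session on line 70. Tightening the condition to `if( $date && $val->validate( $date ) && strlen( $date ) == 8 ) {` keeps the fallback branch for every malformed value. The commented-out `$t->getMonth()` / `$t->getDay()` lines (64, 66) should be dropped rather than left as dead code, and if the removed Timestamp class applied a configured timezone, `date('Y'/'m'/'d')` now uses the server default — worth confirming. checkDateParameter continues beyond the end of this hunk.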
>
> Modified: plog/branches/lifetype-1.0.6/class/action/ 
> defaultaction.class.php
> ===================================================================
> --- plog/branches/lifetype-1.0.6/class/action/ 
> defaultaction.class.php	2006-07-03 15:52:54 UTC (rev 3680)
> +++ plog/branches/lifetype-1.0.6/class/action/ 
> defaultaction.class.php	2006-07-03 16:24:24 UTC (rev 3681)
> @@ -45,6 +45,10 @@
>  	
>              // value of the Date parameter from the request
>              $this->_date = $this->_request->getValue( "Date", -1 );
> +        	$val = new IntegerValidator();
> +        	if( !$val->validate( $this->_date ) ) {
> +            	$this->_date = -1;
> +            }
>
>  			$this->_categoryName = $this->_request->getValue 
> ( 'postCategoryName' );
>              $this->_categoryId = $this->_request->getValue 
> ( 'postCategoryId' );
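Review bot: `new IntegerValidator()` on line 83 has no matching `include_once` of integervalidator.class.php in this file's hunk; the include is added only in blogaction.class.php, so unless DefaultAction inherits that include or it is pulled in elsewhere (not visible here), this constructor fails with an undefined class. The identical four-line check is repeated verbatim in viewarticleaction.class.php (lines 104–107), which suggests a shared helper in the common base class, e.g. `$this->_date = $val->validate( $this->_date ) ? $this->_date : -1;` behind one method. `postCategoryId` (lines 90–91) and `userId` (line 101 of the viewarticleaction hunk) are read with the same request/default pattern but receive no validation; if they flow into queries the way Date did, they need the same treatment. The enclosing constructors begin and end outside these hunks.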
>
> Modified: plog/branches/lifetype-1.0.6/class/action/ 
> viewarticleaction.class.php
> ===================================================================
> --- plog/branches/lifetype-1.0.6/class/action/ 
> viewarticleaction.class.php	2006-07-03 15:52:54 UTC (rev 3680)
> +++ plog/branches/lifetype-1.0.6/class/action/ 
> viewarticleaction.class.php	2006-07-03 16:24:24 UTC (rev 3681)
> @@ -61,6 +61,10 @@
>  			$this->_userId = $this->_request->getValue( "userId", -1 );
>  			$this->_userName = $this->_request->getValue( "userName" );
>  			$this->_date = $this->_request->getValue( "Date", -1 );
> +        	$val = new IntegerValidator();
> +        	if( !$val->validate( $this->_date ) ) {
> +            	$this->_date = -1;
> +            }
>  			$this->_isCommentAdded = ($this->_request->getValue( "op" ) ==  
> "AddComment" );
>  			
>  			// Caculate the correct article date period
>
