[pLog-svn] r4731 - plog/branches/lifetype-1.2/class/action
oscar at devel.lifetype.net
oscar at devel.lifetype.net
Tue Feb 13 18:48:18 EST 2007
Author: oscar
Date: 2007-02-13 18:48:18 -0500 (Tue, 13 Feb 2007)
New Revision: 4731
Modified:
plog/branches/lifetype-1.2/class/action/rssaction.class.php
Log:
Fix to the security issue reported by Matt, for LT 1.2. Those of you running the beta or a development snapshot, please upgrade asap as this is quite critical.
Modified: plog/branches/lifetype-1.2/class/action/rssaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/rssaction.class.php 2007-02-13 22:29:08 UTC (rev 4730)
+++ plog/branches/lifetype-1.2/class/action/rssaction.class.php 2007-02-13 23:48:18 UTC (rev 4731)
@@ -22,9 +22,14 @@
function RssAction( $blogInfo, $request )
{
$this->BlogAction( $blogInfo, $request );
-
+
$this->registerFieldValidator( "categoryId", new IntegerValidator(), true );
- $this->registerFieldValidator( "profile", new StringValidator(), true );
+
+ // create a StringValidator and add an extra rule to make sure that the input string contains only
+ // alphanumeric characters
+ $profileValidator = new StringValidator();
+ $profileValidator->addRule( new RegexpRule( "^([a-zA-Z0-9]*)$" ));
+ $this->registerFieldValidator( "profile", $profileValidator, true );
// generate a dummy view with nothing in it to signal an error
$view = new RssView( $this->_blogInfo, RSS_VIEW_DEFAULT_PROFILE );
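Review bot: The pattern `^([a-zA-Z0-9]*)$` on the addRule line accepts the empty string through `*`, which is what the later `if( $profile == "" ) $profile = $defaultProfile;` depends on, but nothing in the comment says this is intentional; extend the comment with `// an empty value is accepted on purpose: the action substitutes the default profile later`. Whether `$` here can also match before a trailing newline depends on how RegexpRule applies the pattern (delimiters and modifiers are not visible in this hunk); if it is a plain PCRE match without the `D` modifier, a value ending in a newline would pass, so confirm that in RegexpRule or anchor with `\z` instead of `$` if the rule is PCRE-based. The constructor continues past the end of this hunk.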
@@ -63,6 +68,11 @@
// use the default profile as configured
$profile = $this->_request->getValue( "profile" );
if( $profile == "" ) $profile = $defaultProfile;
+
+ // sanitize the profile variable
+ $profile = str_replace( ".", "", $profile );
+ $profile = str_replace( "/", "", $profile );
+ $profile = str_replace( "%", "", $profile );
// fetch the category, or set it to '0' otherwise, which will mean
// fetch all the most recent posts from any category
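Review bot: The three str_replace calls are a denylist (`.`, `/`, `%`) that is weaker than the allowlist validator registered in the constructor, and they leave other separator bytes such as backslash and NUL untouched, so the two layers disagree about what a safe profile name is. A single allowlist strip, `$profile = preg_replace( "/[^a-zA-Z0-9]/", "", $profile );`, replaces the three lines, behaves identically for any value the validator has already accepted, and also covers `$defaultProfile`, which comes from configuration rather than the request and is assigned outside this hunk. Keep the `// sanitize the profile variable` comment but say why it is still needed, e.g. `// defence in depth: the request validator already enforces this, but the default profile does not pass through it`. The enclosing method starts and ends outside the hunk.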