[pLog-svn] r4824 - plugins/branches/lifetype-1.2/templateeditor/class/action

oscar at devel.lifetype.net oscar at devel.lifetype.net
Thu Feb 22 15:22:02 EST 2007


Author: oscar
Date: 2007-02-22 15:22:02 -0500 (Thu, 22 Feb 2007)
New Revision: 4824

Modified:
   plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogedittemplatefileaction.class.php
   plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogtemplateslistaction.class.php
   plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteedittemplatefileaction.class.php
   plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsitetemplateslistaction.class.php
Log:
Just to be on the safe side...


Modified: plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogedittemplatefileaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogedittemplatefileaction.class.php	2007-02-22 20:17:12 UTC (rev 4823)
+++ plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogedittemplatefileaction.class.php	2007-02-22 20:22:02 UTC (rev 4824)
@@ -37,8 +37,15 @@
 		
 		function perform()
 		{
+			// fetch and sanitize parameters
             $this->_templateId = $this->_request->getValue( "templateId" );
-            $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+			$this->_templateId = str_replace( "/", "", $this->_templateId );
+			$this->_templateId = str_replace( "..", "", $this->_templateId );
+			
+			// sanitize parameter subFolderId
+            $this->_subFolderId = $this->_request->getValue( "subFolderId" );			
+			$this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+			$this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
 
 			// fetch and sanitize the "fileId" parameter
             $this->_fileId = $this->_request->getValue( "fileId" );
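Review bot: The sanitizing added on lines 31-32 and 36-37 is a deny-list (strip "/" and "..") rather than an allow-list, and the same pattern recurs in the hunks ending at lines 57, 78 and 94. A deny-list only stops the two sequences it names: a backslash is left untouched (relevant when the code runs on Windows), an array value from the request survives `str_replace` as an array, and an input such as `"..."` is reduced to `"."` rather than rejected, so whether the result is a safe path component still depends on how `_templateId` and `_subFolderId` are later joined into a path, which is outside the hunk. If template and folder ids are restricted to identifier characters (confirm against how templates are created), replacing the two `str_replace` lines with a single positive check, e.g. `$this->_templateId = preg_match( '/^[A-Za-z0-9_-]+$/', $this->_templateId ) ? $this->_templateId : '';`, and the equivalent for `_subFolderId`, rejects everything unexpected instead of trying to enumerate bad input. Since the four actions now carry identical copies of this logic (and line 39 shows a fifth for `fileId`), it would be better as one shared helper so a future fix lands in one place. `perform()` continues beyond this hunk.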

Modified: plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogtemplateslistaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogtemplateslistaction.class.php	2007-02-22 20:17:12 UTC (rev 4823)
+++ plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogtemplateslistaction.class.php	2007-02-22 20:22:02 UTC (rev 4824)
@@ -36,7 +36,10 @@
 			$this->_templateId = str_replace( "/", "", $this->_templateId );
 			$this->_templateId = str_replace( "..", "", $this->_templateId );
 
-            $this->_subFolderId = $this->_request->getValue( "subFolderId" );     
+			// sanitize parameter subFolderId
+            $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+			$this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+			$this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
             
             if ( empty($this->_subFolderId) ) {
                 $this->_view = new PluginBlogTemplatesListView( $this->_blogInfo, $this->_templateId );
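Review bot: After the new sanitizing on lines 53-54, a `subFolderId` that consisted only of stripped characters (for example `"../"`) becomes an empty string and the `empty()` check on line 56 then silently takes the "no sub-folder" branch, so a malformed request is served as if it were a normal listing rather than being refused; the same applies to the hunk ending at line 94. Consider keeping the raw value and deciding explicitly, e.g. `if ( $this->_subFolderId !== $this->_request->getValue( "subFolderId" ) ) { /* rejected: show an error view */ }`, before the `empty()` test, so that tampered input is visible in logs and to the user rather than absorbed. Note also that `empty()` treats a sub-folder named `"0"` as absent; `$this->_subFolderId === ''` would be the precise check. `perform()` begins and ends outside this hunk.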

Modified: plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteedittemplatefileaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteedittemplatefileaction.class.php	2007-02-22 20:17:12 UTC (rev 4823)
+++ plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteedittemplatefileaction.class.php	2007-02-22 20:22:02 UTC (rev 4824)
@@ -37,8 +37,15 @@
 		
 		function perform()
 		{
+			// fetch and sanitize parameters
             $this->_templateId = $this->_request->getValue( "templateId" );
+			$this->_templateId = str_replace( "/", "", $this->_templateId );
+			$this->_templateId = str_replace( "..", "", $this->_templateId );
+			
+			// sanitize parameter subFolderId
             $this->_subFolderId = $this->_request->getValue( "subFolderId" );			
+			$this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+			$this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
 
 			// fetch and sanitize the "fileId" parameter
             $this->_fileId = $this->_request->getValue( "fileId" );

Modified: plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsitetemplateslistaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsitetemplateslistaction.class.php	2007-02-22 20:17:12 UTC (rev 4823)
+++ plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsitetemplateslistaction.class.php	2007-02-22 20:22:02 UTC (rev 4824)
@@ -36,7 +36,10 @@
 			$this->_templateId = str_replace( "/", "", $this->_templateId );
 			$this->_templateId = str_replace( "..", "", $this->_templateId );
 
+			// sanitize parameter subFolderId
             $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+			$this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+			$this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
             
             if ( empty($this->_subFolderId) ) {
                 $this->_view = new PluginSiteTemplatesListView( $this->_blogInfo, $this->_templateId );


