[pLog-svn] r4830 - plugins/branches/lifetype-1.1/templateeditor/class/action

oscar at devel.lifetype.net oscar at devel.lifetype.net
Thu Feb 22 16:11:32 EST 2007


Author: oscar
Date: 2007-02-22 16:11:32 -0500 (Thu, 22 Feb 2007)
New Revision: 4830

Modified:
   plugins/branches/lifetype-1.1/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php
   plugins/branches/lifetype-1.1/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php
Log:
Two more fixes


Modified: plugins/branches/lifetype-1.1/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php
===================================================================
--- plugins/branches/lifetype-1.1/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php	2007-02-22 21:05:20 UTC (rev 4829)
+++ plugins/branches/lifetype-1.1/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php	2007-02-22 21:11:32 UTC (rev 4830)
@@ -23,9 +23,21 @@
 		{
 			$this->BlogOwnerAdminAction( $actionInfo, $request );
 			
+			// fetch and sanitize parameters
             $this->_templateId = $this->_request->getValue( "templateId" );
-            $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+			$this->_templateId = str_replace( "/", "", $this->_templateId );
+			$this->_templateId = str_replace( "..", "", $this->_templateId );
+			
+			// sanitize parameter subFolderId
+            $this->_subFolderId = $this->_request->getValue( "subFolderId" );			
+			$this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+			$this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
+
+			// fetch and sanitize the "fileId" parameter
             $this->_fileId = $this->_request->getValue( "fileId" );
+			$this->_fileId = str_replace( "/", "", $this->_fileId );
+			$this->_fileId = str_replace( "..", "", $this->_fileId );			
+
             $this->_backupId = $this->_request->getValue( "backupId" );
 
 			$this->registerFieldValidator( "fileContent", new StringValidator());
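Review bot: `$this->_backupId = $this->_request->getValue( "backupId" );` is the one request parameter in this hunk that is stored without the `/` and `..` stripping applied to templateId, subFolderId and fileId; if backupId is later joined into a filesystem path (not visible in the hunk), it needs the same treatment. The stripping itself is a blacklist rewrite: a value such as `a/b` is silently turned into `ab` and acted on, and characters other than `/` and `.` (backslash, for instance) pass through unchanged, so an allowlist check that rejects the request on mismatch is both safer and easier to reason about, e.g. `if ( !preg_match( "/^[A-Za-z0-9_.-]+$/", $this->_fileId ) ) { /* reject request */ }` for each of the three ids. The same points apply to the pluginsiteupdatetemplatefileaction.class.php hunk below. The enclosing constructor starts before this hunk and continues after it.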

Modified: plugins/branches/lifetype-1.1/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php
===================================================================
--- plugins/branches/lifetype-1.1/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php	2007-02-22 21:05:20 UTC (rev 4829)
+++ plugins/branches/lifetype-1.1/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php	2007-02-22 21:11:32 UTC (rev 4830)
@@ -23,11 +23,24 @@
 		{
 			$this->SiteAdminAction( $actionInfo, $request );
 			
+			
+			// fetch and sanitize parameters
             $this->_templateId = $this->_request->getValue( "templateId" );
-            $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+			$this->_templateId = str_replace( "/", "", $this->_templateId );
+			$this->_templateId = str_replace( "..", "", $this->_templateId );
+			
+			// sanitize parameter subFolderId
+            $this->_subFolderId = $this->_request->getValue( "subFolderId" );			
+			$this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+			$this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
+
+			// fetch and sanitize the "fileId" parameter
             $this->_fileId = $this->_request->getValue( "fileId" );
-            $this->_backupId = $this->_request->getValue( "backupId" );
+			$this->_fileId = str_replace( "/", "", $this->_fileId );
+			$this->_fileId = str_replace( "..", "", $this->_fileId );			
 
+            $this->_backupId = $this->_request->getValue( "backupId" );			
+			
 			$this->registerFieldValidator( "fileContent", new StringValidator());
 			$this->registerFieldValidator( "templateId", new StringValidator());
 			$this->registerField( "subFolderId" );
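Review bot: The added str_replace lines are tab-indented while the getValue lines they are interleaved with use spaces, several of the new lines carry trailing whitespace (the subFolderId getValue line, the second fileId str_replace and the backupId line), and an extra blank line is introduced right after the SiteAdminAction call. The three-line "getValue, strip `/`, strip `..`" pattern is now repeated three times here and three more times in pluginblogupdatetemplatefileaction.class.php; a single private helper such as `function _cleanId( $value ) { return str_replace( array( "/", ".." ), "", $value ); }` called as `$this->_fileId = $this->_cleanId( $this->_request->getValue( "fileId" ) );` would remove the duplication and keep the two actions from drifting apart. The enclosing constructor starts before this hunk and continues after it.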


