[pLog-svn] r4831 - plugins/branches/lifetype-1.2/templateeditor/class/action
oscar at devel.lifetype.net
oscar at devel.lifetype.net
Thu Feb 22 16:13:26 EST 2007
Author: oscar
Date: 2007-02-22 16:13:26 -0500 (Thu, 22 Feb 2007)
New Revision: 4831
Modified:
plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php
plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php
Log:
merge of the latest fix into the 1.2 branch
Modified: plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php 2007-02-22 21:11:32 UTC (rev 4830)
+++ plugins/branches/lifetype-1.2/templateeditor/class/action/pluginblogupdatetemplatefileaction.class.php 2007-02-22 21:13:26 UTC (rev 4831)
@@ -23,9 +23,21 @@
{
$this->AdminAction( $actionInfo, $request );
+ // fetch and sanitize parameters
$this->_templateId = $this->_request->getValue( "templateId" );
- $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+ $this->_templateId = str_replace( "/", "", $this->_templateId );
+ $this->_templateId = str_replace( "..", "", $this->_templateId );
+
+ // sanitize parameter subFolderId
+ $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+ $this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+ $this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
+
+ // fetch and sanitize the "fileId" parameter
$this->_fileId = $this->_request->getValue( "fileId" );
+ $this->_fileId = str_replace( "/", "", $this->_fileId );
+ $this->_fileId = str_replace( "..", "", $this->_fileId );
+
$this->_backupId = $this->_request->getValue( "backupId" );
$this->registerFieldValidator( "fileContent", new StringValidator());
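Review bot: The new `str_replace` pairs on `_templateId`, `_subFolderId` and `_fileId` are a denylist that only removes `/` and `..`, so a backslash separator (a path separator on Windows hosts) or an embedded NUL byte still reaches whatever file operation consumes these values later; an allowlist is the safer shape, e.g. `if( !preg_match( '/^[A-Za-z0-9_.-]+$/', $this->_fileId )) $this->_fileId = "";` for each of the three parameters (or `basename()` followed by a check that the resolved path stays under the template directory, if that matches how the action uses them). `_backupId` on the following line is read with no filtering at all; if it is used as a path component downstream it should be treated the same way, though that use is not visible in this hunk. The same pattern, including the unfiltered `_backupId`, is repeated in the second hunk for `pluginsiteupdatetemplatefileaction.class.php`. The enclosing constructor starts before this hunk and continues after it.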
Modified: plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php 2007-02-22 21:11:32 UTC (rev 4830)
+++ plugins/branches/lifetype-1.2/templateeditor/class/action/pluginsiteupdatetemplatefileaction.class.php 2007-02-22 21:13:26 UTC (rev 4831)
@@ -23,11 +23,24 @@
{
$this->AdminAction( $actionInfo, $request );
+
+ // fetch and sanitize parameters
$this->_templateId = $this->_request->getValue( "templateId" );
- $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+ $this->_templateId = str_replace( "/", "", $this->_templateId );
+ $this->_templateId = str_replace( "..", "", $this->_templateId );
+
+ // sanitize parameter subFolderId
+ $this->_subFolderId = $this->_request->getValue( "subFolderId" );
+ $this->_subFolderId = str_replace( "/", "", $this->_subFolderId );
+ $this->_subFolderId = str_replace( "..", "", $this->_subFolderId );
+
+ // fetch and sanitize the "fileId" parameter
$this->_fileId = $this->_request->getValue( "fileId" );
- $this->_backupId = $this->_request->getValue( "backupId" );
+ $this->_fileId = str_replace( "/", "", $this->_fileId );
+ $this->_fileId = str_replace( "..", "", $this->_fileId );
+ $this->_backupId = $this->_request->getValue( "backupId" );
+
$this->registerFieldValidator( "fileContent", new StringValidator());
$this->registerFieldValidator( "templateId", new StringValidator());
$this->registerField( "subFolderId" );