[pLog-svn] r6753 - in plugins/branches/lifetype-1.2/submissions: . class/action templates
jondaley at devel.lifetype.net
Thu Dec 4 16:16:19 EST 2008
Author: jondaley
Date: 2008-12-04 16:16:19 -0500 (Thu, 04 Dec 2008)
New Revision: 6753
Modified:
plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
plugins/branches/lifetype-1.2/submissions/class/action/adminsubmissionspluginupdatesettingsaction.class.php
plugins/branches/lifetype-1.2/submissions/pluginsubmissions.class.php
plugins/branches/lifetype-1.2/submissions/templates/submitform.template
Log:
Fix input-validation security holes in the submission form; also fix a bug in reading the notifications-enabled checkbox in the plugin settings.
Modified: plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php 2008-12-04 15:24:06 UTC (rev 6752)
+++ plugins/branches/lifetype-1.2/submissions/class/action/addsubmissionaction.class.php 2008-12-04 21:16:19 UTC (rev 6753)
@@ -3,6 +3,8 @@
lt_include( PLOG_CLASS_PATH."class/action/blogaction.class.php" );
lt_include( PLOG_CLASS_PATH."class/view/plugintemplatedview.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
+ lt_include( PLOG_CLASS_PATH."class/data/validator/arrayvalidator.class.php" );
+ lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
lt_include( PLOG_CLASS_PATH."class/dao/customfields/customfields.class.php" );
lt_include( PLOG_CLASS_PATH."class/dao/customfields/customfieldsvalues.class.php" );
@@ -30,31 +32,65 @@
function validate()
{
$errors = false;
+ $val1 = new StringValidator();
// these two are optional
- $this->_userName = $this->_request->getValue( "userName" );
- $this->_userEmailAddress = $this->_request->getValue( "userEmailAddress" );
-
+ $userName = $this->_request->getValue( "userName" );
+ if($userName){
+ if( !$val1->validate( $userName )) {
+ $errors["submissionUserName"] = true;
+ $message["submissionUserName"] = $this->_locale->tr("error_incorrect_user");
+ }
+ else{
+ $this->_userName = $userName;
+ }
+ }
+ $userEmailAddress = $this->_request->getValue( "userEmailAddress" );
+ if($userEmailAddress){
+ if( !$val1->validate( $userEmailAddress )) {
+ $errors["submissionUserEmailAddress"] = true;
+ $message["submissionUserEmailAddress"] = $this->_locale->tr("error_incorrect_email_address");
+ }
+ else{
+ $this->_userEmailAddress = $userEmailAddress;
+ }
+ }
+
// these ones are mandatory, of course...
- $this->_topic = $this->_request->getValue( "submissionTopic" );
- $val1 = new StringValidator();
- if( !$val1->validate( $this->_topic )) {
+ $this->_topic = "";
+ $topic = $this->_request->getValue( "submissionTopic" );
+ if( !$val1->validate( $topic )) {
$errors["submissionTopic"] = true;
$message["submissionTopic"] = $this->_locale->tr("error_submission_no_topic");
}
+ else{
+ $this->_topic = $topic;
+ }
+
- $this->_text = $this->_request->getValue( "submissionText" );
- $val2 = new StringValidator();
- if( !$val2->validate( $this->_text )) {
+ $this->_text = "";
+ $text = $this->_request->getValue( "submissionText" );
+ $config =& Config::getConfig();
+ $htmlEnabled = $config->getValue("plugin_submissions_htmlarea_enabled");
+ $val2 = new StringValidator($htmlEnabled);
+ if( !$val2->validate( $text )) {
$errors["submissionText"] = true;
$message["submissionText"] = $this->_locale->tr("error_submission_no_text");
}
+ else{
+ $this->_text = $text;
+ }
- $this->_categoryIds = $this->_request->getValue( "submissionCategory" );
- if( !is_array($this->_categoryIds)) {
+ $this->_categoryIds = "";
+ $categoryIds = $this->_request->getValue( "submissionCategory" );
+ $val3 = new ArrayValidator(new IntegerValidator());
+ if( !$val3->validate( $categoryIds )) {
$errors["submissionCategory"] = true;
- $message["submissionCategory"] = $this->_locale->tr("error_submission_no_category");
+ $message["submissionCategory"] = $this->_locale->tr("error_incorrect_category_id");
}
+ else{
+ $this->_categoryIds = $categoryIds;
+ }
if( $errors ) {
$this->_view = new PluginTemplatedView( $this->_blogInfo, "submissions", "submitform", SMARTY_VIEW_CACHE_DISABLED );
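Review bot: The HTML-allowed flag for the submission text is read from the global config (`$config =& Config::getConfig(); $htmlEnabled = $config->getValue("plugin_submissions_htmlarea_enabled");`), but the settings action in this same commit stores `plugin_submissions_htmlarea_enabled` in the blog's settings via `$this->_blogInfo->getSettings()`, so the global lookup will presumably never see the per-blog value and `$val2` is built from a null flag rather than the admin's choice. Read it from where it is written: `$blogSettings = $this->_blogInfo->getSettings();` and `$htmlEnabled = $blogSettings->getValue("plugin_submissions_htmlarea_enabled");` — `$this->_blogInfo` is already in scope here. Separately, `userEmailAddress` is checked with the generic `StringValidator` while the error key says `error_incorrect_email_address`; if the core provides an e-mail-specific validator it belongs here, otherwise the message overstates what is verified (and the truthiness guards `if($userName)` / `if($userEmailAddress)` skip validation entirely for the string "0"). validate() continues past the end of this hunk.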
Modified: plugins/branches/lifetype-1.2/submissions/class/action/adminsubmissionspluginupdatesettingsaction.class.php
===================================================================
--- plugins/branches/lifetype-1.2/submissions/class/action/adminsubmissionspluginupdatesettingsaction.class.php 2008-12-04 15:24:06 UTC (rev 6752)
+++ plugins/branches/lifetype-1.2/submissions/class/action/adminsubmissionspluginupdatesettingsaction.class.php 2008-12-04 21:16:19 UTC (rev 6753)
@@ -11,7 +11,7 @@
var $_pluginEnabled;
var $_htmlareaEnabled;
- var $_notificationEnabled;
+ var $_notificationsEnabled;
/**
* Constructor. If nothing else, it also has to call the constructor of the parent
@@ -32,8 +32,8 @@
$this->_htmlareaEnabled = $this->_request->getValue( "htmlareaEnabled" );
$this->_htmlareaEnabled = ($this->_htmlareaEnabled != "" );
- $this->_notificationEnabled = $this->_request->getValue( "notificationEnabled" );
- $this->_notificationEnabled = ($this->_htmlareaEnabled != "" );
+ $this->_notificationsEnabled = $this->_request->getValue( "notificationsEnabled" );
+ $this->_notificationsEnabled = ($this->_notificationsEnabled != "" );
return true;
}
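Review bot: The request key read here changed from `notificationEnabled` to `notificationsEnabled`, but no admin settings template is in this commit's modified-file list, so the checkbox is only read correctly if that template already posts a field named `notificationsEnabled`; worth confirming, because a mismatched name would make the setting silently always false through `($this->_notificationsEnabled != "")`. Since an absent field and an empty one are deliberately treated alike here, a one-line comment would save the next reader a lookup: `// checkbox: any posted value means enabled, absent means disabled`. The enclosing validate() starts outside this hunk.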
@@ -116,7 +116,7 @@
$blogSettings = $this->_blogInfo->getSettings();
$blogSettings->setValue( "plugin_submissions_enabled", $this->_pluginEnabled );
$blogSettings->setValue( "plugin_submissions_htmlarea_enabled", $this->_htmlareaEnabled );
- $blogSettings->setValue( "plugin_submissions_notifications_enabled", $this->_notificationEnabled );
+ $blogSettings->setValue( "plugin_submissions_notifications_enabled", $this->_notificationsEnabled );
$this->_blogInfo->setSettings( $blogSettings );
// update the settings in the db, and make sure that everything went fine
Modified: plugins/branches/lifetype-1.2/submissions/pluginsubmissions.class.php
===================================================================
--- plugins/branches/lifetype-1.2/submissions/pluginsubmissions.class.php 2008-12-04 15:24:06 UTC (rev 6752)
+++ plugins/branches/lifetype-1.2/submissions/pluginsubmissions.class.php 2008-12-04 21:16:19 UTC (rev 6753)
@@ -19,7 +19,7 @@
$this->id = "submissions";
$this->desc = "Allows visitors to submit stories to the blog.";
$this->author = "The LifeType Project";
- $this->version = "20080228";
+ $this->version = "20081204";
$this->init();
}
Modified: plugins/branches/lifetype-1.2/submissions/templates/submitform.template
===================================================================
--- plugins/branches/lifetype-1.2/submissions/templates/submitform.template 2008-12-04 15:24:06 UTC (rev 6752)
+++ plugins/branches/lifetype-1.2/submissions/templates/submitform.template 2008-12-04 21:16:19 UTC (rev 6753)
@@ -16,15 +16,16 @@
<form name="submission" method="post" action="{$url->getIndexUrl()}">
<label for="userName" style="text-align:left">{$locale->tr("your_name")}</label>
<input type="text" name="userName" value="{$userName}" style="width:100%" /><br/>
+ {if $errors.submissionUserName}<span style="background:red;color:white;font-weight:bold"> ! </span> {$message.submissionUserName}</p><br/>{/if}
<label for="userEmailAddress" style="text-align:left">{$locale->tr("your_email_address")}</label>
<input type="text" name="userEmailAddress" value="{$userEmailAddress}" style="width:100%" /><br/>
+ {if $errors.submissionUserEmailAddress}<span style="background:red;color:white;font-weight:bold"> ! </span> {$message.submissionUserEmailAddress}</p><br/>{/if}
<label for="submissionTopic" style="text-align:left">{$locale->tr("story_topic")}</label>
<input type="text" name="submissionTopic" value="{$submissionTopic}" style="width:100%" /><br/>
- {if $errors.submissionTopic}<span style="background:red;color:white;font-weight:bold"> ! </span> {$message.submissionTopic}</p>{/if}
+ {if $errors.submissionTopic}<span style="background:red;color:white;font-weight:bold"> ! </span> {$message.submissionTopic}</p><br/>{/if}
<br/>
- <br/>
<div>
<div style="width:68%;float:left;padding-right:2%">
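Review bot: When a field fails validation the added error branches re-render this form with the rejected input, and the context lines above echo that input straight into `value="{$userName}"`, `value="{$userEmailAddress}"` and `value="{$submissionTopic}"` with no `|escape` modifier; unless the action escapes these values before assigning them to the template (not visible here), a submitted value containing a double quote breaks out of the attribute and the very text the validator rejected is reflected as markup. Use `value="{$userName|escape}"` (and likewise for the other two) — this looks like Smarty syntax, whose `escape` modifier defaults to HTML-entity escaping — or confirm the view already filters. The new error lines also close a `</p>` that was never opened (`… {$message.submissionUserName}</p><br/>`); either wrap the span and message in `<p>…</p>` or drop the stray `</p>`.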
@@ -54,4 +55,4 @@
{else}
{$locale->tr("error_submissions_not_enabled")}
{/if}
-{include file="$blogtemplate/footer.template"}
\ No newline at end of file
+{include file="$blogtemplate/footer.template"}