Fix potential injection vulnerability

We trusted the values we pulled out of the IDs array and never coerced
them to integers, passing them to the backend unescaped and uncasted.
Ensure they are treated as integers only and validate the resulting
value is > 0.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Dan McGee 2011-03-01 12:31:35 -06:00 committed by Lukas Fleischer
parent a10ce40cbe
commit 90485e8f42

@ -9,7 +9,9 @@ check_sid(); # see if they're still logged in
# Set the title to the current query if required
if (isset($_GET['ID'])) {
if ($pkgname = pkgname_from_id($_GET['ID'])) { $title = $pkgname; }
if ($pkgname = pkgname_from_id($_GET['ID'])) {
$title = $pkgname;
}
} else if (!empty($_GET['K'])) {
$title = __("Search Criteria") . ": " . $_GET['K'];
} else {
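Review bot: in the isset($_GET['ID']) branch, $_GET['ID'] is still passed to pkgname_from_id() without the integer coercion this commit applies to $_POST['IDs']. Unless pkgname_from_id() casts its argument itself, run the value through intval() here too and skip the lookup when the result is not > 0. In the next branch, $_GET['K'] is concatenated into $title as-is, so whatever renders $title has to HTML-escape it.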
@ -27,9 +29,12 @@ if (isset($_COOKIE["AURSID"])) {
$ids = array();
if (isset($_POST['IDs'])) {
foreach ($_POST['IDs'] as $id => $i) {
$id = intval($id);
if ($id > 0) {
$ids[] = $id;
}
}
}
# Determine what action to do
$output = "";
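Review bot: the isset($_POST['IDs']) guard in front of the foreach does not confirm the value is an array, so a request that sends IDs as a scalar reaches foreach with a non-array and raises a warning; add an is_array() check to the condition. Also, intval() accepts leading-numeric strings (intval('12abc') is 12), so a malformed key is silently mapped to a valid ID rather than rejected; if rejection is the intent, validate with filter_var($id, FILTER_VALIDATE_INT) and a min_range of 1 instead. A one-line comment that the IDs arrive as the array keys (foreach ... as $id => $i) would help, since the unused $i otherwise reads like a mistake.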