external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
aurweb/web/html/packages.php
Dan McGee 90485e8f42 Fix potential injection vulnerability 
We trusted the values we pulled out of the IDs array and never coerced
them to integers, passing them to the backend unescaped and uncasted.
Ensure they are treated as integers only and validate the resulting
value is > 0.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-01 20:27:49 +01:00

95 lines
2.9 KiB
PHP
Raw Blame History

<?php
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib');
include_once("aur.inc"); # access AUR common functions
set_lang(); # this sets up the visitor's language
include_once('pkgfuncs.inc'); # package specific functions
check_sid(); # see if they're still logged in
# Set the title to the current query if required
if (isset($_GET['ID'])) {
if ($pkgname = pkgname_from_id($_GET['ID'])) {
$title = $pkgname;
}
} else if (!empty($_GET['K'])) {
$title = __("Search Criteria") . ": " . $_GET['K'];
} else {
$title = __("Packages");
}
# Retrieve account type
if (isset($_COOKIE["AURSID"])) {
$atype = account_from_sid($_COOKIE["AURSID"]);
} else {
$atype = "";
}
# Grab the list of Package IDs to be operated on
$ids = array();
if (isset($_POST['IDs'])) {
foreach ($_POST['IDs'] as $id => $i) {
$id = intval($id);
if ($id > 0) {
$ids[] = $id;
}
}
}
# Determine what action to do
$output = "";
if ($_POST['action'] == "do_Flag" || isset($_POST['do_Flag'])) {
$output = pkg_flag($atype, $ids, True);
} elseif ($_POST['action'] == "do_UnFlag" || isset($_POST['do_UnFlag'])) {
$output = pkg_flag($atype, $ids, False);
} elseif ($_POST['action'] == "do_Adopt" || isset($_POST['do_Adopt'])) {
$output = pkg_adopt($atype, $ids, True);
} elseif ($_POST['action'] == "do_Disown" || isset($_POST['do_Disown'])) {
$output = pkg_adopt($atype, $ids, False);
} elseif ($_POST['action'] == "do_Vote" || isset($_POST['do_Vote'])) {
$output = pkg_vote($atype, $ids, True);
} elseif ($_POST['action'] == "do_UnVote" || isset($_POST['do_UnVote'])) {
$output = pkg_vote($atype, $ids, False);
} elseif ($_POST['action'] == "do_Delete" || isset($_POST['do_Delete'])) {
if (isset($_POST['confirm_Delete'])) {
$output = pkg_delete($atype, $ids);
unset($_GET['ID']);
}
else {
$output = __("The selected packages have not been deleted, check the confirmation checkbox.");
}
} elseif ($_POST['action'] == "do_Notify" || isset($_POST['do_Notify'])) {
$output = pkg_notify($atype, $ids);
} elseif ($_POST['action'] == "do_UnNotify" || isset($_POST['do_UnNotify'])) {
$output = pkg_notify($atype, $ids, False);
} elseif ($_POST['action'] == "do_DeleteComment" || isset($_POST["do_DeleteComment"])) {
$output = pkg_delete_comment($atype);
} elseif ($_POST['action'] == "do_ChangeCategory" || isset($_POST['do_ChangeCategory'])) {
$output = pkg_change_category($atype);
}
html_header($title);
?>
<?php if ($output): ?>
<p class="pkgoutput"><?php print $output ?></p>
<?php endif; ?>
<?php
if (isset($_GET['ID'])) {
include('pkg_search_form.php');
if (!$_GET['ID'] = intval($_GET['ID'])) {
print __("Error trying to retrieve package details.")."<br />\n";
} else {
package_details($_GET['ID'], $_COOKIE["AURSID"]);
}
} else {
if (!isset($_GET['K']) && !isset($_GET['SB'])) {
$_GET['SB'] = 'v';
$_GET['SO'] = 'd';
}
pkg_search_page($_COOKIE["AURSID"]);
}
html_footer(AUR_VERSION);
Reference in a new issue View git blame Copy permalink