aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--engine/lib/input.php5
-rw-r--r--engine/lib/river.php3
-rw-r--r--mod/embed/start.php6
-rw-r--r--mod/embed/views/default/embed/embed.php6
-rw-r--r--mod/embed/views/default/embed/upload/content.php1
-rw-r--r--mod/file/pages/file/search.php20
-rw-r--r--mod/messages/pages/messages/send.php2
-rw-r--r--pages/river.php8
8 files changed, 31 insertions, 20 deletions
diff --git a/engine/lib/input.php b/engine/lib/input.php
index 84752bc7d..56ec214dc 100644
--- a/engine/lib/input.php
+++ b/engine/lib/input.php
@@ -10,8 +10,13 @@
/**
* Get some input from variables passed on the GET or POST line.
*
+ * If using any data obtained from get_input() in a web page, please be aware that
+ * it is a possible vector for a reflected XSS attack. If you are expecting an
+ * integer, cast it to an int. If it is a string, escape quotes.
+ *
* Note: this function does not handle nested arrays (ex: form input of param[m][n])
* because of the filtering done in htmlawed from the filter_tags call.
+ * @todo Is this ^ still?
*
* @param string $variable The variable we want to return.
* @param mixed $default A default value for the variable if it is not found.
diff --git a/engine/lib/river.php b/engine/lib/river.php
index 36dde7f05..1a2be1e50 100644
--- a/engine/lib/river.php
+++ b/engine/lib/river.php
@@ -589,10 +589,13 @@ function elgg_river_page_handler($page) {
elgg_set_page_owner_guid(elgg_get_logged_in_user_guid());
+ // make a URL segment available in page handler script
$page_type = elgg_extract(0, $page, 'all');
+ $page_type = preg_replace('[\W]', '', $page_type);
if ($page_type == 'owner') {
$page_type = 'mine';
}
+ set_input('page_type', $page_type);
// content filter code here
$entity_type = '';
diff --git a/mod/embed/start.php b/mod/embed/start.php
index f6f1acc57..bdd832b4e 100644
--- a/mod/embed/start.php
+++ b/mod/embed/start.php
@@ -81,8 +81,10 @@ function embed_page_handler($page) {
elgg_sort_3d_array_by_value($sections, 'name');
elgg_sort_3d_array_by_value($upload_sections, 'name');
- $active_section = get_input('active_section', NULL);
- $internal_id = get_input('internal_id', NULL);
+ $active_section = get_input('active_section', '');
+ $active_section = preg_replace('[\W]', '', $active_section);
+ $internal_id = get_input('internal_id', '');
+ $internal_id = preg_replace('[\W]', '', $internal_id);
echo elgg_view('embed/embed', array(
'sections' => $sections,
diff --git a/mod/embed/views/default/embed/embed.php b/mod/embed/views/default/embed/embed.php
index 77ce03699..2d8de1ca4 100644
--- a/mod/embed/views/default/embed/embed.php
+++ b/mod/embed/views/default/embed/embed.php
@@ -10,7 +10,7 @@
*/
$sections = elgg_extract('sections', $vars, array());
-$active_section = elgg_extract('active_section', $vars, array_shift(array_keys($sections)));
+$active_section = elgg_extract('active_section', $vars, array_shift(array_keys($sections)), false);
$upload_sections = elgg_extract('upload_sections', $vars, array());
$internal_id = elgg_extract('internal_id', $vars);
@@ -20,8 +20,8 @@ if (!$sections) {
$content = elgg_view_title(elgg_echo('embed:media'));
$content .= elgg_view('embed/tabs', $vars);
- $offset = max(0, get_input('offset', 0));
- $limit = get_input('limit', 5);
+ $offset = (int)max(0, get_input('offset', 0));
+ $limit = (int)get_input('limit', 5);
// build the items and layout.
if ($active_section == 'upload' || array_key_exists($active_section, $sections)) {
diff --git a/mod/embed/views/default/embed/upload/content.php b/mod/embed/views/default/embed/upload/content.php
index 24fce8112..8bedf5ad1 100644
--- a/mod/embed/views/default/embed/upload/content.php
+++ b/mod/embed/views/default/embed/upload/content.php
@@ -4,6 +4,7 @@
*/
$upload_sections = elgg_extract('upload_sections', $vars, array());
$active_section = get_input('active_upload_section', array_shift(array_keys($upload_sections)));
+$active_section = preg_replace('[\W]', '', $active_section);
$options = array();
diff --git a/mod/file/pages/file/search.php b/mod/file/pages/file/search.php
index cffe67e0c..2242d1d7e 100644
--- a/mod/file/pages/file/search.php
+++ b/mod/file/pages/file/search.php
@@ -5,7 +5,7 @@
* @package ElggFile
*/
-$page_owner_guid = get_input('page_owner', null);
+$page_owner_guid = (int)get_input('page_owner', 0);
if ($page_owner_guid) {
elgg_set_page_owner_guid($page_owner_guid);
}
@@ -15,10 +15,10 @@ group_gatekeeper();
// Get input
$md_type = 'simpletype';
-$tag = get_input('tag');
+// avoid reflected XSS attacks by only allowing alnum characters
+$file_type = preg_replace('[\W]', '', get_input('tag'));
$listtype = get_input('listtype');
-$friends = get_input('friends', false);
-
+$friends = (bool)get_input('friends', false);
// breadcrumbs
elgg_push_breadcrumb(elgg_echo('file'), "file/all");
@@ -32,8 +32,8 @@ if ($owner) {
if ($friends && $owner) {
elgg_push_breadcrumb(elgg_echo('friends'), "file/friends/$owner->username");
}
-if ($tag) {
- elgg_push_breadcrumb(elgg_echo("file:type:$tag"));
+if ($file_type) {
+ elgg_push_breadcrumb(elgg_echo("file:type:$file_type"));
} else {
elgg_push_breadcrumb(elgg_echo('all'));
}
@@ -41,10 +41,10 @@ if ($tag) {
// title
if (!$owner) {
// world files
- $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$tag");
+ $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$file_type");
} else {
$friend_string = $friends ? elgg_echo('file:title:friends') : '';
- $type_string = elgg_echo("file:type:$tag");
+ $type_string = elgg_echo("file:type:$file_type");
$title = elgg_echo('file:list:title', array($owner->name, $friend_string, $type_string));
}
@@ -76,9 +76,9 @@ $params = array(
'full_view' => false,
);
-if ($tag) {
+if ($file_type) {
$params['metadata_name'] = $md_type;
- $params['metadata_value'] = $tag;
+ $params['metadata_value'] = $file_type;
$content = elgg_list_entities_from_metadata($params);
} else {
$content = elgg_list_entities($params);
diff --git a/mod/messages/pages/messages/send.php b/mod/messages/pages/messages/send.php
index 02d430df7..1b821d185 100644
--- a/mod/messages/pages/messages/send.php
+++ b/mod/messages/pages/messages/send.php
@@ -14,7 +14,7 @@ $title = elgg_echo('messages:add');
elgg_push_breadcrumb($title);
-$params = messages_prepare_form_vars(get_input('send_to'));
+$params = messages_prepare_form_vars((int)get_input('send_to'));
$params['friends'] = $page_owner->getFriends();
$content = elgg_view_form('messages/send', array(), $params);
diff --git a/pages/river.php b/pages/river.php
index fa559d59b..5770084ab 100644
--- a/pages/river.php
+++ b/pages/river.php
@@ -3,12 +3,12 @@
* Main activity stream list page
*/
-// $page_type comes from the page handler function
-
$options = array();
-$type = get_input('type', 'all');
-$subtype = get_input('subtype', '');
+$page_type = preg_replace('[\W]', '', get_input('page_type', 'all'));
+$type = preg_replace('[\W]', '', get_input('type', 'all'));
+$active_section =
+$subtype = preg_replace('[\W]', '', get_input('subtype', ''));
if ($subtype) {
$selector = "type=$type&subtype=$subtype";
} else {