From ba7ec8e256095281099af35fb79b832051c612e6 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 2 Jul 2011 09:39:08 -0400 Subject: added note about preventing reflected XSS vulnerabilities. --- engine/lib/input.php | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/engine/lib/input.php b/engine/lib/input.php index 84752bc7d..56ec214dc 100644 --- a/engine/lib/input.php +++ b/engine/lib/input.php @@ -10,8 +10,13 @@ /** * Get some input from variables passed on the GET or POST line. * + * If using any data obtained from get_input() in a web page, please be aware that + * it is a possible vector for a reflected XSS attack. If you are expecting an + * integer, cast it to an int. If it is a string, escape quotes. + * * Note: this function does not handle nested arrays (ex: form input of param[m][n]) * because of the filtering done in htmlawed from the filter_tags call. + * @todo Is this ^ still? * * @param string $variable The variable we want to return. * @param mixed $default A default value for the variable if it is not found. -- cgit v1.2.3 From 44fe4374af3550676d08320927bf4824bbd43441 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 2 Jul 2011 10:04:24 -0400 Subject: fixed messages and file plugins for #3544 --- mod/file/pages/file/search.php | 20 ++++++++++---------- mod/messages/pages/messages/send.php | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/mod/file/pages/file/search.php b/mod/file/pages/file/search.php index cffe67e0c..2242d1d7e 100644 --- a/mod/file/pages/file/search.php +++ b/mod/file/pages/file/search.php @@ -5,7 +5,7 @@ * @package ElggFile */ -$page_owner_guid = get_input('page_owner', null); +$page_owner_guid = (int)get_input('page_owner', 0); if ($page_owner_guid) { elgg_set_page_owner_guid($page_owner_guid); } 
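Review bot: The advice added to get_input()'s docblock, "If it is a string, escape quotes", understates what output encoding needs: in an HTML context `<`, `>` and `&` matter as much as quotes, and the escaping has to match the context the value lands in (HTML body, attribute, JavaScript, URL), so I would reword that line to `* integer, cast it to an int. If it is a string, escape it for the context it is output in (e.g. htmlspecialchars() with ENT_QUOTES for HTML).` The `@todo Is this ^ still?` line reads as unfinished; `@todo Is the nested-array limitation above still true?` says what is being asked. The rest of get_input()'s docblock and its body are outside the hunk.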
@@ -15,10 +15,10 @@ group_gatekeeper(); // Get input $md_type = 'simpletype'; -$tag = get_input('tag'); +// avoid reflected XSS attacks by only allowing alnum characters +$file_type = preg_replace('[\W]', '', get_input('tag')); $listtype = get_input('listtype'); -$friends = get_input('friends', false); - +$friends = (bool)get_input('friends', false); // breadcrumbs elgg_push_breadcrumb(elgg_echo('file'), "file/all"); @@ -32,8 +32,8 @@ if ($owner) { if ($friends && $owner) { elgg_push_breadcrumb(elgg_echo('friends'), "file/friends/$owner->username"); } -if ($tag) { - elgg_push_breadcrumb(elgg_echo("file:type:$tag")); +if ($file_type) { + elgg_push_breadcrumb(elgg_echo("file:type:$file_type")); } else { elgg_push_breadcrumb(elgg_echo('all')); } @@ -41,10 +41,10 @@ if ($tag) { // title if (!$owner) { // world files - $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$tag"); + $title = elgg_echo('all') . ' ' . elgg_echo("file:type:$file_type"); } else { $friend_string = $friends ? elgg_echo('file:title:friends') : ''; - $type_string = elgg_echo("file:type:$tag"); + $type_string = elgg_echo("file:type:$file_type"); $title = elgg_echo('file:list:title', array($owner->name, $friend_string, $type_string)); } @@ -76,9 +76,9 @@ $params = array( 'full_view' => false, ); -if ($tag) { +if ($file_type) { $params['metadata_name'] = $md_type; - $params['metadata_value'] = $tag; + $params['metadata_value'] = $file_type; $content = elgg_list_entities_from_metadata($params); } else { $content = elgg_list_entities($params); diff --git a/mod/messages/pages/messages/send.php b/mod/messages/pages/messages/send.php index 02d430df7..1b821d185 100644 --- a/mod/messages/pages/messages/send.php +++ b/mod/messages/pages/messages/send.php 
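Review bot: `preg_replace('[\W]', '', get_input('tag'))` works only because PHP accepts square brackets as pattern delimiters, so the pattern is `\W` rather than a character class; a reader sees an unclosed bracket expression and assumes a bug, and `'/\W/'` says the same thing unambiguously. The same spelling recurs in mod/embed/start.php, mod/embed/views/default/embed/upload/content.php, engine/lib/river.php and pages/river.php in the later patches of this series. Two smaller points on the same line: `\W` keeps underscores, so the comment "only allowing alnum characters" is not quite accurate, and get_input() returns an array for a `tag[]=` request (the first patch's docblock implies single-level arrays are handled), in which case preg_replace() returns an array and `"file:type:$file_type"` interpolates as `Array`; `$tag = get_input('tag', ''); $file_type = is_string($tag) ? preg_replace('/\W/', '', $tag) : '';` covers both. `$listtype` on the following line is still taken raw; if it reaches the page it presumably needs the same treatment, but its use is outside the hunk.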
@@ -14,7 +14,7 @@ $title = elgg_echo('messages:add'); elgg_push_breadcrumb($title); -$params = messages_prepare_form_vars(get_input('send_to')); +$params = messages_prepare_form_vars((int)get_input('send_to')); $params['friends'] = $page_owner->getFriends(); $content = elgg_view_form('messages/send', array(), $params); -- cgit v1.2.3 From b307bcbdc8b0f269a5408a824dc4a7c3c2e9570f Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 2 Jul 2011 10:17:56 -0400 Subject: fixed embed plugin for #3544 --- mod/embed/start.php | 6 ++++-- mod/embed/views/default/embed/embed.php | 6 +++--- mod/embed/views/default/embed/upload/content.php | 1 + 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/mod/embed/start.php b/mod/embed/start.php index f6f1acc57..bdd832b4e 100644 --- a/mod/embed/start.php +++ b/mod/embed/start.php @@ -81,8 +81,10 @@ function embed_page_handler($page) { elgg_sort_3d_array_by_value($sections, 'name'); elgg_sort_3d_array_by_value($upload_sections, 'name'); - $active_section = get_input('active_section', NULL); - $internal_id = get_input('internal_id', NULL); + $active_section = get_input('active_section', ''); + $active_section = preg_replace('[\W]', '', $active_section); + $internal_id = get_input('internal_id', ''); + $internal_id = preg_replace('[\W]', '', $internal_id); echo elgg_view('embed/embed', array( 'sections' => $sections, diff --git a/mod/embed/views/default/embed/embed.php b/mod/embed/views/default/embed/embed.php index 77ce03699..2d8de1ca4 100644 --- a/mod/embed/views/default/embed/embed.php +++ b/mod/embed/views/default/embed/embed.php @@ -10,7 +10,7 @@ */ $sections = elgg_extract('sections', $vars, array()); -$active_section = elgg_extract('active_section', $vars, array_shift(array_keys($sections))); +$active_section = elgg_extract('active_section', $vars, array_shift(array_keys($sections)), false); $upload_sections = elgg_extract('upload_sections', $vars, array()); $internal_id = elgg_extract('internal_id', $vars); 
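Review bot: The new fourth argument `false` to elgg_extract() in mod/embed/views/default/embed/embed.php carries no comment, and its meaning is not visible from the hunk; presumably it makes the empty string that mod/embed/start.php now passes (from `get_input('active_section', '')`) fall through to the first section key, and a note such as `// non-strict lookup: '' from the page handler means "no section chosen"` would keep the next reader from removing it. Separately, `array_shift(array_keys($sections))` on the same rewritten line passes a temporary by reference, which PHP reports as "Only variables should be passed by reference"; `$section_keys = array_keys($sections);` followed by `array_shift($section_keys)` avoids the notice (this is pre-existing, and the same construct appears in the upload/content.php hunk of this patch). The variables read further down the view are outside the hunk.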
@@ -20,8 +20,8 @@ if (!$sections) { $content = elgg_view_title(elgg_echo('embed:media')); $content .= elgg_view('embed/tabs', $vars); - $offset = max(0, get_input('offset', 0)); - $limit = get_input('limit', 5); + $offset = (int)max(0, get_input('offset', 0)); + $limit = (int)get_input('limit', 5); // build the items and layout. if ($active_section == 'upload' || array_key_exists($active_section, $sections)) { diff --git a/mod/embed/views/default/embed/upload/content.php b/mod/embed/views/default/embed/upload/content.php index 24fce8112..8bedf5ad1 100644 --- a/mod/embed/views/default/embed/upload/content.php +++ b/mod/embed/views/default/embed/upload/content.php @@ -4,6 +4,7 @@ */ $upload_sections = elgg_extract('upload_sections', $vars, array()); $active_section = get_input('active_upload_section', array_shift(array_keys($upload_sections))); +$active_section = preg_replace('[\W]', '', $active_section); $options = array(); -- cgit v1.2.3 From 3beedd84a7dbcf7a17a75248473302320653d231 Mon Sep 17 00:00:00 2001 From: cash Date: Sat, 2 Jul 2011 10:26:39 -0400 Subject: fixed river for #3544 --- engine/lib/river.php | 3 +++ pages/river.php | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/engine/lib/river.php b/engine/lib/river.php index 36dde7f05..1a2be1e50 100644 --- a/engine/lib/river.php +++ b/engine/lib/river.php @@ -589,10 +589,13 @@ function elgg_river_page_handler($page) { elgg_set_page_owner_guid(elgg_get_logged_in_user_guid()); + // make a URL segment available in page handler script $page_type = elgg_extract(0, $page, 'all'); + $page_type = preg_replace('[\W]', '', $page_type); if ($page_type == 'owner') { $page_type = 'mine'; } + set_input('page_type', $page_type); // content filter code here $entity_type = ''; diff --git a/pages/river.php b/pages/river.php index fa559d59b..5770084ab 100644 --- a/pages/river.php +++ b/pages/river.php 
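Review bot: `(int)max(0, get_input('offset', 0))` casts after the comparison, so max() compares the integer 0 with a raw request string; for a non-numeric string the comparison rules differ between PHP versions and max() can return the string, which the outer cast turns into 0 only by accident. Casting first makes the comparison numeric: `$offset = max(0, (int)get_input('offset', 0));`. `$limit` gets no lower bound, so `limit=0` or a negative value reaches whatever consumes it below the hunk; if a positive page size is expected, `$limit = max(1, (int)get_input('limit', 5));` pins it. The rest of the view runs past the hunk.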
@@ -3,12 +3,12 @@ * Main activity stream list page */ -// $page_type comes from the page handler function - $options = array(); -$type = get_input('type', 'all'); -$subtype = get_input('subtype', ''); +$page_type = preg_replace('[\W]', '', get_input('page_type', 'all')); +$type = preg_replace('[\W]', '', get_input('type', 'all')); +$active_section = +$subtype = preg_replace('[\W]', '', get_input('subtype', '')); if ($subtype) { $selector = "type=$type&subtype=$subtype"; } else { -- cgit v1.2.3
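Review bot: The added `$active_section =` line has no right-hand side of its own, so it chains into the next statement and becomes `$active_section = $subtype = preg_replace(...)`; it parses, but it looks like a leftover from the embed patch and leaves a variable that nothing in the hunk uses. Drop that line so the block reads `$type = preg_replace('[\W]', '', get_input('type', 'all')); $subtype = preg_replace('[\W]', '', get_input('subtype', ''));`. Since engine/lib/river.php already strips `page_type` before set_input(), the preg_replace on `$page_type` here is redundant but harmless; a comment `// already filtered in elgg_river_page_handler(); filtered again in case this page is reached another way` would explain why it stays. The use of `$page_type` further down the page is outside the hunk.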