fixes #847, CVE-2018-5692 protect a few user input variables

This commit is contained in:
plegall
2018-07-11 11:22:31 +02:00
parent 23fa4c1a73
commit 69345c06e2
5 changed files with 8 additions and 0 deletions
+1
@@ -42,6 +42,7 @@ trigger_notify('loc_begin_admin');
check_status(ACCESS_ADMINISTRATOR); check_status(ACCESS_ADMINISTRATOR);
check_input_parameter('page', $_GET, false, '/^[a-zA-Z\d_-]+$/'); check_input_parameter('page', $_GET, false, '/^[a-zA-Z\d_-]+$/');
check_input_parameter('section', $_GET, false, '/^[a-z]+[a-z_\/-]*(\.php)?$/i');
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
// | Direct actions | // | Direct actions |
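Review bot: The `section` pattern on the added line is anchored with `$`, which in PCRE also matches just before a trailing newline, so a value such as `foo.php%0A` passes the allow-list; if `$_GET['section']` later feeds an include path (the CVE this fixes is a file-inclusion issue, and the usage is outside this hunk) prefer `'/^[a-z]+[a-z_\/-]*(\.php)?$/iD'` or `\z` so the value must end exactly where the pattern does. The pattern otherwise excludes `.` except as the final `.php` suffix, so `..` segments cannot appear, and the leading `[a-z]+` rules out an absolute path; that intent is worth a comment on the line, e.g. `// allow-list: relative path, no dot segments, optional .php suffix (value may be used as an include path)`. Whether check_input_parameter aborts the request or merely filters the value on mismatch is not visible from this hunk.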
+1
@@ -42,6 +42,7 @@ include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
check_status(ACCESS_ADMINISTRATOR); check_status(ACCESS_ADMINISTRATOR);
check_input_parameter('selection', $_POST, true, PATTERN_ID); check_input_parameter('selection', $_POST, true, PATTERN_ID);
check_input_parameter('display', $_REQUEST, false, '/^(\d+|all)$/');
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
// | specific actions | // | specific actions |
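Review bot: The added check validates `display` taken from `$_REQUEST`, but the place where the page reads the value is outside this hunk; `$_REQUEST` is assembled per `request_order` (POST normally overrides GET), so a request can carry a conforming `display` in the body while an unvalidated one sits in the query string if the later read uses `$_GET` or `$_POST` directly. Validate the superglobal the code actually reads, or check both, e.g. `check_input_parameter('display', $_GET, false, '/^(\d+|all)$/');` plus the same call against `$_POST`. The sibling change in this commit restricts the same parameter name to `PATTERN_ID` on another admin page; if both screens share the `all` option the two patterns should agree. As with the other patterns, `$` admits a trailing newline; the `D` modifier closes that.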
+2
@@ -42,6 +42,8 @@ include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR); check_status(ACCESS_ADMINISTRATOR);
check_input_parameter('mode', $_GET, false, '/^(param|subscribe|send)$/');
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
// | Initialization | // | Initialization |
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
+1
@@ -33,6 +33,7 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
check_status(ACCESS_ADMINISTRATOR); check_status(ACCESS_ADMINISTRATOR);
check_input_parameter('display', $_GET, false, PATTERN_ID);
include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php'); include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
$tabsheet = new tabsheet(); $tabsheet = new tabsheet();
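Review bot: `display` is restricted to `PATTERN_ID` on the added line, while the other admin page touched by this commit accepts `/^(\d+|all)$/` for the same parameter name; if this screen's selector also offers an "all" entry, the stricter pattern would make that link fail the check, so confirm against the tabsheet and the `display` read further down (outside the hunk). A one-line comment would spare the next reader that comparison, e.g. `// 'display' is numeric-only on this screen (no 'all' option) — confirm against the selector below`. If `PATTERN_ID` is anchored with `$` like the literal patterns in this commit, it too accepts a trailing newline; a `D`-modifier or `\z` variant of the constant would close that for every caller.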
+3
@@ -37,7 +37,10 @@ STEP:
3 = upgrade on different branch 3 = upgrade on different branch
*/ */
$step = isset($_GET['step']) ? $_GET['step'] : 0; $step = isset($_GET['step']) ? $_GET['step'] : 0;
check_input_parameter('to', $_GET, false, '/^\d+\.\d+\.\d+$/');
$upgrade_to = isset($_GET['to']) ? $_GET['to'] : ''; $upgrade_to = isset($_GET['to']) ? $_GET['to'] : '';
$updates = new updates(); $updates = new updates();
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
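Review bot: `$_GET['step']` on the line just above the added check is still read raw and becomes `$step`, while only `to` receives a pattern; since the comment block enumerates numeric steps (3 being the last one shown), add `check_input_parameter('step', $_GET, false, '/^\d+$/');` before the `$step` assignment, or `/^[0-3]$/` if that enumeration is exhaustive. The `to` pattern `'/^\d+\.\d+\.\d+$/'` lets a trailing newline through because PCRE `$` matches before a final `\n`; use `'/^\d+\.\d+\.\d+\z/'` or append the `D` modifier. How `$upgrade_to` is consumed afterwards (URL, filesystem path, SQL) lies outside the hunk, so the impact of the newline case cannot be judged here, but version strings have no legitimate reason to end in one.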