adam/Piwigo
1
0
Fork 0
mirror of https://github.com/Piwigo/Piwigo.git synced 2026-06-02 04:15:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

(cp ba1f803f8) fixes GHSA-jhp4-7f82-8f6q check image_order against allowed values

Browse Source
This commit is contained in:
plegall
2026-04-26 15:18:54 +02:00
parent e4f0989d35
commit ef9e65386d
1 changed files with 20 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin/element_set_ranks.php
+20 -20
View File
@@ -18,6 +18,25 @@ if (!defined('PHPWG_ROOT_PATH'))
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php'); include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
$sort_fields = array(
'' => '',
'file ASC' => l10n('File name, A → Z'),
'file DESC' => l10n('File name, Z → A'),
'name ASC' => l10n('Photo title, A → Z'),
'name DESC' => l10n('Photo title, Z → A'),
'date_creation DESC' => l10n('Date created, new → old'),
'date_creation ASC' => l10n('Date created, old → new'),
'date_available DESC' => l10n('Date posted, new → old'),
'date_available ASC' => l10n('Date posted, old → new'),
'rating_score DESC' => l10n('Rating score, high → low'),
'rating_score ASC' => l10n('Rating score, low → high'),
'hit DESC' => l10n('Visits, high → low'),
'hit ASC' => l10n('Visits, low → high'),
'id ASC' => l10n('Numeric identifier, 1 → 9'),
'id DESC' => l10n('Numeric identifier, 9 → 1'),
'rank ASC' => l10n('Manual sort order'),
);
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok | // | Check Access and exit when user status is not ok |
// +-----------------------------------------------------------------------+ // +-----------------------------------------------------------------------+
@@ -62,7 +81,7 @@ if (isset($_POST['submit']))
{ {
for ($i=0; $i<3; $i++) for ($i=0; $i<3; $i++)
{ {
if (!empty($_POST['image_order'][$i])) if (!empty($_POST['image_order'][$i]) and in_array($_POST['image_order'][$i], array_keys($sort_fields)))
{ {
if (!empty($image_order)) $image_order.= ','; if (!empty($image_order)) $image_order.= ',';
$image_order.= $_POST['image_order'][$i]; $image_order.= $_POST['image_order'][$i];
@@ -188,25 +207,6 @@ if (pwg_db_num_rows($result) > 0)
} }
} }
// image order management // image order management
$sort_fields = array(
'' => '',
'file ASC' => l10n('File name, A &rarr; Z'),
'file DESC' => l10n('File name, Z &rarr; A'),
'name ASC' => l10n('Photo title, A &rarr; Z'),
'name DESC' => l10n('Photo title, Z &rarr; A'),
'date_creation DESC' => l10n('Date created, new &rarr; old'),
'date_creation ASC' => l10n('Date created, old &rarr; new'),
'date_available DESC' => l10n('Date posted, new &rarr; old'),
'date_available ASC' => l10n('Date posted, old &rarr; new'),
'rating_score DESC' => l10n('Rating score, high &rarr; low'),
'rating_score ASC' => l10n('Rating score, low &rarr; high'),
'hit DESC' => l10n('Visits, high &rarr; low'),
'hit ASC' => l10n('Visits, low &rarr; high'),
'id ASC' => l10n('Numeric identifier, 1 &rarr; 9'),
'id DESC' => l10n('Numeric identifier, 9 &rarr; 1'),
'rank ASC' => l10n('Manual sort order'),
);
$template->assign('image_order_options', $sort_fields); $template->assign('image_order_options', $sort_fields);
$image_order = explode(',', isset($category['image_order']) ? $category['image_order'] : ""); $image_order = explode(',', isset($category['image_order']) ? $category['image_order'] : "");