From 69345c06e277acd78b58e561468929ae1781e694 Mon Sep 17 00:00:00 2001
From: plegall
Date: Wed, 11 Jul 2018 11:22:31 +0200
Subject: [PATCH] fixes #847, CVE-2018-5692 protect a few user input variables
---
 admin.php | 1 +
 admin/batch_manager.php | 1 +
 admin/notification_by_mail.php | 2 ++
 admin/rating.php | 1 +
 admin/updates_pwg.php | 3 +++
 5 files changed, 8 insertions(+)
diff --git a/admin.php b/admin.php
index af6937881..7da423799 100644
--- a/admin.php
+++ b/admin.php
@@ -42,6 +42,7 @@ trigger_notify('loc_begin_admin');
 check_status(ACCESS_ADMINISTRATOR);
 check_input_parameter('page', $_GET, false, '/^[a-zA-Z\d_-]+$/');
+check_input_parameter('section', $_GET, false, '/^[a-z]+[a-z_\/-]*(\.php)?$/i');
 // +-----------------------------------------------------------------------+
 // | Direct actions |
diff --git a/admin/batch_manager.php b/admin/batch_manager.php
index 430a0c73e..e1ae22770 100644
--- a/admin/batch_manager.php
+++ b/admin/batch_manager.php
@@ -42,6 +42,7 @@ include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
 check_status(ACCESS_ADMINISTRATOR);
 check_input_parameter('selection', $_POST, true, PATTERN_ID);
+check_input_parameter('display', $_REQUEST, false, '/^(\d+|all)$/');
 // +-----------------------------------------------------------------------+
 // | specific actions |
diff --git a/admin/notification_by_mail.php b/admin/notification_by_mail.php
index ca3d4127c..c1a936e94 100644
--- a/admin/notification_by_mail.php
+++ b/admin/notification_by_mail.php
@@ -42,6 +42,8 @@ include_once(PHPWG_ROOT_PATH.'include/functions_mail.inc.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('mode', $_GET, false, '/^(param|subscribe|send)$/');
+
 // +-----------------------------------------------------------------------+
 // | Initialization |
 // +-----------------------------------------------------------------------+
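Review bot: The new `section` pattern blocks directory traversal only because `.` is permitted nowhere except in the optional literal `.php` suffix, while `/`, `-` and `_` stay allowed; that invariant is not written down, so a later relaxation (for instance allowing dots in section names) would silently reopen CVE-2018-5692. A comment above the added check would pin it: `// 'section' may carry sub-path separators but no '.' other than a trailing .php, so '..' can never reach the include`. How `$_GET['section']` is consumed is outside this hunk, so the include assumption is inferred from the pattern and the CVE reference rather than from visible code.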
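Review bot: The added `display` check validates `$_REQUEST`, which merges GET, POST and (depending on `request_order`) COOKIE with one source winning; if the code that later reads `display` pulls it from `$_GET` or `$_POST` directly, a request can place the well-formed value in the array `$_REQUEST` prefers and the raw one in the other, so the consumer must read from the same superglobal that was validated. That consumer is outside this hunk, so I cannot confirm which array it uses — worth verifying. The neighbouring `selection` check uses `$_POST` and the `display` check in rating.php in this same commit uses `$_GET`, so `$_REQUEST` here looks deliberate but deserves a comment, e.g. `// 'display' is validated on $_REQUEST because it may arrive via GET or POST; read it from $_REQUEST below as well`.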
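Review bot: The `mode` whitelist `param|subscribe|send` is a hard-coded copy of whatever modes the page dispatches on further down, which is outside this hunk; nothing ties the two together, so a mode added later will be rejected with no hint as to why. A comment on the added line would help: `// keep in sync with the modes handled by the tabsheet below`. It is also worth confirming that a request with no `mode` at all still renders the default tab — `check_input_parameter` with `false` as the third argument presumably only validates when the key is present, but that helper is not shown here.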
diff --git a/admin/rating.php b/admin/rating.php
index dffced92b..fe284878f 100644
--- a/admin/rating.php
+++ b/admin/rating.php
@@ -33,6 +33,7 @@ include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
 // +-----------------------------------------------------------------------+
 check_status(ACCESS_ADMINISTRATOR);
+check_input_parameter('display', $_GET, false, PATTERN_ID);
 include_once(PHPWG_ROOT_PATH.'admin/include/tabsheet.class.php');
 $tabsheet = new tabsheet();
diff --git a/admin/updates_pwg.php b/admin/updates_pwg.php
index b1b7a2afb..c78d2a70a 100644
--- a/admin/updates_pwg.php
+++ b/admin/updates_pwg.php
@@ -37,7 +37,10 @@ STEP: 3 = upgrade on different branch */
 $step = isset($_GET['step']) ? $_GET['step'] : 0;
+
+check_input_parameter('to', $_GET, false, '/^\d+\.\d+\.\d+$/');
 $upgrade_to = isset($_GET['to']) ? $_GET['to'] : '';
+
 $updates = new updates();
 // +-----------------------------------------------------------------------+
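Review bot: `display` is restricted to `PATTERN_ID` here, while the same parameter in batch_manager.php in this commit accepts `\d+|all`; if the rating page also offers an "all" choice it is now rejected, and if `PATTERN_ID` is a plain digit pattern (its definition is not in this diff) then `display=0` still passes and a zero page size may reach pagination arithmetic further down. Either share one pattern between the two pages or clamp the value to a minimum of 1 right after the check. Both points are hedged, since the consumer of `display` is outside this hunk.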
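Review bot: `$step` on the line above the new check is still taken straight from `$_GET` with no validation, even though the comment block referenced in the hunk header documents it as a small integer selector; the new `to` check leaves that gap open. Adding `check_input_parameter('step', $_GET, false, '/^\d+$/');` alongside the `to` check, and placing both before the `$step =` assignment, would finish the hardening and read better than validating `to` only after `$step` has already been consumed. How `$step` and `$upgrade_to` are used is outside this hunk, so whether the raw step value is reflected or used in a path is inferred, not shown.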