fixes GHSA-jhp4-7f82-8f6q check image_order against allowed values

This commit is contained in:
plegall
2026-04-26 15:18:28 +02:00
parent c7e30da5c1
commit ba1f803f8c


@@ -18,6 +18,25 @@ if (!defined('PHPWG_ROOT_PATH'))
include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
$sort_fields = array(
'' => '',
'file ASC' => l10n('File name, A → Z'),
'file DESC' => l10n('File name, Z → A'),
'name ASC' => l10n('Photo title, A → Z'),
'name DESC' => l10n('Photo title, Z → A'),
'date_creation DESC' => l10n('Date created, new → old'),
'date_creation ASC' => l10n('Date created, old → new'),
'date_available DESC' => l10n('Date posted, new → old'),
'date_available ASC' => l10n('Date posted, old → new'),
'rating_score DESC' => l10n('Rating score, high → low'),
'rating_score ASC' => l10n('Rating score, low → high'),
'hit DESC' => l10n('Visits, high → low'),
'hit ASC' => l10n('Visits, low → high'),
'id ASC' => l10n('Numeric identifier, 1 → 9'),
'id DESC' => l10n('Numeric identifier, 9 → 1'),
'rank ASC' => l10n('Manual sort order'),
);
// +-----------------------------------------------------------------------+
// | Check Access and exit when user status is not ok |
// +-----------------------------------------------------------------------+
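Review bot: The l10n keys in the relocated `$sort_fields` array (e.g. `l10n('File name, A → Z')`) differ from the copy removed later in this commit, which reads `l10n('File name, A &rarr; Z')`; if that is a real change rather than a rendering artifact, any translation catalogue still keyed on the `&rarr;` form will no longer match and the labels fall back to the English key. Either keep the original key text in the moved array or update the language files in the same change. Since the array now also serves as the whitelist for the POST handler, a comment above it such as `// allowed image_order values; also used to validate $_POST['image_order']` would record why it was moved ahead of the access check.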
@@ -62,7 +81,7 @@ if (isset($_POST['submit']))
{
for ($i=0; $i<3; $i++)
{
if (!empty($_POST['image_order'][$i]))
if (!empty($_POST['image_order'][$i]) and in_array($_POST['image_order'][$i], array_keys($sort_fields)))
{
if (!empty($image_order)) $image_order.= ',';
$image_order.= $_POST['image_order'][$i];
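Review bot: The added `in_array()` in the changed condition compares loosely; pass `true` as the third argument so the whitelist check is by identity rather than `==`, i.e. `in_array($_POST['image_order'][$i], array_keys($sort_fields), true)`. With the current keys (non-numeric strings) loose comparison happens to give the same result, but a strict check does not depend on that property of the key set, and `in_array` still returns false cleanly if a non-string value (e.g. a nested array) arrives in `$_POST`, whereas an `isset($sort_fields[...])` lookup can fail on an illegal offset type. Computing `array_keys($sort_fields)` once before the three-iteration loop is an optional tidy-up. The enclosing `if (isset($_POST['submit']))` block starts in the hunk header context and continues past the hunk.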
@@ -188,25 +207,6 @@ if (pwg_db_num_rows($result) > 0)
}
}
// image order management
$sort_fields = array(
'' => '',
'file ASC' => l10n('File name, A &rarr; Z'),
'file DESC' => l10n('File name, Z &rarr; A'),
'name ASC' => l10n('Photo title, A &rarr; Z'),
'name DESC' => l10n('Photo title, Z &rarr; A'),
'date_creation DESC' => l10n('Date created, new &rarr; old'),
'date_creation ASC' => l10n('Date created, old &rarr; new'),
'date_available DESC' => l10n('Date posted, new &rarr; old'),
'date_available ASC' => l10n('Date posted, old &rarr; new'),
'rating_score DESC' => l10n('Rating score, high &rarr; low'),
'rating_score ASC' => l10n('Rating score, low &rarr; high'),
'hit DESC' => l10n('Visits, high &rarr; low'),
'hit ASC' => l10n('Visits, low &rarr; high'),
'id ASC' => l10n('Numeric identifier, 1 &rarr; 9'),
'id DESC' => l10n('Numeric identifier, 9 &rarr; 1'),
'rank ASC' => l10n('Manual sort order'),
);
$template->assign('image_order_options', $sort_fields);
$image_order = explode(',', isset($category['image_order']) ? $category['image_order'] : "");