
Fixes for XSS issues in admin interface URLs.

1 parent 6412227 commit 10d23be64fb7506ec230ab017b671e83554e6c17 @mmakaay mmakaay committed Oct 3, 2011
@@ -41,7 +41,7 @@
}
// determine absolute URI for the admin
-$PHORUM["admin_http_path"] = phorum_get_current_url(false);
+$PHORUM["admin_http_path"] = phorum_api_url_current(false);
// determine http_path (at install time; after that it's in the settings)
if(!isset($PHORUM["http_path"])){
@@ -55,18 +55,22 @@ function phorum_admin_okmsg($error)
* Otherwise a single query parameter string or an array of query parameters
* to add to the URL. Note that urlencoding must be handled by the caller.
*
+ * @param boolean $return_raw
+ * When FALSE (the default), then the returned URL is HTML encoded.
+ * When TRUE, then the raw URL is returned.
+ *
* @return string
* The URL for the admin interface.
*/
-function phorum_admin_build_url($input_args = NULL)
+function phorum_admin_build_url($input_args = NULL, $return_raw = FALSE)
{
global $PHORUM;
$url = $PHORUM["admin_http_path"];
// The base URL was requested.
if ($input_args === NULL || $input_args === '') {
- return $url;
+ return $return_raw ? $url : htmlspecialchars($url);
}
// Add a set of request parameters.
@@ -91,7 +95,7 @@ function phorum_admin_build_url($input_args = NULL)
$url .= $separator . "phorum_admin_token=" . $PHORUM['admin_token'];
}
- return $url;
+ return $return_raw ? $url : htmlspecialchars($url);
}
/**
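Review bot: `htmlspecialchars($url)` on the two new return lines uses the default flag set, which before PHP 8.1 leaves single quotes unencoded, so a caller that drops the result into a single-quoted attribute or an inline event handler is still only partially covered; `return $return_raw ? $url : htmlspecialchars($url, ENT_QUOTES);` closes that gap. Because encoding is now the default, any redirect site that forgets the TRUE flag silently emits `&amp;` into a Location header, which is worth stating in the docblock, e.g. `The encoded form is for HTML output only; pass TRUE for redirects and other non-HTML uses.` The body of phorum_admin_build_url continues outside the hunk, and the same default-flag point applies to the new htmlspecialchars calls in the template header and in the event log links further down.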
@@ -91,9 +91,9 @@
?>
-<script src="<?php print dirname($PHORUM['admin_http_path']) . "/javascript." . PHORUM_FILE_EXTENSION ?>?admin=1" type="text/javascript"></script>
+<script src="<?php print htmlspecialchars(dirname($PHORUM['admin_http_path']) . "/javascript." . PHORUM_FILE_EXTENSION) ?>?admin=1" type="text/javascript"></script>
-<link rel="stylesheet" type="text/css" href="<?php echo $admin_css_path; ?>" />
+<link rel="stylesheet" type="text/css" href="<?php echo htmlspecialchars($admin_css_path); ?>" />
<script type="text/javascript">
//<![CDATA[
@@ -48,10 +48,10 @@
if(!empty($_POST["target"])){
- $target_url = phorum_admin_build_url($_POST['target']);
+ $target_url = phorum_admin_build_url($_POST['target'], TRUE);
phorum_api_redirect($target_url);
} else {
- $redir_url = phorum_admin_build_url();
+ $redir_url = phorum_admin_build_url(NULL, TRUE);
phorum_api_redirect($redir_url);
}
exit();
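Review bot: `$_POST['target']` is still passed straight into the redirect URL on the first changed line; the builder's own docblock says urlencoding is the caller's job, and nothing here checks that the value is a plain query string before it becomes part of a Location header. Unless phorum_api_redirect is known to reject control characters (it is not visible here), the value should be validated against the expected query-string form, or at minimum have CR/LF removed, e.g. `$target = str_replace(array("\r", "\n"), '', $_POST['target']);` before the call. The same pattern recurs in the later hunk that handles `$_POST['target']` under the continue branch.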
@@ -23,7 +23,7 @@
phorum_api_user_session_destroy(PHORUM_ADMIN_SESSION);
-$redir_url = phorum_admin_build_url();
+$redir_url = phorum_admin_build_url(NULL, TRUE);
phorum_api_redirect($redir_url);
exit();
@@ -95,7 +95,7 @@
$okmsg = "Folder \"{$folder['name']}\" was successfully saved";
// The URL to redirect to.
- $url = phorum_admin_build_url(array('module=default',"parent_id=".$folder['parent_id'],'okmsg='.rawurlencode($okmsg)));
+ $url = phorum_admin_build_url(array('module=default',"parent_id=".$folder['parent_id'],'okmsg='.rawurlencode($okmsg)), TRUE);
phorum_api_redirect($url);
exit;
@@ -122,7 +122,7 @@
// Store the default settings in the database.
phorum_api_forums_save($forum, PHORUM_FLAG_DEFAULTS);
- $url = phorum_admin_build_url(array('module=forum_defaults','okmsg='.rawurlencode('The default settings were successfully saved')));
+ $url = phorum_admin_build_url(array('module=forum_defaults','okmsg='.rawurlencode('The default settings were successfully saved')), TRUE);
}
// Create or update a forum.
@@ -142,7 +142,7 @@
$okmsg = "Forum \"{$forum['name']}\" was successfully saved";
// The URL to redirect to.
- $url = phorum_admin_build_url(array('module=default',"parent_id=$forum[parent_id]", 'okmsg='.rawurlencode($okmsg)));
+ $url = phorum_admin_build_url(array('module=default',"parent_id=$forum[parent_id]", 'okmsg='.rawurlencode($okmsg)), TRUE);
}
phorum_api_redirect($url);
@@ -183,7 +183,7 @@
{
$redir_url = phorum_admin_build_url(array(
'module=update_display_names', 'request=integrity'
- ));
+ ), TRUE);
phorum_api_redirect($redir_url);
exit();
}
@@ -134,9 +134,9 @@
if ( $PHORUM['DB']->update_settings( $_POST ) ) {
- $redir = phorum_admin_build_url(array('module=settings','message=success'));
+ $redir = phorum_admin_build_url(array('module=settings','message=success'), TRUE);
if ($need_display_name_updates) {
- $redir = phorum_admin_build_url(array('module=update_display_names'));
+ $redir = phorum_admin_build_url(array('module=update_display_names'), TRUE);
}
phorum_api_redirect($redir);
exit();
@@ -21,7 +21,7 @@
$PHORUM['DB']->update_settings(array("status" => $_POST["status"]));
-$redir_url = phorum_admin_build_url();
+$redir_url = phorum_admin_build_url(NULL, TRUE);
phorum_api_redirect($redir_url);
exit();
@@ -41,9 +41,9 @@
} elseif(!empty($_POST['continue'])) {
if(!empty($_POST['target'])) {
- $url = phorum_admin_build_url($_POST['target']);
+ $url = phorum_admin_build_url($_POST['target'], TRUE);
} else {
- $url = phorum_admin_build_url();
+ $url = phorum_admin_build_url(NULL, TRUE);
}
phorum_api_redirect($url);
@@ -80,12 +80,12 @@
} elseif (isset($_GET['module'])) {
$module = basename($_GET['module']);
}
- $url = phorum_admin_build_url('module='.urlencode($module));
+ $url = phorum_admin_build_url('module='.urlencode($module), TRUE);
phorum_api_redirect($url);
}
$targetargs = $_SERVER['QUERY_STRING'];
- $target_html = htmlspecialchars(phorum_admin_build_url($targetargs));
+ $target_html = phorum_admin_build_url($targetargs);
$targs_html = htmlspecialchars($targetargs);
$post_url = phorum_admin_build_url();
?>
@@ -115,7 +115,7 @@
print "$update_count users of $user_count updated" ?>
</td></tr></table> <?php
- $redir = phorum_admin_build_url(array('module=update_display_names',"batch=".($batch+1),'step=2','user_count='.$user_count));
+ $redir = phorum_admin_build_url(array('module=update_display_names',"batch=".($batch+1),'step=2','user_count='.$user_count), TRUE);
?>
<script type="text/javascript">
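Review bot: The raw URL requested for `$redir` in the last hunk is computed immediately before a `<script>` block, and if it is printed into that script as a string literal the raw form is the wrong escaping for a JavaScript context, not merely the HTML context this commit targets. A value embedded in JS should be emitted with `json_encode($redir)` (or an explicit JS escape) rather than either the raw or the htmlspecialchars'd form; how `$redir` is actually used lies outside the hunk, so this needs confirming. Note also that `$batch` and `$user_count` are concatenated without urlencode, which is only safe if the code above the hunk guarantees they are integers.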
@@ -91,7 +91,7 @@
} else {
$input_args = array('module=users');
if(count($page_args_array)) $input_args = array_merge($input_args,$page_args_array);
- $referrer = phorum_admin_build_url($input_args);
+ $referrer = phorum_admin_build_url($input_args, TRUE);
}
if(count($_POST))
@@ -378,10 +378,10 @@ function toggle_detail_visibility(log_id)
phorum_api_format_date($PHORUM['short_time'], $loginfo["datestamp"]).
'</td>
<td valign="middle" style="white-space:nowrap; font-size: 10px">
- <a title="Extend filter using this source" href="'.$filter_base.'&source='.urlencode($loginfo["source"]).'">'.htmlspecialchars($loginfo["source"]).'</a>
+ <a title="Extend filter using this source" href="'.htmlspecialchars($filter_base.'&source='.urlencode($loginfo["source"])).'">'.htmlspecialchars($loginfo["source"]).'</a>
</td>
<td valign="middle" style="font-size: 10px">
- <a title="Extend filter using this category" href="'.$filter_base.'&show_category['.urlencode($loginfo["category"]).']=1">'.$cat.'</a>
+ <a title="Extend filter using this category" href="'.htmlspecialchars($filter_base.'&show_category['.urlencode($loginfo["category"]).']=1').'">'.$cat.'</a>
</td>
<td valign="middle" style="font-size: 12px">'.
htmlspecialchars($message).
@@ -398,13 +398,13 @@ function toggle_detail_visibility(log_id)
<b>User info:</b><br/><br/>' .
($loginfo["user_id"]
- ? "User ID = <a title=\"Extend filter using this User ID\" href=\"$filter_base&user_id=".urlencode($loginfo["user_id"])."\">{$loginfo["user_id"]}</a>" .
+ ? "User ID = <a title=\"Extend filter using this User ID\" href=\"".htmlspecialchars("$filter_base&user_id=".urlencode($loginfo["user_id"]))."\">{$loginfo["user_id"]}</a>" .
($loginfo["username"] !== NULL
? ', username = ' . htmlspecialchars($loginfo["username"])
: '') .
'&nbsp;[&nbsp;<a target="_new" href="'.phorum_api_url(PHORUM_PROFILE_URL, $loginfo["user_id"]).'">view user\'s profile</a>&nbsp]'
: "Anonymous user") . '<br/>' .
- 'User IP address = <a title="Extend filter using this IP address" href="'.$filter_base.'&ip='.urlencode($loginfo["ip"]).'">'. $loginfo["ip"] . '</a>' .
+ 'User IP address = <a title="Extend filter using this IP address" href="'.htmlspecialchars($filter_base.'&ip='.urlencode($loginfo["ip"])).'">'. $loginfo["ip"] . '</a>' .
($loginfo["hostname"] !== NULL
? ', hostname = ' . htmlspecialchars($loginfo["hostname"])
: '') . '<br/>' .
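Review bot: The href values are now encoded, but the link text on the same new lines is not treated consistently: `$loginfo["ip"]` on the IP address line and `{$loginfo["user_id"]}` on the user ID line are printed raw, while source, username and hostname go through htmlspecialchars. These are persisted log fields whose original provenance is not visible here, so the text nodes should be escaped the same way, e.g. `'">'. htmlspecialchars($loginfo["ip"]) . '</a>'`. `$cat` on the category line is likewise printed unescaped; whether it was escaped where it is built is outside the hunk.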
